
CipherTrust Batch Data Transformation (BDT) is a command line utility that is used to transform (encrypt/tokenize) data in files and databases. It is a policy-based tool and can efficiently transform bulk data. It can also be used for rekey operations.

BDT Architecture

The BDT utility works with CipherTrust Manager (CM) for key management, and CipherTrust Vaultless Tokenization (CT-VL) for tokenization.

BDT Policy

The BDT utility's actions are based on a policy. For each action or group of actions that you want to perform with the utility, you need to define a policy.

The BDT policy defines the rules on how to perform a transformation of the data provided by the input files or databases. The policy can be configured in a file locally or on a CipherTrust Manager (CM) instance that is serving as a centralized manager for configuration, allowing for easier reuse and maintenance. Refer to Setting up BDT Policy for details.

Supported File Formats and Databases

BDT supports the following file formats:

  • CSV File

  • Fixed Length File

BDT is supported with the following databases; the table lists the versions it has been tested with.

Database                Tested Version
MySQL                   8.0, 8.0.27
Oracle                  12c, 19c
IBM DB2                 10.5, 11.5.7
SAP HANA                2.0
Microsoft SQL Server    2017, 2019

Supported Transformations

  • Database to database (DB-to-DB): Encrypt, decrypt, tokenize, detokenize, or rekey the data of a database table and move it to another database. Multiple tables can be transformed in a single execution of the utility. You can choose table columns and specify what action needs to be performed on a particular column.

  • Database to file (DB-to-File): Encrypt, decrypt, tokenize, detokenize, or rekey the data of a database table and move it to another file. You can choose table columns and specify what action needs to be performed on a particular column.

  • File to database (File-to-DB): Encrypt, decrypt, tokenize, detokenize, or rekey the data of a file and move it to another database. You can choose file columns and specify what action needs to be performed on a particular column.

  • File to file (File-to-File): Encrypt, decrypt, tokenize, detokenize, or rekey the data of a file and move it to another file. You can choose file columns and specify what action needs to be performed on a particular column.

Refer to BDT Transformation Process for details.

Supported Encryption Algorithms


FF1

Key Size (in bits): 128 (default), 192, 256

Tweak Data: Tweak data is mandatory. The value must be a 16-character HEX-encoded string.

Additional Notes:

  • FF1 supports only non-versioned AES keys.

  • FF1 is supported when the symmetric key cache is enabled.

  • FF1 requires a minimum of two characters to perform encryption. The maximum data length is 128000 characters.

  • While performing crypto operations, characters in the input data other than those in the character set range are preserved and are not encrypted.

  • While performing a transformation, the character set range cannot be updated.

  • While performing decryption, do not modify the character set range; it must be the same as at encryption.

FF3

Key Size (in bits): 128 (default), 192, 256

Tweak Data: Tweak data is mandatory. The value must be a 16-character HEX-encoded string.

Additional Notes:

  • FF3 supports only non-versioned AES keys.

  • FF3 is supported when the symmetric key cache is enabled.

  • FF3 requires a minimum of two characters to perform encryption. The maximum data length is 128000 characters.

  • While performing crypto operations, characters in the input data other than those in the character set range are preserved and are not encrypted.

  • While performing a transformation, the character set range cannot be updated.

  • While performing decryption, do not modify the character set range; it must be the same as at encryption.

FPE_AES

Note

The number of characters in the character set range is treated as the cardinality of the input data.

IV: When the cardinality is y, an IV of x characters is used when the data size is greater than x characters. The value of x (block_len below, with CharacterSet_size being the cardinality y) is derived using the following formula:

double lg = Math.log10(Math.pow((double)2,(double)96))/Math.log10((double)CharacterSet_size);
double block_len = 2 * Math.floor(lg);

The table with cardinality and corresponding IV value based on the above formula is provided here.

Each HEX-encoded byte in the IV value must be in the range 00 to cardinality-1.

For example, when CARD62 is used, the maximum value is 3D (the hex encoding of 62-1=61).

In the following IV for CARD62, every byte (for example, 0A) lies in the range 00 to cardinality-1, that is, 00 to 3D:
0102030405060708090A0B0C0D0E0F1000303132333435363738393A3B3C3D3D

Key Size (in bits): 128 (default), 192, 256

Tweak Algorithm: Specify a hashing algorithm to be applied to the specified tweak data. The valid values are:

  • None
  • SHA1
  • SHA256

Tweak Data: FPE_AES uses the tweakable cipher concept to protect against statistical attacks arising from a potentially small input/output space. If the tweak algorithm is None or absent, the value must be a HEX-encoded string representing a 64-bit value (so the HEX encoding takes 16 characters).

Additional Notes:

  • The tweak algorithm defaults to None if an invalid or null value is provided.

  • FPE_AES supports only non-versioned AES keys.

  • FPE_AES is supported when the symmetric key cache is enabled.

  • While performing crypto operations, characters in the input data other than those in the character set range are preserved and are not encrypted.

  • If the input data contains characters other than those in the character set range, you must calculate the effective input data length (counting only in-range characters) and provide the IV accordingly.

  • FPE_AES requires a minimum of four characters to perform encryption.

  • While performing a transformation, the character set range cannot be updated.

  • While performing decryption, do not modify the character set range; it must be the same as at encryption.
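The FPE_AES IV rule and character-set notes above, together with the FF1/FF3 length and tweak notes earlier on the page, as a pre-flight check for a policy entry. This is an added example, not code from the page or from Thales; it reproduces the page's IV-length formula and reads the page's CARD62 sample as x bytes each hex-encoded (the sample is 32 bytes, which the formula gives for cardinality 62). The function names, the policy-entry parameters and the sample data and IV are this example's own; the cardinality is taken to be the number of distinct characters in the character set range.

```python
"""Pre-flight checks for FPE inputs in a BDT policy (FF1, FF3, FPE_AES).

Added example, not part of the Thales documentation or the BDT utility.
It reproduces the IV-length formula quoted on the page and applies the
character-set and length rules the page states. Function names and the
policy-entry parameters are hypothetical; sample values are constructed.
"""
import math
import re
import string

# Minimum in-range character counts the page states per algorithm.
MIN_CHARS = {"FF1": 2, "FF3": 2, "FPE_AES": 4}
MAX_CHARS_FF = 128000  # maximum data length the page gives for FF1/FF3

# Constructed sample values (not from a real deployment).
CHARSET62 = string.ascii_uppercase + string.ascii_lowercase + string.digits  # CARD62
SAMPLE_IV_CARD62 = (  # the CARD62 IV shown on the page: 32 bytes, every byte <= 0x3D
    "0102030405060708090A0B0C0D0E0F1000303132333435363738393A3B3C3D3D"
)


def effective_length(data, charset):
    """Count only characters inside the character set range.

    Out-of-range characters are preserved unencrypted, so they count neither
    toward the minimum length nor toward the FPE_AES IV decision.
    """
    allowed = set(charset)
    return sum(1 for ch in data if ch in allowed)


def iv_length(cardinality):
    """x from the page's formula: block_len = 2 * floor(log_card(2^96)).

    Returned as a byte count; hex-encoded the IV takes 2*x characters.
    """
    if cardinality < 2:
        raise ValueError("cardinality must be at least 2")
    lg = math.log10(2.0 ** 96) / math.log10(float(cardinality))
    return int(2 * math.floor(lg))


def validate_iv(iv_hex, cardinality):
    """Return a list of problems with a hex-encoded FPE_AES IV (empty = OK)."""
    if not re.fullmatch(r"[0-9A-Fa-f]*", iv_hex) or len(iv_hex) % 2:
        return ["IV must be an even-length hex string"]
    problems = []
    expected = iv_length(cardinality)
    raw = bytes.fromhex(iv_hex)
    if len(raw) != expected:
        problems.append(f"IV is {len(raw)} bytes, expected {expected} for cardinality {cardinality}")
    # Every byte must lie in 00..cardinality-1 (00..3D for CARD62).
    bad = [f"{b:02X}" for b in raw if b >= cardinality]
    if bad:
        problems.append(f"IV bytes outside 00..{cardinality - 1:02X}: {bad}")
    return problems


def validate_tweak(tweak_hex):
    """FF1/FF3, and FPE_AES with tweak algorithm None, need a 16-char hex tweak."""
    return re.fullmatch(r"[0-9A-Fa-f]{16}", tweak_hex) is not None


def check_policy_entry(algorithm, data, charset, tweak_hex, iv_hex=""):
    """Apply the page's stated constraints to one input; returns problems."""
    if algorithm not in MIN_CHARS:
        return [f"unsupported algorithm {algorithm!r}"]
    problems = []
    n = effective_length(data, charset)
    if n < MIN_CHARS[algorithm]:
        problems.append(f"{algorithm} needs at least {MIN_CHARS[algorithm]} in-range characters, got {n}")
    if algorithm in ("FF1", "FF3") and n > MAX_CHARS_FF:
        problems.append(f"{algorithm} input exceeds {MAX_CHARS_FF} characters")
    if not validate_tweak(tweak_hex):
        problems.append("tweak data must be a 16-character hex string")
    if algorithm == "FPE_AES":
        card = len(set(charset))
        x = iv_length(card)
        if n > x:  # page: an x-character IV is used when data size > x
            if not iv_hex:
                problems.append(f"effective length {n} > {x}: a {x}-byte IV is required")
            else:
                problems.extend(validate_iv(iv_hex, card))
    return problems


if __name__ == "__main__":
    tweak = "0123456789ABCDEF"  # constructed 64-bit tweak, hex-encoded
    print(check_policy_entry("FF1", "4111-1111-1111-1111", string.digits, tweak))
    print(check_policy_entry("FPE_AES", "A" * 40, CHARSET62, tweak))
    print(check_policy_entry("FPE_AES", "A" * 40, CHARSET62, tweak, SAMPLE_IV_CARD62))
```

The hyphenated sample card number has 16 in-range digits, so its effective length is 16 even though the string is 19 characters long; a 40-character alphanumeric input exceeds the 32-byte threshold for CARD62 and is rejected until the IV is supplied.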

DESede

Block Size: 8 bytes

Supported Modes: ECB, CBC

Padding Schemes: PKCS5Padding, NoPadding

IV: CBC mode requires an IV of 8 characters or 8 HEX-encoded characters.

Key Size: Supported key sizes are 168 (default) and 112 bits. Each key contains an extra 8 bits of parity, so when you create a key of 112 bits the actual key size is 128 bits, and when you create a key of 168 bits the actual key size is 192 bits.

Additional Notes:

  • When using DESede with NoPadding, the data for encryption must be a multiple of 8 bytes.

  • DESede is supported whether the symmetric key cache is enabled or disabled.

AES_CTR

Block Size: 16 bytes

Padding Schemes: PKCS5Padding, NoPadding

IV: CTR mode requires an IV of 16 characters or 16 HEX-encoded characters.

Key Size (in bits): 128 (default), 192, 256

Additional Notes:

  • AES_CTR is supported when the symmetric key cache is enabled.

  • By default, AES_CTR uses NoPadding.

AES_CBC_PAD

Block Size: 16 bytes

Padding Schemes: PKCS5Padding, NoPadding

IV: CBC mode requires an IV of 16 characters or 16 HEX-encoded characters.

Key Size (in bits): 128 (default), 192, 256

Additional Notes:

  • AES_CBC_PAD is supported whether the symmetric key cache is enabled or disabled.

  • By default, AES_CBC_PAD uses PKCS5Padding.

Supported Tokenization Algorithms

BDT supports the following tokenization algorithms (supported by CT-VL):

  • FF1, FF1-luhn

  • FF3, FPE-luhn

  • Dates, Random, Random-luhn

Refer to CipherTrust Vaultless Tokenization (CT-VL) for details.