CipherTrust Batch Data Transformation (BDT) is a command line utility that is used to transform (encrypt/tokenize) data in files and databases. It is a policy-based tool and can efficiently transform bulk data. It can also be used for rekey operations.
BDT Architecture
The BDT utility works with CipherTrust Manager (CM) for key management, and CipherTrust Vaultless Tokenization (CT-VL) for tokenization.
BDT Policy
The BDT utility's actions are based on a policy. For each action or group of actions that you want to perform with the utility, you need to define a policy.
The BDT policy defines the rules on how to perform a transformation of the data provided by the input files or databases. The policy can be configured in a file locally or on a CipherTrust Manager (CM) instance that is serving as a centralized manager for configuration, allowing for easier reuse and maintenance. Refer to Setting up BDT Policy for details.
Supported File Formats and Databases
BDT supports the following file formats:
CSV File
Fixed Length File
BDT is supported with the following databases. The table below lists the versions it has been tested with.

| Database | Tested Version |
|---|---|
| MySQL | 8.0, 8.0.27 |
| Oracle | 12c, 19c |
| IBM DB2 | 10.5, 11.5.7 |
| SAP HANA | 2.0 |
| Microsoft SQL Server | 2017, 2019 |
Supported Transformations
Database to database (DB-to-DB): Encrypt, decrypt, tokenize, detokenize, or rekey the data of a database table and move it to another database. Multiple tables can be transformed in a single execution of the utility. You can choose table columns and specify what action needs to be performed on a particular column.
Database to file (DB-to-File): Encrypt, decrypt, tokenize, detokenize, or rekey the data of a database table and move it to another file. You can choose table columns and specify what action needs to be performed on a particular column.
File to database (File-to-DB): Encrypt, decrypt, tokenize, detokenize, or rekey the data of a file and move it to another database. You can choose file columns and specify what action needs to be performed on a particular column.
File to file (File-to-File): Encrypt, decrypt, tokenize, detokenize, or rekey the data of a file and move it to another file. You can choose file columns and specify what action needs to be performed on a particular column.
Refer to BDT Transformation Process for details.
Supported Encryption Algorithms
FF1

| Property | Value |
|---|---|
| Key Size (in bits) | 128 (default), 192, 256 |
| Tweak Data | Tweak data is mandatory. The value must be a 16-character HEX-encoded string. |
| Additional Notes | • FF1 supports only non-versioned AES keys. • FF1 is supported when the symmetric key cache is enabled. • FF1 requires at least two characters to perform encryption. The maximum data length is 128000 characters. • During crypto operations, characters in the input data that are not in the character set range are preserved and are not encrypted. • The character set range cannot be updated while a transformation is running. • For decryption, do not modify the character set range; it must be the same as the one used for encryption. |
FF3

| Property | Value |
|---|---|
| Key Size (in bits) | 128 (default), 192, 256 |
| Tweak Data | Tweak data is mandatory. The value must be a 16-character HEX-encoded string. |
| Additional Notes | • FF3 supports only non-versioned AES keys. • FF3 is supported when the symmetric key cache is enabled. • FF3 requires at least two characters to perform encryption. The maximum data length is 128000 characters. • During crypto operations, characters in the input data that are not in the character set range are preserved and are not encrypted. • The character set range cannot be updated while a transformation is running. • For decryption, do not modify the character set range; it must be the same as the one used for encryption. |
FPE_AES

Note: The number of characters in the character set range is treated as the cardinality of the input data.

| Property | Value |
|---|---|
| IV | When the cardinality is y, an x-character IV is used when the data size is greater than x characters. The corresponding value of x is derived using the following formula: The table of cardinalities and corresponding IV values based on the above formula is provided here. The value of each HEX-encoded byte in the IV must be in the range 00 to cardinality-1. For example, when CARD62 is used, the maximum byte value is 3D (the HEX encoding of 62-1=61). In the following IV for CARD62, the HEX byte 0A lies in the range 00 to cardinality-1, that is, 00 to 3D: |
| Key Size (in bits) | 128 (default), 192, 256 |
| Tweak Algorithm | A hashing algorithm applied to the specified tweak data. Valid values: • None • SHA1 • SHA256 |
| Tweak Data | FPE_AES uses the tweakable cipher concept to protect against statistical attacks that a potentially small input/output space would otherwise allow. If the tweak algorithm is None or absent, the value must be a HEX-encoded string representing a 64-bit value (so the HEX encoding occupies 16 characters). |
| Additional Notes | • The tweak algorithm defaults to None if an invalid or null value is provided. • FPE_AES supports only non-versioned AES keys. • FPE_AES is supported when the symmetric key cache is enabled. • During crypto operations, characters in the input data that are not in the character set range are preserved and are not encrypted. • If the input data contains characters that are not in the character set range, you must calculate the effective input data length (counting only in-range characters) and provide the IV accordingly. • FPE_AES requires at least four characters to perform encryption. • The character set range cannot be updated while a transformation is running. • For decryption, do not modify the character set range; it must be the same as the one used for encryption. |
DESede

| Property | Value |
|---|---|
| Block Size | 8 bytes |
| Supported Modes | ECB, CBC |
| Padding Schemes | PKCS5Padding, NoPadding |
| IV | CBC mode requires an IV of 8 characters or 8 HEX-encoded characters. |
| Key Size | Supported key sizes are 168 (default) and 112 bits. Each key contains an extra 8 bits of parity, so a key created as 112 bits is actually 128 bits, and a key created as 168 bits is actually 192 bits. |
| Additional Notes | • When DESede is used with NoPadding, the data to be encrypted must be a multiple of 8 bytes in length. • DESede is supported whether the symmetric key cache is enabled or disabled. |
AES_CTR

| Property | Value |
|---|---|
| Block Size | 16 bytes |
| Padding Schemes | PKCS5Padding, NoPadding |
| IV | CTR mode requires an IV of 16 characters or 16 HEX-encoded characters. |
| Key Size (in bits) | 128 (default), 192, 256 |
| Additional Notes | • AES_CTR is supported when the symmetric key cache is enabled. • By default, AES_CTR uses NoPadding. |
AES_CBC_PAD

| Property | Value |
|---|---|
| Block Size | 16 bytes |
| Padding Schemes | PKCS5Padding, NoPadding |
| IV | CBC mode requires an IV of 16 characters or 16 HEX-encoded characters. |
| Key Size (in bits) | 128 (default), 192, 256 |
| Additional Notes | • AES_CBC_PAD is supported whether the symmetric key cache is enabled or disabled. • By default, AES_CBC_PAD uses PKCS5Padding. |
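The algorithm constraints above are easy to get wrong in a policy and only surface as a failed batch run. The following Python pre-flight checks, added here as an illustration and not part of the BDT utility or its documentation, encode those constraints: mandatory 16-HEX-character tweak data for FF1/FF3, minimum in-range lengths (2 for FF1/FF3, 4 for FPE_AES) computed on the effective length that excludes out-of-range characters, FPE_AES IV bytes bounded by cardinality-1, and block-size multiples for NoPadding. The function names are mine, and the character set range is assumed to be supplied as a plain string of the allowed characters.

```python
import re

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
MIN_LEN = {"FF1": 2, "FF3": 2, "FPE_AES": 4}   # minimum characters to encrypt
MAX_LEN = {"FF1": 128000, "FF3": 128000}        # documented maximum data length
BLOCK_SIZE = {"DESede": 8, "AES_CTR": 16, "AES_CBC_PAD": 16}  # bytes


def effective_length(data: str, charset: str) -> int:
    """Out-of-range characters are preserved, not encrypted, so only
    in-range characters count toward the FPE length rules."""
    return sum(1 for ch in data if ch in charset)


def check_tweak(tweak: str) -> list[str]:
    """FF1/FF3 tweak data: mandatory, exactly 16 HEX characters (64 bits)."""
    if not tweak:
        return ["tweak data is mandatory"]
    if len(tweak) != 16 or not HEX_RE.match(tweak):
        return ["tweak data must be a 16-character HEX-encoded string"]
    return []


def check_fpe_aes_iv(iv_hex: str, cardinality: int) -> list[str]:
    """FPE_AES IV: every HEX-encoded byte must lie in 00..cardinality-1
    (for CARD62 that is 00..3D)."""
    if not iv_hex or len(iv_hex) % 2 or not HEX_RE.match(iv_hex):
        return ["IV must be a non-empty, even-length HEX string"]
    limit = cardinality - 1
    return [f"IV byte {iv_hex[i:i + 2]} exceeds {limit:02X} (cardinality-1)"
            for i in range(0, len(iv_hex), 2)
            if int(iv_hex[i:i + 2], 16) > limit]


def check_fpe_input(algorithm: str, data: str, charset: str) -> list[str]:
    """Length rules for FF1/FF3/FPE_AES, applied to the effective length."""
    n = effective_length(data, charset)
    errs = []
    if n < MIN_LEN[algorithm]:
        errs.append(f"{algorithm} needs at least {MIN_LEN[algorithm]} in-range characters, got {n}")
    if algorithm in MAX_LEN and n > MAX_LEN[algorithm]:
        errs.append(f"{algorithm} allows at most {MAX_LEN[algorithm]} characters, got {n}")
    return errs


def check_nopadding(algorithm: str, data: bytes) -> list[str]:
    """With NoPadding the input must be a whole number of cipher blocks."""
    block = BLOCK_SIZE[algorithm]
    if len(data) % block:
        return [f"{algorithm} with NoPadding requires a multiple of {block} bytes, got {len(data)}"]
    return []
```

Run the checks against each column's sample data before launching the batch job; an empty list means the column satisfies the documented constraint for that algorithm.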
Supported Tokenization Algorithms
BDT supports the following tokenization algorithms (supported by CT-VL):
FF1, FF1-luhn
FF3, FPE-luhn
Dates, Random, Random-luhn
Refer to CipherTrust Vaultless Tokenization (CT-VL) for details.