Encryption Flow
Encrypting a column involves the following phases:
Pre-encryption phase
In this phase, the system:
- Adds an empty column (column_NEW) to the base table to hold the encrypted values.
- Adds a column (ING_ROW_ID) and fills it with a unique value for each row.
  Note: This step could take several minutes depending on the number of rows in the table.
- Adds an empty column (column_IV) to the base table to hold initialization vectors, if IVs are applied at the field level.
- Creates views to select data from the table.
- Creates triggers to insert and update data in the table.
Encryption phase
In this phase, the system:
- Converts each plaintext value in the column to ciphertext. This conversion is performed by CipherTrust Manager or by the pdbctl utility.
- Returns the encrypted values to the column_NEW column in the base table.
- If the column-level IV is applied, sets the initialization vectors in the column_IV column.
After the encrypted data is returned to the base table, the pdbctl utility creates the views and triggers that will automate future encryption and decryption operations. These views and triggers use stored procedures to interact with the SafeNet KeySecure behind the scenes to perform cryptographic operations on the base table without explicit instructions from the database user. Authenticated applications outside the database can query and update the tables as before, without any modification.
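The following SQL is an added, constructed illustration of the table layout, view and triggers that the two phases above produce. It is not DDL generated by pdbctl or CipherTrust Manager, and the table name customers, the column ssn, the sequence ing_row_seq, and the functions enc_fn and dec_fn (standing in for the product's stored procedures that call the key manager) are all hypothetical. The use of ING_ROW_ID to locate a row inside the update trigger is likewise an assumption about the pattern, not something the page states. Oracle syntax is used.

```sql
-- Constructed example: column encryption layout with a view and
-- INSTEAD OF triggers. Not pdbctl output; enc_fn/dec_fn are hypothetical
-- stand-ins for stored procedures that call the key manager.

-- 0. Base table before encryption (constructed sample data).
CREATE TABLE customers (
    cust_id  NUMBER PRIMARY KEY,
    ssn      VARCHAR2(11)
);
INSERT INTO customers VALUES (1, '123-45-6789');
INSERT INTO customers VALUES (2, '987-65-4321');

-- 1. Pre-encryption phase: ciphertext column, unique row id, optional IV column.
ALTER TABLE customers ADD (
    ssn_NEW     RAW(64),    -- will hold the ciphertext of ssn
    ING_ROW_ID  NUMBER,     -- unique value per row
    ssn_IV      RAW(16)     -- only when IVs are applied at the field level
);

-- Fill ING_ROW_ID with a unique value for every existing row.
-- (On a large table this is the step that can take minutes.)
CREATE SEQUENCE ing_row_seq;
UPDATE customers SET ING_ROW_ID = ing_row_seq.NEXTVAL;

-- 2. Encryption phase: ciphertext returned into ssn_NEW, IV into ssn_IV.
--    In the real flow the conversion is done by CipherTrust Manager / pdbctl;
--    here a hypothetical enc_fn(plaintext, iv) models it.
UPDATE customers
   SET ssn_IV  = SYS_GUID(),              -- 16 random bytes as a per-row IV
       ssn_NEW = enc_fn(ssn, SYS_GUID());

-- 3. View that exposes the column under its original name, decrypted on read.
--    Applications query customers_v instead of the base table.
CREATE OR REPLACE VIEW customers_v AS
SELECT cust_id,
       dec_fn(ssn_NEW, ssn_IV) AS ssn,   -- hypothetical decrypt via key manager
       ING_ROW_ID
  FROM customers;

-- 4. INSTEAD OF INSERT: new rows written through the view are encrypted
--    with a fresh IV and assigned the next unique row id.
CREATE OR REPLACE TRIGGER customers_v_ins
    INSTEAD OF INSERT ON customers_v
    FOR EACH ROW
DECLARE
    v_iv RAW(16) := SYS_GUID();
BEGIN
    INSERT INTO customers (cust_id, ssn_NEW, ssn_IV, ING_ROW_ID)
    VALUES (:NEW.cust_id, enc_fn(:NEW.ssn, v_iv), v_iv, ing_row_seq.NEXTVAL);
END;
/

-- 5. INSTEAD OF UPDATE: an updated plaintext is re-encrypted with a new IV;
--    ING_ROW_ID locates the base-table row without touching the ciphertext.
CREATE OR REPLACE TRIGGER customers_v_upd
    INSTEAD OF UPDATE ON customers_v
    FOR EACH ROW
DECLARE
    v_iv RAW(16) := SYS_GUID();
BEGIN
    UPDATE customers
       SET cust_id = :NEW.cust_id,
           ssn_NEW = enc_fn(:NEW.ssn, v_iv),
           ssn_IV  = v_iv
     WHERE ING_ROW_ID = :OLD.ING_ROW_ID;
END;
/

-- Application usage is unchanged in shape: SELECT/INSERT/UPDATE against
-- customers_v; the triggers and the view do the cryptography.
SELECT cust_id, ssn FROM customers_v;
UPDATE customers_v SET ssn = '111-22-3333' WHERE cust_id = 2;
```

A fresh IV on every insert and update is what makes the per-row IV column worthwhile: reusing an IV with the same key would let identical plaintexts produce identical ciphertexts, which is exactly the equality leakage the IV exists to prevent. The plaintext ssn column is left in place here only so the phases stay visible; once the view and triggers are in use, direct access to the base table should be withdrawn from application accounts.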