Standard Encryption
The standard encryption converts the plaintext to encrypted data without retaining the format of the plaintext.
Supported Algorithms for Standard Encryption
AES (key sizes of 128, 192, and 256 bits)
DES-EDE (key sizes of 128 and 192 bits)
SEED (key sizes of 128 bits)
ARIA (key sizes of 128, 192, and 256 bits)
It is recommended to use a 256-bit AES key or a 192-bit DES-EDE key, as these ciphers are stronger than the others.
The chosen encryption algorithm limits the size of the plaintext data that can be encrypted. Refer to Length of the Plaintext Column for details.
Applying Initialization Vectors
When using an algorithm in CBC mode, an Initialization Vector (IV) can be applied at the field level or at the column level. When IVs are applied at the field level, a unique IV is used for the encryption of each field; in this case, a new column is added to the table to hold the IVs. When the IV is applied at the column level, there is only one IV per column, and that IV is stored in a separate metadata table.
It is preferable to apply IVs at the field level when encrypting values that might be identical. For example, when encrypting names, if two people in the table have the same name, those names encrypt to the same value if the same IV is used for both encrypt operations. If a different IV is used for each of the two encrypt operations, the operations yield different results. Field-level IVs therefore offer an even higher level of security, because the IV is different for every value being encrypted.
However, be aware that applying IVs at the field level can cause a significant performance disadvantage for exact searches. When IVs are applied at the field level, the search value cannot be encrypted for comparison, which means that all rows being searched must be decrypted. When encrypting values that are unique, such as credit card numbers or social security numbers, it is recommended that IVs are applied at the column level.
Options for the IV field of the Column Properties section are as follows:
user-specified IV for column – Supply a single IV for an entire column.
random IV for column – The NAE Server provides one randomly generated IV that is used to encrypt all values in a column.
random IV for each field – The NAE Server provides a randomly generated IV for each value in a column. With this option, the Key Manager adds a column for the IV to the base table.
Padding
The CipherTrust Manager automatically selects a padding scheme before data is migrated. One of two methods is used:
PKCS#5 Padding – This scheme is almost always used when encrypting with symmetric keys (AES, DES-EDE, and ARIA).
No Padding – This scheme is used when the column’s data type is CHAR or CHARACTER and the column’s original width is an exact multiple of the encryption block size.
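The following Go program is an added illustration of the two preceding sections (IV placement and padding); it is not ProtectDB, NAE Server or CipherTrust Manager code, and the names needsPadding, encryptColumn, exactSearch and Cell are hypothetical. It models a column with Go's standard-library AES-256-CBC: a column-level IV makes identical plaintexts encrypt to identical ciphertexts, so an exact search can encrypt the search value once and compare ciphertexts without decrypting anything; field-level IVs hide the duplicates but force every row to be decrypted for the same search. It also applies the documented padding rule (no padding only for CHAR/CHARACTER columns whose width is an exact block multiple, PKCS#5 otherwise). The key, IV and data values are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must turns an unexpected setup error (bad key length, RNG failure) into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// pkcs5Pad appends 1..blockSize bytes, each holding the pad length (PKCS#5/#7).
func pkcs5Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs5Unpad checks every pad byte before stripping; b is a non-empty block multiple (cbc checks that).
func pkcs5Unpad(b []byte, blockSize int) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid PKCS#5 padding")
	}
	return b[:len(b)-n], nil
}

// needsPadding: a CHAR/CHARACTER column whose width is an exact block multiple gets no padding; all else PKCS#5.
func needsPadding(dataType string, width, blockSize int) bool {
	fixed := dataType == "CHAR" || dataType == "CHARACTER"
	return !(fixed && width%blockSize == 0)
}

// cbc runs AES-CBC one way; pad selects PKCS#5 padding on encrypt and unpadding on decrypt.
func cbc(key, iv, in []byte, encrypt, pad bool) ([]byte, error) {
	block, err := aes.NewCipher(key) // accepts only 128-, 192- or 256-bit keys
	if err != nil {
		return nil, err
	}
	if encrypt && pad {
		in = pkcs5Pad(in, block.BlockSize())
	}
	if len(in) == 0 || len(in)%block.BlockSize() != 0 {
		return nil, errors.New("input is not a whole number of blocks") // no-padding mode needs exact blocks
	}
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
		return out, nil
	}
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	if pad {
		return pkcs5Unpad(out, block.BlockSize())
	}
	return out, nil
}

// Cell is one encrypted field and its IV (the shared column IV, or the per-row IV kept in the extra IV column).
type Cell struct{ CT, IV []byte }

// encryptColumn uses columnIV for every value when it is non-nil (column-level), else a fresh random IV per field.
func encryptColumn(key, columnIV []byte, values []string, pad bool) []Cell {
	cells := make([]Cell, 0, len(values))
	for _, v := range values {
		iv := columnIV
		if iv == nil {
			iv = make([]byte, aes.BlockSize)
			must(rand.Read(iv))
		}
		cells = append(cells, Cell{CT: must(cbc(key, iv, []byte(v), true, pad)), IV: iv})
	}
	return cells
}

// exactSearch returns matching row indexes and how many rows had to be decrypted. With a column-level IV
// the search value is encrypted once and compared to stored ciphertexts; with field-level IVs every row is decrypted.
func exactSearch(key, columnIV []byte, cells []Cell, want string, pad bool) (hits []int, decrypted int) {
	if columnIV != nil {
		probe := must(cbc(key, columnIV, []byte(want), true, pad))
		for i, c := range cells {
			if bytes.Equal(c.CT, probe) {
				hits = append(hits, i)
			}
		}
		return hits, 0
	}
	for i, c := range cells {
		if string(must(cbc(key, c.IV, c.CT, false, pad))) == want {
			hits = append(hits, i)
		}
	}
	return hits, len(cells)
}
```

Running encryptColumn over a constructed column {"Alice", "Bob", "Alice"} with a fixed column IV yields identical ciphertexts for rows 0 and 2 and an exactSearch for "Alice" that decrypts nothing; with columnIV set to nil the two "Alice" ciphertexts differ and the same search decrypts all three rows. A CHAR(32) column (two AES blocks) is encrypted without padding, while a 16-byte value in a padded column grows to 32 bytes because PKCS#5 always adds a full block when the input is already a block multiple.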
Replacement Values
If a database user attempts to access encrypted data to which they do not have decryption permission, the system returns an error message. The content of those permission-related errors can be specified using the replacement values feature. Refer to Error Replacement for details. Use the Decryption Behavior for Users with Insufficient Permissions field on the Column Properties section to specify that the system return a specific value, a null value, or the original standard error.
Replacement values are not returned if a query yields a NULL value. When a query results in a NULL value, no cryptographic process is required, so SafeNet ProtectDB does not interact with the NAE Server and the replacement values feature is not activated.
After setting up the error replacement value, views and triggers must be recreated for the changes to take effect.
Space Requirements Considerations
Consider the following when allotting space for an encrypted solution:
Algorithm to use to encrypt data
Whether to use field–level or column–level IVs
Whether the table needs an identity column