Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Administration
Release Notes

All

All

Advanced Topics

Encryption Flow

Please Note:

Administration
Quick Start
Additional Deployment Methods
- Install CDP on a SQL Server node configured with availability group
- Install multiple meta-databases on a single SQL instance
- Install CDP on a passive machine in a SQL Server cluster
  - Install CDP on a passive machine in a SQL Server cluster
  - Manually install CDP on a passive node in SQL Server cluster
Tasks
- Encrypt a column
- Decrypt a column
- Re-encrypt data with new key
- Configure column-level encryption settings
- Set encryption parameters for multiple columns
- Delete data after encryption or decryption
- Delete views and triggers
- Recreate view and triggers
- Altering encrypted tables
  - Add unencrypted column
  - Add column to encrypt
  - Delete decrypted column
  - Delete encrypted column
  - Resize unencrypted column
  - Resize an encrypted column
  - Grant/revoke table and column permissions
- Upgrade CDP
  - Upgrade CDP in clustered environment
  - Upgrade a standalone CDP
- Uninstall CDP
- Upgrade database version
- Obscure Password
- View job history
- Export keys from CipherTrust Manager
- Fast search on encrypted data
- Map database user or role to CipherTrust Manager user
- Configure SSL connection
Advanced Topics
- Planning Encryption
  - Standard Encryption
  - Format Preserving Encryption
- Encryption Flow
- Key caching
- Configuration Parameters
  - Network Configuration Parameters
  - Connection Configuration Parameters
  - Local Encryption Configuration Parameters
  - Logging Parameters
  - SSL Configuration Parameters
  - SQL Server Specific Configuration Parameters
- Tables and Views
- Database Objects
  - UDFs for Non-FPE
    - How to call direct UDFs for non-FPE algorithms
  - UDFs for FPE
    - How to call direct UDFs for FPE algorithms
- Sample for setting encryption parameters for multiple columns
- User Mapping
- Error Replacement
- Limitations
Tips and Best Practices
Troubleshooting
FAQs

CDP for MSSQL
Administration
Advanced Topics
Encryption Flow

Encryption Flow

Encrypting a column involves following phases:

Pre-encryption phase

In this phase, the system:

Adds an empty column, column_NEW to hold encrypted values to the base table.
Adds an identity column (if does not already exist) and fills unique value for each row in this column.
Note
This step could take several minutes depending on the number of rows in the table.
Adds an empty column, column_IV to hold initialization vectors to the base table, if you are applying IVs at the field level.
Creates views to select data from the table.
Creates triggers to insert plaintext and ciphertext into the table.

Encryption phase

In this phase, the system:

CipherTrust Manager or pdbctl utility converts column plaintext value to ciphertext.
Saves the encrypted values to the column_NEW column in the base table.
If the column-level IV is applied, then sets the initialization vectors to the column_IV column.

After the encrypted data is saved to the base table, the pdbctl utility creates the views and triggers that will automate future encryption and decryption operations. These views and triggers use stored procedures to interact with the CipherTrust Manager behind the scenes to perform cryptographic operations on the base table without explicit instructions from the database user. Authenticated applications outside the database can query and update the tables as before, without any modification.

On this page

CDP for MSSQL

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Support Contacts
- Text Conventions
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com