Standard Encryption
Standard encryption converts the encrypted text to binary. This article covers all the information related to Standard Encryption.
Supported Algorithms for Standard Encryption
AES (key sizes of 128, 192, and 256 bits)
DES-EDE (key sizes of 112 and 168 bits)
SEED (key size of 128 bits)
DES (key size of 56 bits)
We recommend that you use an AES key (any size) or a 168-bit DES-EDE key, as these ciphers are stronger than the others. It is also recommended not to use DES keys, because DES is considered to be a weak cipher.
The size of the plaintext data that can be encrypted is determined by the encryption algorithm used. Refer to Length of the Plaintext Column for details.
Applying Initialization Vectors
When using an algorithm in CBC mode, you may apply an Initialization Vector (IV) at the field-level or at the column-level. When applying IVs at the field-level, a unique IV is used for the encryption of each field. In this case, a new column is added to your table. When you apply IVs at the column-level, there is only one IV per column, and that IV is stored in a separate metadata table.
You might prefer to apply IVs at the field-level if you are encrypting values that might be identical. For example, if you are encrypting names, and two people in the table have the same name, those names encrypt to the same value if you supply the same IV for both encrypt operations. If, however, you supply a different IV for the two encrypt operations, then the encrypt operations yield different results. Applying IVs at the field-level therefore gives you a higher level of security, because the IV is different for every value being encrypted.
However, you should note that applying IVs at the field-level might cause a performance disadvantage when doing an exact search. When you apply IVs at the field-level, you cannot encrypt the search value, which means that you must decrypt all rows you are searching through. If you are encrypting values that you know are unique, like credit card numbers or social security numbers, Thales recommends that you apply IVs at the column-level.
Your options for the IV field of the Column Properties section are as follows:
user-specified IV for column – You supply a single IV for an entire column.
random IV for column – The CipherTrust Manager provides one randomly generated IV that is used to encrypt all values in a column.
random IV for each field – The CipherTrust Manager provides a randomly generated IV for each value in a column. With this option, the CipherTrust Manager adds a column for the IV to the base table.
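The two IV scopes described above, worked through as an added example that is not part of this page or of the CipherTrust Manager's own code. The Go program below uses AES-256 in CBC mode from Go's standard library: with a column-level IV, two identical names encrypt to the same bytes and an exact search only has to encrypt the search value and compare ciphertexts; with a random IV per field (stored in an extra IV column, modelled here by Row.IV), the same names encrypt differently and every row must be decrypted before it can be compared. The key, the column IV and the names are constructed sample values; the functions, the Row type and the PKCS5 helper are this example's own, not an API of the product.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// pkcs5Pad appends 1..16 bytes, each holding the pad length, so the input
// becomes a whole number of AES blocks (the scheme the page calls PKCS5).
func pkcs5Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// runCBC applies AES-CBC to block-aligned src. A 16, 24 or 32-byte key selects
// AES-128, -192 or -256; iv must be exactly one 16-byte block.
func runCBC(key, iv, src []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize || len(src)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("iv must be %d bytes and src block-aligned", aes.BlockSize)
	}
	mode := cipher.NewCBCEncrypter(block, iv)
	if decrypt {
		mode = cipher.NewCBCDecrypter(block, iv)
	}
	out := make([]byte, len(src))
	mode.CryptBlocks(out, src)
	return out, nil
}

// Row is one stored field. IV is nil under a column-level IV and holds the
// per-field IV (the extra IV column added to the base table) otherwise.
type Row struct{ Ciphertext, IV []byte }

// encryptColumn encrypts every value of a column. perField=true draws a fresh
// random IV for each value; otherwise the single columnIV is reused for all.
func encryptColumn(key, columnIV []byte, values []string, perField bool) ([]Row, error) {
	var rows []Row
	for _, v := range values {
		var row Row
		iv := columnIV
		if perField {
			iv = make([]byte, aes.BlockSize)
			if _, err := rand.Read(iv); err != nil {
				return nil, err
			}
			row.IV = iv
		}
		ct, err := runCBC(key, iv, pkcs5Pad([]byte(v)), false)
		if err != nil {
			return nil, err
		}
		row.Ciphertext = ct
		rows = append(rows, row)
	}
	return rows, nil
}

// findExact returns the indexes of rows whose plaintext equals needle. Under a
// column-level IV the search value is encrypted once and matched as ciphertext,
// so no row is decrypted. Under field-level IVs there is no single ciphertext to
// match, so each row is decrypted under its own IV and compared to the padded needle.
func findExact(key, columnIV []byte, rows []Row, needle string) ([]int, error) {
	padded := pkcs5Pad([]byte(needle))
	needleCT, err := runCBC(key, columnIV, padded, false)
	if err != nil {
		return nil, err
	}
	var hits []int
	for i, r := range rows {
		candidate, target := r.Ciphertext, needleCT // column-level: compare ciphertexts
		if r.IV != nil { // field-level: this row must be decrypted first
			pt, err := runCBC(key, r.IV, r.Ciphertext, true)
			if err != nil {
				return nil, err
			}
			candidate, target = pt, padded
		}
		if bytes.Equal(candidate, target) {
			hits = append(hits, i)
		}
	}
	return hits, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed AES-256 demo key, not a real secret
	columnIV := []byte("fedcba9876543210")            // constructed column-level IV
	names := []string{"Alice Smith", "Bob Jones", "Alice Smith"}
	for _, perField := range []bool{false, true} {
		rows, _ := encryptColumn(key, columnIV, names, perField)
		hits, _ := findExact(key, columnIV, rows, "Alice Smith")
		fmt.Printf("perField=%v identical=%v hits=%v\n",
			perField, bytes.Equal(rows[0].Ciphertext, rows[2].Ciphertext), hits)
	}
}
```

Both runs find rows 0 and 2, but only the column-level run gets there without touching the key for each row; the field-level run decrypts all three. That is the performance trade-off the next paragraph describes, and it is why the column-level option is the sensible one for values that are unique anyway, where identical plaintexts, and therefore identical ciphertexts, cannot occur.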
Padding
The CipherTrust Manager automatically selects a padding scheme before data is migrated. One of two methods is used:
PKCS5 Padding – This scheme is used when encrypting with symmetric keys (AES, DES, and ARIA).
No Padding – This scheme is used when the column’s data type is CHAR or CHARACTER and the column’s original width is an exact multiple of the encryption block size.
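The selection rule above, worked through as an added example that is not the CipherTrust Manager's own code. The Go program implements PKCS5 padding and un-padding (with the trailer checks a decryptor needs), a selectPadding function that applies the page's rule, and a prepare function that returns the bytes a CBC-mode block cipher would consume for a value, which is also the length of the resulting ciphertext. It assumes a 16-byte AES block (DES and DES-EDE use 8) and that the database stores CHAR/CHARACTER values space-padded to their declared width in a single-byte character set; that storage behaviour is an assumption about the database, not something the page states. The sample value and column definitions are constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
)

const aesBlock = 16 // AES block size in bytes; DES and DES-EDE use 8

// Scheme is the padding choice recorded for a column.
type Scheme string

const (
	PKCS5 Scheme = "PKCS5 Padding"
	None  Scheme = "No Padding"
)

// pkcs5Pad appends 1..blockSize bytes, each holding the pad length. Input that
// is already block-aligned still gains a whole extra block.
func pkcs5Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs5Unpad strips the padding, rejecting any length or trailer that pkcs5Pad
// could not have produced.
func pkcs5Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("padded data must be a non-empty multiple of the block size")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize || !bytes.Equal(data[len(data)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("malformed PKCS5 padding")
	}
	return data[:len(data)-n], nil
}

// isFixedWidth reports whether dataType names a CHAR/CHARACTER column.
func isFixedWidth(dataType string) bool {
	t := strings.ToUpper(strings.TrimSpace(dataType))
	return t == "CHAR" || t == "CHARACTER"
}

// selectPadding applies the rule from the page: a CHAR/CHARACTER column whose
// declared width is an exact multiple of the block size needs no padding,
// because every stored value is already block-aligned; anything else gets PKCS5.
func selectPadding(dataType string, width, blockSize int) Scheme {
	if isFixedWidth(dataType) && width > 0 && width%blockSize == 0 {
		return None
	}
	return PKCS5
}

// prepare returns the block-aligned bytes a CBC-mode cipher would encrypt for
// value; the ciphertext has the same length. Fixed-width CHAR values are
// space-padded to the declared width (assumed single-byte characters), as the
// database stores them, before the padding scheme is applied.
func prepare(dataType string, width, blockSize int, value string) ([]byte, error) {
	data := []byte(value)
	if isFixedWidth(dataType) {
		if len(data) > width {
			return nil, fmt.Errorf("value of %d bytes exceeds %s(%d)", len(data), dataType, width)
		}
		data = append(data, bytes.Repeat([]byte{' '}, width-len(data))...)
	}
	if selectPadding(dataType, width, blockSize) == PKCS5 {
		return pkcs5Pad(data, blockSize), nil
	}
	return data, nil // exactly width bytes, already a multiple of the block size
}

func main() {
	for _, c := range []struct {
		typ   string
		width int
	}{{"CHAR", 16}, {"CHAR", 20}, {"VARCHAR", 16}} {
		out, _ := prepare(c.typ, c.width, aesBlock, "ACCT-00001234") // constructed sample value
		fmt.Printf("%s(%d): %s, %d bytes to encrypt\n", c.typ, c.width, selectPadding(c.typ, c.width, aesBlock), len(out))
	}
}
```

The point the rule is protecting against is visible in the CHAR(16) case: PKCS5 never emits an empty pad, so a value that already fills a whole block would grow by a full extra block (16 to 32 bytes), while the aligned CHAR column can be encrypted as-is and decrypted back to exactly its declared width with nothing to strip. CHAR(20) is not aligned, so it is space-padded to 20 and then PKCS5-padded to 32, and a VARCHAR of any width always gets PKCS5 because its values have no fixed length.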
Replacement Values
If a database user attempts to access encrypted data to which they do not have decryption permission, the system returns an error message. You can specify the content of those permission-related errors using the replacement values feature. Refer to Error Replacement for details.