Configure column-level encryption settings
You need to select a table and configure its desired column(s) for encryption. Columns to be encrypted are to be configured separately. You can use any of the following options to configure column-level encryption properties:
CipherTrust Manager UI. Refer to Managing Tables to for details.
You can configure column-level encryption for:
Note
To modify the existing set parameters for the column encryption, you have to set the encryption configuration for the column again. It overrides the previously set encryption parameters (only if the migration is not done after setting the encryption parameters). You may also unset the configuration of the column using the command unsetencinfo.
Configure encryption properties for standard encryption
Prerequisite
The pdbctl utility is installed.
Steps
To configure a column for standard encryption, run the following command:
./pdbctl setencinfo -a <algorithm> -c <column_name> -d <database_alias> -k <key_name> -m <mode> -t <table_name>
Flags description
The following table describes the flags and parameters associated with this command:
| Flag | Data Type | Parameter | Description |
|---|---|---|---|
| -i | string | IV | value IV value for the column to be encrypted. This is an optional parameter. |
| -a | string | Algorithm | Encryption algorithm. Possible values are: AES-128, AES-192, and AES-256. |
| -c | string | Column name | Column name to be encrypted. |
| -d | string | Database alias | Database alias associated with the database user. |
| -h | Flag to view help for setencinfo. | ||
| -k | string | Key | Key generated on Key Manager to encrypt the column. Note: The Key Manager user associated with the database alias must have encryption permission on the key. |
| -m | string | Encryption mode | Encryption mode. Possible values are: ECB and CBC. Thales recommends CBC mode for stronger encryption. |
| -t | string | Table name | Table name that contains the column to encrypt. |
| -- verbose | Print verbose logs. |
Example
The following sample command sets the encryption parameters for the column CUSTOMER_ID in the table CUSTOMERS associated with alias demo:
./pdbctl setencinfo -a AES -c CUSTOMER_ID -m CBC -d demo -k aes256 -t CUSTOMERS
To set encryption parameters for column CUSTOMER_NAME and CITY, execute the following commands one by one.
./pdbctl setencinfo -a AES -c CUSTOMER_NAME -m CBC -d demo -k aes256 -t CUSTOMERS
./pdbctl setencinfo -a AES -c CITY -m CBC -d demo -k aes256 -t CUSTOMERS
To check the encryption parameters set for the columns in the table CUSTOMERS, use the listcolumns command.
./pdbctl listcolumns -a demo -t CUSTOMERS
The output is:
---------------------------------------------------------------
Column name: CUSTOMER_ID
Column type: NUMBER
Column width: 10
Column key: aes256
Column Algorithm: AES
Column Migrated: false
Column IV: 8D74E7CC0E659F2D8A8BC417750856FE
---------------------------------------------------------------
---------------------------------------------------------------
Column name: CUSTOMER_NAME
Column type: VARCHAR2
Column width: 50
Column key: aes256
Column Algorithm: AES
Column Migrated: false
Column IV: F1CCC60627D622C0535466C0BD1F9856
---------------------------------------------------------------
---------------------------------------------------------------
Column name: CITY
Column type: VARCHAR2
Column width: 50
Column key: aes256
Column Algorithm: AES
Column Migrated: false
Column IV: 4AAC53CB10E5E344F39686B0EC53AA34
---------------------------------------------------------------
Configure encryption properties for FPE
Prerequisite
The pdbctl utility is installed.
Steps
To configure a column for FPE, run the following command:
./pdbctl setencinfofpe -a <algorithm> -c <column_name> -d <database_alias> -k <key_name> -m <cardinality> -f <fpe_format> -t <table_name>
Flags description
The following table describes the flags and parameters associated with this command:
| Flag | Data Type | Parameter | Description |
|---|---|---|---|
| -i | string | IV value | IV value for the column to be encrypted. This is an optional parameter. |
| -a | string | Algorithm | Encryption algorithm. Possible values are: AES-128, AES-192, and AES-256. |
| -c | string | Column name | Column name to be encrypted. |
| -d | string | Database alias | Database alias associated with the database user. |
| -h | Flag to view help for setencinfo. | ||
| -k | string | Key | Key generated on Key Manager to encrypt the column. Note: The Key Manager user associated with the database alias must have encryption permission on the key. |
| -m | string | Cardinality | Cardinality CARD10 or CARD62 as per the data to be migrated. > For CARD10, the length of the numeric part in the input data should be greater than one. > CARD62 is supported in local mode. |
| -f | string | FPE format | FPE format to be applied on the input plaintext to be migrated. The same format should be used during decryption of the ciphertext. The possible formats are: > FIRST_SIX > FIRST_SIX_LAST_FOUR > FIRST_TWO_LAST_FOUR > LAST_FOUR > None |
| -t | string | Table name | Table name that contains the column to encrypt. |
| -w | string | Tweak algorithm | Tweak algorithm. Possible values are: > NONE (default value) > SHA1 > SHA256 Note: This flag is applicable when NONE is entered in the FPE format flag -f. |
| --verbose | Print verbose logs. |
