Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Tasks

Configure column-level encryption settings

search

Please Note:

printsuggest an edit

Configure column-level encryption settings

You need to select a table and configure its desired column(s) for encryption. Columns to be encrypted are to be configured separately. You can use any of the following options to configure column-level encryption properties:

Note

To modify the existing set parameters for the column encryption, you have to set the encryption configuration for the column again. It overrides the previously set encryption parameters (only if the migration is not done after setting the encryption parameters). You may also unset the configuration of the column using the command unsetencinfo.

copy link to clipboardConfigure encryption properties for standard encryption

copy link to clipboardPrerequisite

The pdbctl utility is installed. Refer to the pdbctl utility documentation for details.

copy link to clipboardSteps

To configure a column for standard encryption, run the following command:

./pdbctl setencinfo -a <algorithm> -c <column_name> -d <database_alias> -k <key_name> -m <mode> -t <table_name>

copy link to clipboardFlags description

The following table describes the flags and parameters associated with this command:

FlagData TypeParameterDescription
-istringIVvalue IV value for the column to be encrypted. This is an optional parameter.
-astringAlgorithmEncryption algorithm. Possible values are: AES-128, AES-192, and AES-256.
-cstringColumn nameColumn name to be encrypted.
-dstringDatabase aliasDatabase alias associated with the database user.
-hFlag to view help for setencinfo.
-kstringKeyKey generated on Key Manager to encrypt the column.
Note: The Key Manager user associated with the database alias must have encryption permission on the key.
-mstringEncryption modeEncryption mode. Possible values are: ECB and CBC.
Thales recommends CBC mode for stronger encryption.
-tstringTable nameTable name that contains the column to encrypt.
-- verbosePrint verbose logs.

copy link to clipboardExample

The following sample command sets the encryption parameters for the column CUSTOMER_ID in the table CUSTOMERS associated with alias demo:

./pdbctl setencinfo -a AES -c CUSTOMER_ID -m CBC -d demo -k aes256 -t CUSTOMERS

To set encryption parameters for column CUSTOMER_NAME and CITY, execute the following commands one by one.

./pdbctl setencinfo -a AES -c CUSTOMER_NAME -m CBC -d demo -k aes256 -t CUSTOMERS

./pdbctl setencinfo -a AES -c CITY -m CBC -d demo -k aes256 -t CUSTOMERS

To check the encryption parameters set for the columns in the table CUSTOMERS, use the listcolumns command.

./pdbctl listcolumns -a demo -t CUSTOMERS

The output is:

---------------------------------------------------------------
Column name: CUSTOMER_ID
Column type: NUMBER
Column width: 10
Column key: aes256
Column Algorithm: AES
Column Migrated: false
Column IV: 8D74E7CC0E659F2D8A8BC417750856FE
---------------------------------------------------------------
---------------------------------------------------------------
Column name: CUSTOMER_NAME
Column type: VARCHAR2
Column width: 50
Column key: aes256
Column Algorithm: AES
Column Migrated: false
Column IV: F1CCC60627D622C0535466C0BD1F9856
---------------------------------------------------------------
---------------------------------------------------------------
Column name: CITY
Column type: VARCHAR2
Column width: 50
Column key: aes256
Column Algorithm: AES
Column Migrated: false
Column IV: 4AAC53CB10E5E344F39686B0EC53AA34
---------------------------------------------------------------

copy link to clipboardConfigure encryption properties for FPE

copy link to clipboardPrerequisite

The pdbctl utility is installed. Refer to the pdbctl utility documentation for details.

copy link to clipboardSteps

To configure a column for FPE, run the following command:

./pdbctl setencinfofpe -a <algorithm> -c <column_name> -d <database_alias> -k <key_name> -m <cardinality> -f <fpe_format> -t <table_name>

copy link to clipboardFlags description

The following table describes the flags and parameters associated with this command:

FlagData TypeParameterDescription
-istringIV valueIV value for the column to be encrypted. This is an optional parameter.
-astringAlgorithmEncryption algorithm. Possible values are: AES-128, AES-192, and AES-256.
-cstringColumn nameColumn name to be encrypted.
-dstringDatabase aliasDatabase alias associated with the database user.
-hFlag to view help for setencinfofpe.
-kstringKeyKey generated on Key Manager to encrypt the column.
Note: The Key Manager user associated with the database alias must have encryption permission on the key.
-mstringCardinalityCardinality CARD10 or CARD62 as per the data to be migrated.
> For CARD10, the length of the numeric part in the input data should be greater than one.
Note: CARD62 is not supported in DB2.
-fstringFPE formatFPE format to be applied on the input plaintext to be migrated.
Note: FPE formats are not supported in DB2, specify the value of this flag as NONE.
-tstringTable nameTable name that contains the column to encrypt.
-wstringTweak algorithmTweak algorithm. Possible values are:
> NONE (default value)
> SHA1
> SHA256
Note: This flag is applicable when NONE is entered in the FPE format flag -f.
--verbosePrint verbose logs.

On this page