Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Tasks

Decrypt a column

search

Please Note:

printsuggest an edit

Decrypt a column

When you decrypt a column:

  1. The column containing the ciphertext is copied to a temporary table along with the identity column and the IV column if there is one.

  2. The ciphertext is sent to the pdbctl utility along with the IV for decryption.

  3. The pdbctl utility returns the plaintext data to the database, and the plaintext is inserted into the original column. Remember that when the data was originally encrypted, another column was created and the original column was set to NULL after deleting the old data.

  4. After the plaintext data is inserted into the column, any new columns that were created during the migration are dropped. These might include the column that held the ciphertext, the IV column, and the identity column.

Important Notes

  • Although decryption restores the plaintext data and drops the columns created during data encryption, it does not restore any constraints lost during encryption. If you want to return a database to its true pre-migration state, restore a backup.

  • The Database User Login that you specified while configuring the database connection to CipherTrust Manager must be mapped to the owner of the key that was used for encryption/key rotation. If this is not the case, the decryption stops with an error.

  • When data is encrypted using a versioned key, the resulting ciphertext contains information in its header indicating which version of the key was used. This header is 3-byte long. During decryption or verification process, the pdbctl utility parses this information and applies the correct key version. There is no need to specify the key version. While using versioned keys, to decrypt the data, at least one version of the key must be Active. If the version of the key is retired key, an exception is thrown.

copy link to clipboardPrerequisite

The pdbctl utility is installed. Refer to the pdbctl utility documentation for details.

copy link to clipboardSteps

To unencrypt columns of a table, run the following command:

./pdbctl unmigrate <col1 col2 ...> -a <database_alias> -t <table_name>

copy link to clipboardFlags description

The following table describes the flags and parameters associated with this command:

FlagData TypeDescription
-bintBatch size to be unmigrated. The value must be an integer. This is an optional parameter.
Default values:
> 1 - For large data types
> 1000 - For other data types.
-astringDatabase alias associated with the database user.
-hFlag to view help for unmigrate command.
-tstringTable name to be decrypted.
--verbosePrint verbose logs.

Note

  • When performing unencryption of large data types with batch size > 1, the following message is displayed:
    Unencrypting large datatype column(s) with batch size greater than 1 fails if it contains any data greater than 3936.

  • Continue only if the data length is ≤ 3936, otherwise, use the default batch size.

copy link to clipboardExample

The following sample command decrypts the column CITY in the table CUSTOMERS associated with alias demo:

./pdbctl unmigrate -a demo -t CUSTOMERS CITY

The output shows the status of the operation:

Processing...
: Job Id 135 |
Status :success

To check the encryption parameters for the columns in the table CUSTOMERS, use the listcolumns command.

./pdbctl listcolumns -a demo -t CUSTOMERS

The output is:

---------------------------------------------------------------
Column name: CUSTOMER_ID
Column type: NUMBER
Column width: 10
Column key: aes256
Column Algorithm: AES
Column Migrated: false
Column IV: 8D74E7CC0E659F2D8A8BC417750856FE
---------------------------------------------------------------

Tip

After decrypting a table, it is recommended to remove the un-needed ciphertext. Refer to Delete data after encryption/decryption for details.

On this page