Tips and Best Practices
TLSv1.2 must be used for communication with the Key Manager and the database.
If the Java environment available with the database does not support TLSv1.2 for establishing secure communication, enable only the strongest possible SSL ciphers on the Key Manager to use TLSv1.2.
It is recommended that input data have a minimum of two characters when using FPE encryption in remote mode.
It is recommended to use keys with stronger ciphers, such as AES.
It is recommended to apply IVs at the column-level.
It is recommended to use the Delete Old Data button after performing crypto operations.
Thales strongly discourages manually modifying any of the metadata tables associated with CDP.
It is recommended to use CBC mode in case of standard encryption.
It is recommended not to use global keys for encryption/decryption.
User-specified passwords, such as Client_Cert_Passphrase and Key_Store_Password, should not be used as cryptographic keys.
It is recommended to obfuscate any password before using it.
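
Why the column-level IV recommendation matters when CBC mode is used, shown as an added example that is not part of the original page and calls no CDP API: with one key and one shared IV, CBC is deterministic, so the same value stored in two columns encrypts to identical bytes. The class name, the sample value, the hypothetical column names, and the locally generated key (standing in for a key held on the Key Manager) are assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

// Added illustration using the JDK's javax.crypto; it does not call any CDP API.
public class ColumnIvDemo {

    // AES in CBC mode with PKCS#5 padding.
    static byte[] encrypt(SecretKey key, byte[] iv, String plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
    }

    // A fresh 16-byte IV (one AES block) from a cryptographic RNG.
    static byte[] randomIv() {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        return iv;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a locally generated key stands in for a Key Manager key.
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(256);
        SecretKey key = keyGen.generateKey();

        // Constructed sample: the same value stored in two hypothetical columns.
        String value = "alice@example.com";

        // One IV shared by both columns: the two ciphertexts are byte-for-byte equal,
        // so anyone reading the table can tell the columns hold the same value.
        byte[] sharedIv = randomIv();
        byte[] contactEmail = encrypt(key, sharedIv, value);
        byte[] billingEmail = encrypt(key, sharedIv, value);
        System.out.println("shared IV, equal: " + Arrays.equals(contactEmail, billingEmail));

        // One IV per column: the same plaintext no longer matches across columns.
        byte[] contactEmail2 = encrypt(key, randomIv(), value);
        byte[] billingEmail2 = encrypt(key, randomIv(), value);
        System.out.println("per-column IV, equal: " + Arrays.equals(contactEmail2, billingEmail2));
    }
}
```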