Error Replacement
If a database user attempts to access encrypted data to which they do not have decryption permission, the system returns an error message. The content of those permission-related errors can be specified using the replacement values feature.
The replacement value is used only if the user has no decryption permissions. If an error results from the user’s authorization policy (i.e., the decryption request occurs outside the usage period or exceeds the maximum operations per hour), the actual error is returned. This is done for two reasons. First, returning a policy violation error acts as an alert of a possible attack. Second, returning this error ensures that the same query always yields the same results. If a query could return either the replacement value or legitimate plaintext, without any way of indicating which was returned, data in the client application could be corrupted.
If users without sufficient permissions access the migrated data, CDP can be configured to return any of the following:
Standard “insufficient permissions” error
NULL value (not the error)
User-specified error replacement value
Encrypted value (for FPE encryption)
By using the replacement value together with the default user mapping, it can be ensured that all unauthorized database users receive the same message when attempting to access the encrypted data.
Important Notes
A user with select, update, and delete privileges can delete data from a migrated table based on the error replacement values.
Replacement values are not returned if a query yields a NULL value. When a query results in a NULL value, no cryptographic process is required, so the CDP does not interact with the NAE Server and the replacement values feature is not activated.
For large object data types, CDP does not support the user-defined error replacement value. Standard error and NULL value replacement are supported.
If the Error Replacement feature is configured, the Error Replacement Value is returned only to unauthorized users.
The Error Replacement feature will not work if the CipherTrust Manager is unreachable.
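The first note above means that DELETE or UPDATE statements filtered on the replacement value deserve review. The following is an added example, not part of the product documentation: a Python check that scans database audit records for such statements. The audit record layout, the table and column names, and the replacement value XXXX-XXXX are constructed assumptions.

```python
import re

# Assumption: the replacement value configured for the protected column.
REPLACEMENT_VALUE = "XXXX-XXXX"  # constructed placeholder

# Constructed audit records: (database user, SQL statement text).
SAMPLE_AUDIT = [
    ("app_ro", "SELECT name, ssn FROM customers WHERE id = 7"),
    ("batch1", "DELETE FROM customers WHERE ssn = 'XXXX-XXXX'"),
    ("batch1", "UPDATE customers SET status = 'x' WHERE ssn IN ('XXXX-XXXX', '1')"),
    ("dba", "DELETE FROM customers WHERE id = 12"),
    ("app_rw", "UPDATE customers SET note = 'XXXX-XXXX' WHERE id = 3"),
]

DML = re.compile(r"^\s*(DELETE|UPDATE)\b", re.IGNORECASE)
WHERE = re.compile(r"\bWHERE\b(.*)$", re.IGNORECASE | re.DOTALL)
LITERAL = re.compile(r"'((?:[^']|'')*)'")  # SQL string literal, '' = escaped quote


def predicate_literals(statement):
    """Return the string literals that appear in the WHERE clause."""
    match = WHERE.search(statement)
    if not match:
        return []
    return [lit.replace("''", "'") for lit in LITERAL.findall(match.group(1))]


def flag_replacement_dml(records, replacement=REPLACEMENT_VALUE):
    """Flag DELETE/UPDATE statements whose predicate uses the replacement value."""
    findings = []
    for user, statement in records:
        verb = DML.match(statement)
        # Only the WHERE clause is inspected: writing the value in a SET
        # clause is a different problem and is not flagged here.
        if verb and replacement in predicate_literals(statement):
            findings.append((user, verb.group(1).upper(), statement))
    return findings


if __name__ == "__main__":
    for user, verb, statement in flag_replacement_dml(SAMPLE_AUDIT):
        print(f"REVIEW {verb} by {user}: {statement}")
```

A hit is a prompt for review, not proof of misuse: compare the flagged user against the accounts that hold decryption permission for the column.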