Administration
CipherTrust Teradata Protection (CTP) enables column-level encryption of Teradata databases. A Teradata database consists of a Parsing Engine (PE) and any number of Access Module Processors (AMPs) that exist on nodes. Nodes are servers that can host multiple virtual AMPs (VAMPs) and, optionally, the Parsing Engine itself.
Below is the Teradata deployment diagram:
A Teradata site consists of one or more nodes. Each Teradata site requires a Key Manager, for example, the CipherTrust Manager (CM).
The following Teradata User Defined Functions (UDFs) must be installed in the Teradata database:
| UDF | Description |
|---|---|
| encrypt_cbc() | Encrypts a string provided in Unicode format. |
| decrypt_cbc() | Decrypts data that was encrypted using encrypt_cbc() and returns a string in Unicode format. |
| encrypt_int() | Encrypts a string provided as an INTEGER datatype. |
| decrypt_int() | Decrypts data that was encrypted using encrypt_int() and returns an integer value. |
| encrypt_byteint() | Encrypts a string provided as a BYTEINT datatype. |
| decrypt_byteint() | Decrypts data that was encrypted using encrypt_byteint() and returns a byteint value. |
| encrypt_smallint() | Encrypts a string provided as a SMALLINT datatype. |
| decrypt_smallint() | Decrypts data that was encrypted using encrypt_smallint() and returns a smallint value. |
| encrypt_date() | Encrypts a string provided as a DATE datatype. |
| decrypt_date() | Decrypts data that was encrypted using encrypt_date() and returns a date value. |
| encrypt_time() | Encrypts a string provided as a TIME datatype. |
| decrypt_time() | Decrypts data that was encrypted using encrypt_time() and returns a time value. |
| encrypt_timestamp() | Encrypts a string provided as a TIMESTAMP datatype. |
| decrypt_timestamp() | Decrypts data that was encrypted using encrypt_timestamp() and returns a timestamp value. |
| encrypt_fpe() | Performs format preserving encryption on a string provided in Unicode format. |
| decrypt_fpe() | Decrypts data that was encrypted using encrypt_fpe(). |
| encrypt_fpe_int() | Performs format preserving encryption on a string provided as an INTEGER datatype. |
| decrypt_fpe_int() | Decrypts data that was encrypted using encrypt_fpe_int(). |
| encrypt_fpe_byteint() | Performs format preserving encryption on a string provided as a BYTEINT datatype. |
| decrypt_fpe_byteint() | Decrypts data that was encrypted using encrypt_fpe_byteint(). |
| encrypt_fpe_smallint() | Performs format preserving encryption on a string provided as a SMALLINT datatype. |
| decrypt_fpe_smallint() | Decrypts data that was encrypted using encrypt_fpe_smallint(). |
| encrypt_ff1() | Performs format preserving FF1 encryption on a string provided in Unicode format. |
| decrypt_ff1() | Decrypts data that was encrypted using encrypt_ff1(). |
| encrypt_ff1_int() | Performs format preserving FF1 encryption on a string provided as an INTEGER datatype. |
| decrypt_ff1_int() | Decrypts data that was encrypted using encrypt_ff1_int(). |
| encrypt_ff1_byteint() | Performs format preserving FF1 encryption on a string provided as a BYTEINT datatype. |
| decrypt_ff1_byteint() | Decrypts data that was encrypted using encrypt_ff1_byteint(). |
| encrypt_ff1_smallint() | Performs format preserving FF1 encryption on a string provided as a SMALLINT datatype. |
| decrypt_ff1_smallint() | Decrypts data that was encrypted using encrypt_ff1_smallint(). |
| encrypt_string() | Provided for backward compatibility. Encrypts a string provided in Latin characters. |
| decrypt_data() | Provided for backward compatibility. Decrypts data that was encrypted using encrypt_string() and returns a string in Latin characters. |
| encrypt_char() | Encrypts Latin character sets. Note that its ciphertext is not compatible with the ciphertext output of encrypt_string() for the same plaintext and key combination. |
| decrypt_char() | Decrypts Latin character sets. |
Note
Each Teradata node requires a connection to the Key Manager, for example, the CipherTrust Manager (CM).
CTP Operation
After all the components are installed, you have access to the UDFs that can be used to encrypt and decrypt Teradata database columns. These UDFs can run in the following modes:
Normal Mode
In the Normal Mode, encrypt_cbc(), encrypt_fpe(), encrypt_ff1(), or encrypt_string() sends a cleartext string to the CipherTrust Local Cryptoserver Daemon. The Key Agent obtains a key from the CipherTrust Manager and encrypts the cleartext string. The encrypted string is then returned.
Likewise, decrypt_cbc(), decrypt_fpe(), decrypt_ff1(), or decrypt_data() sends an encrypted text string to the CipherTrust Local Cryptoserver Daemon. The Key Agent obtains the key from the CipherTrust Manager and decrypts the string. The cleartext string is then returned.
Below is the Normal Mode diagram:
Fast Mode
In the Fast Mode, the encryption UDF encrypt_cbc(), encrypt_fpe(), encrypt_ff1(), or encrypt_string() encrypts a cleartext string locally inside the UDF. The encrypted string is then returned.
Likewise, the decryption UDF decrypt_cbc(), decrypt_fpe(), decrypt_ff1(), or decrypt_data() decrypts an encrypted text string locally inside the UDF. The cleartext string is then returned.
Below is the Fast Mode diagram:
Managing User Access Control (Whitelist and Blacklist)
CTP supports coarse-level access control and identity-based access control. Whitelisting and blacklisting CTP users is particularly useful for preventing internal threats to your Teradata database.
To control which users can execute the UDFs, create blacklists and whitelists for the UDFs. Add users to the deny_decrypt.conf blacklist to prevent the specified users from executing decryption UDFs. Add users to the allow_decrypt.conf whitelist to allow only those specific users to execute decryption UDFs. Similar blacklist and whitelist configuration files are available for controlling access to encryption UDFs, namely the deny_encrypt.conf and allow_encrypt.conf files.
By whitelisting approved users of the middleware (the business logic), all others, including the Teradata database administrators, are blocked from accessing sensitive data.
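The effect of the four list files, modelled in Python so an administrator can check who ends up able to call the encryption and decryption UDFs before rolling the files out. This is an added example, not CipherTrust code, and it assumes a file format of one user name per line with `#` comments, case-insensitive user names, and that a deny entry overrides an allow entry; CTP's real parser and precedence rules are not described on this page.

```python
"""Model of CTP allow/deny lists for encrypt and decrypt UDFs (added example,
not CipherTrust code). Assumptions: one Teradata user name per line, '#' starts
a comment, names compare case-insensitively, a denied user is blocked even if
also allowed, and an empty allow list means every non-denied user may call."""
from dataclasses import dataclass


def parse_user_list(text: str) -> set[str]:
    """Parse a list file's contents into a set of lower-cased user names (assumed format)."""
    users = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if line:
            users.add(line.lower())
    return users


@dataclass
class UdfAccessPolicy:
    allow_decrypt: set[str]
    deny_decrypt: set[str]
    allow_encrypt: set[str]
    deny_encrypt: set[str]

    @classmethod
    def from_files(cls, files: dict[str, str]) -> "UdfAccessPolicy":
        """Build the policy from the four CTP list files ({filename: contents}); missing files are empty."""
        get = lambda name: parse_user_list(files.get(name, ""))
        return cls(get("allow_decrypt.conf"), get("deny_decrypt.conf"),
                   get("allow_encrypt.conf"), get("deny_encrypt.conf"))

    @staticmethod
    def _decide(user: str, allow: set[str], deny: set[str]) -> bool:
        u = user.lower()
        if u in deny:              # assumed: deny list wins over allow list
            return False
        return not allow or u in allow  # assumed: empty allow list = no restriction

    def may_decrypt(self, user: str) -> bool:
        return self._decide(user, self.allow_decrypt, self.deny_decrypt)

    def may_encrypt(self, user: str) -> bool:
        return self._decide(user, self.allow_encrypt, self.deny_encrypt)


# Constructed sample files: the middleware account is whitelisted for decryption,
# so a DBA account (not listed) cannot read cleartext; etl_batch is allowed but
# also denied, so it is blocked. No allow_encrypt.conf exists, so encryption is open.
SAMPLE_FILES = {
    "allow_decrypt.conf": "# middleware service account\nAppSvc\netl_batch\n",
    "deny_decrypt.conf": "etl_batch\n",
    "deny_encrypt.conf": "# nobody denied\n",
}
POLICY = UdfAccessPolicy.from_files(SAMPLE_FILES)
```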
Creating Profiles for Invoking UDFs
To streamline the invocation of the encrypt_cbc(), decrypt_cbc(), encrypt_fpe(), decrypt_fpe(), encrypt_ff1(), and decrypt_ff1() UDFs, CTP uses the profiles.conf file. This file contains named profiles that group several values required as input to these UDFs. Provide the profile name as a parameter when invoking the UDF. The UDF looks up the profile name and uses the parameters that are grouped under that profile name.
Note
Profiles are not supported for the encrypt_string(), decrypt_data(), encrypt_char(), and decrypt_char() UDFs.
Components
This section describes the components of CipherTrust Data Security Platform (CDSP) that are relevant to Application Encryption.
CipherTrust Manager
Use a key manager as a policy engine and a central key and policy manager. CTP supports the CipherTrust Manager (CM) as the key manager. The key manager stores and manages host encryption keys, data access policies, administrative domains, and administrator profiles.
Key Agent
The CipherTrust Key Agent provides a library that implements the PKCS#11 interface. This library is a dynamically loadable library (dll) on Windows and a shared object (so) on Linux and UNIX. The Key Agent's PKCS#11 library communicates over a secure channel to the key manager for all significant functionality.
CipherTrust Local Cryptoserver Daemon
In the Normal Mode, CipherTrust Local Cryptoserver Daemon accepts requests from the UDFs, forwards them to the CipherTrust Key Agent for processing, and returns the Key Agent output to the respective UDF.