Administration
Overview
CipherTrust Vaultless Tokenization (CT-VL) is a platform-independent appliance (virtual machine or bare-metal) that offers REST-API services to protect sensitive data. CT-VL offers three service categories for protecting sensitive data:
Tokenization Service: Tokenization is used for replacing sensitive data with tokenized, or encrypted, data. Tokenized data retains the format of the original data while protecting it from theft or compromise. For example, if a company accepts customer credit card numbers, those numbers can be tokenized and stored as random-looking numbers, then detokenized by an employee or application with the proper permissions.
Tokenization is frequently used for sensitive data such as credit card numbers, social security numbers, driver's licenses, or other personally identifiable information (PII). Data masking can be applied to any detokenized data to hide sections of the data from different groups of users. For example, less-privileged database users might view only the last four digits of a detokenized credit card number, while a more privileged user could view the entire card number.
CT-VL uses the CipherTrust Manager (CM) to store the AES keys to tokenize and detokenize sensitive data.
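The following script is an added illustration of the two properties described above, format-preserving tokenization with a Luhn-valid result and group-based data masking. It is not CT-VL code and does not implement the product's FF1, FF3, or Random algorithms: the reversible transform is a hypothetical teaching cipher (an HMAC-SHA256 Feistel network over digit strings), the key is a constructed constant standing in for a key served by CipherTrust Manager, and the group names and masking rules are assumptions chosen for the example.

```python
import hashlib
import hmac


def luhn_check_digit(body: str) -> str:
    """Return the digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # the digit nearest the check position is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return len(number) >= 2 and number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


class ToyDigitFpe:
    """Keyed, reversible, length-preserving transform on digit strings.

    Hypothetical teaching cipher: an unbalanced Feistel network with HMAC-SHA256
    as the round function. It shows the shape of a format-preserving algorithm
    (the same idea underlies FF1/FF3) but is NOT FF1, NOT FF3 and not for production.
    """

    def __init__(self, key: bytes, rounds: int = 10):
        self.key = key
        self.rounds = rounds

    def _f(self, i: int, other: int, width: int) -> int:
        # Round function: keyed hash of the round index and the other half.
        msg = bytes([i]) + f"{other:0{width}d}".encode()
        return int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest(), "big")

    def _split(self, digits: str):
        if not digits.isdigit() or len(digits) < 2:
            raise ValueError("need a digit string of length >= 2")
        u = len(digits) // 2
        v = len(digits) - u
        return u, v, int(digits[:u]), int(digits[u:])

    def encrypt(self, digits: str) -> str:
        u, v, a, b = self._split(digits)
        for i in range(self.rounds):
            if i % 2 == 0:
                a = (a + self._f(i, b, v)) % 10**u
            else:
                b = (b + self._f(i, a, u)) % 10**v
        return f"{a:0{u}d}{b:0{v}d}"

    def decrypt(self, digits: str) -> str:
        u, v, a, b = self._split(digits)
        for i in reversed(range(self.rounds)):
            if i % 2 == 0:
                a = (a - self._f(i, b, v)) % 10**u
            else:
                b = (b - self._f(i, a, u)) % 10**v
        return f"{a:0{u}d}{b:0{v}d}"


def tokenize_luhn(fpe: ToyDigitFpe, pan: str) -> str:
    """Luhn-preserving tokenization: transform the body, recompute the check digit."""
    if not luhn_valid(pan):
        raise ValueError("input must be a Luhn-valid number")
    body = fpe.encrypt(pan[:-1])
    return body + luhn_check_digit(body)


def detokenize_luhn(fpe: ToyDigitFpe, token: str) -> str:
    body = fpe.decrypt(token[:-1])
    return body + luhn_check_digit(body)


# Assumed masking policy: group -> (leading digits shown, trailing digits shown).
MASK_POLICIES = {"support": (0, 4), "analyst": (6, 4), "admin": None}


def mask(value: str, group: str) -> str:
    """Apply the group's masking rule to a detokenized value."""
    policy = MASK_POLICIES[group]
    if policy is None:
        return value
    head, tail = policy
    hidden = max(len(value) - head - tail, 0)
    return value[:head] + "*" * hidden + value[len(value) - tail:]


if __name__ == "__main__":
    fpe = ToyDigitFpe(b"constructed-demo-key")  # constructed key, not from a CM
    pan = "4111111111111111"                    # well-known test card number
    token = tokenize_luhn(fpe, pan)
    print(token, luhn_valid(token), detokenize_luhn(fpe, token) == pan)
    for group in MASK_POLICIES:
        print(group, mask(detokenize_luhn(fpe, token), group))
```

The token keeps the original length, stays all-digit and passes a Luhn check, which is what lets it flow through systems that validate card numbers; detokenization returns the original value, and the mask is applied only to the detokenized output according to the caller's group.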
Cryptographic Services: CT-VL can be used to protect sensitive data using encryption. It can be used to encrypt, decrypt, sign, and verify data which can be tied to specific keys and user permissions. CT-VL uses the CipherTrust Manager (CM) to store the keys for encryption.
Key Management Services: CT-VL can be used to manage keys stored on the CM. It can create, modify, search, import, and export keys on the CM, and perform many other key operations.
All the services above are available as REST-APIs which can be used to integrate into the end-user's application.
To achieve high performance and reliability (in the form of redundancy), multiple CT-VL appliances (virtual machines) can be configured to form a cluster. The cluster operates as one coherent CT-VL system and can be fronted by a load balancer.
CT-VL can run as a virtual machine and is supported on many hypervisors and cloud platforms, namely, VMware vSphere, Kernel-based Virtual Machine (KVM), HyperV, Amazon Web Services (AWS), Microsoft Azure Marketplace, and Google Cloud Platform (GCP).
CT-VL can also run on a physical machine (bare-metal). The software product is available in ISO format installable on bare metal machines. All settings applicable to a virtual machine are also applicable to the physical machine.
Note
CipherTrust Vaultless Tokenization (CT-VL), formerly known as Vormetric Tokenization Server (VTS) and CipherTrust Tokenization Server (CTS), has been renamed to conform with several other former Thales Vormetric products adopting the brand name CipherTrust.
Interfaces
CT-VL has three forms of user-interface:
Command-Line Interface (CLI): This interface is available using the SSH protocol. It is used by the administrators to install, configure, and maintain the CT-VL virtual machine and cluster.
Web User Interface: This interface is used by the administrators to manage users, groups, keys, policies (templates), permissions, data masking, and other administrative functions used for tokenization.
REST API: This interface is used for tokenization, cryptographic, and key management operations. Administrative operations are also available using REST APIs. These APIs are also documented in YAML files located under Documentation in the CT-VL Administration WebUI.
Component Architecture
Multiple CT-VL appliances can be set up to form a cluster to achieve high performance and availability. CT-VL in a cluster uses bi-directional replication to synchronize data across all virtual machines. In addition, CT-VL supports connection to multiple CMs in a cluster to achieve high availability for key access.
A minimum of two CT-VL nodes in a cluster is recommended for redundancy.
A maximum of 16 nodes is supported.
A load balancer can be used to achieve higher performance by using multiple virtual machines and automatically distributing the load across all nodes in the cluster.
Below is the CT-VL architecture diagram:
Authentication and Authorization
CT-VL requires a CM to obtain the keys to tokenize and encrypt sensitive data. Keys are not persistent and are never stored on the CT-VL virtual machine; CT-VL only caches keys in memory for a brief period to achieve high performance.
In addition to locally created users and groups, CT-VL can also use a Windows AD or LDAP server to authenticate users performing tokenization, encryption, and key management. These directories can also serve as the identity source for mapping users and groups to tokenization policies (templates), encryption policies, and key management access.
Moreover, CT-VL supports client-certificate identity and authentication.
Refer to Understanding CT-VL Authentication and Authorization for further information.
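The key-handling model above (keys fetched from the CM, held only in process memory for a short time, never written to disk) is illustrated by the added example below. It is not CT-VL's implementation: the fetch callback, the TTL value, the injectable clock and the key identifiers are all assumptions made for the example, and the callback stands in for a call to CipherTrust Manager.

```python
import time
from typing import Callable, Dict, Tuple


class TransientKeyCache:
    """In-memory, TTL-bounded cache for key material (illustrative only).

    Keys are obtained from `fetch` (standing in for a CipherTrust Manager
    call), kept only in process memory as bytearrays, and dropped once `ttl`
    seconds have passed. Eviction overwrites the buffer before releasing it
    (best effort; Python cannot guarantee that no copy survives).
    """

    def __init__(self, fetch: Callable[[str], bytes], ttl_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Tuple[bytearray, float]] = {}  # key_id -> (material, expires_at)
        self.fetches = 0  # number of round trips to the key source

    def get(self, key_id: str) -> bytes:
        """Return key material, fetching it only if absent or expired."""
        now = self._clock()
        entry = self._entries.get(key_id)
        if entry is not None and entry[1] > now:
            return bytes(entry[0])
        if entry is not None:
            self._evict(key_id)  # expired: wipe before refetching
        material = bytearray(self._fetch(key_id))
        self.fetches += 1
        self._entries[key_id] = (material, now + self._ttl)
        return bytes(material)

    def _evict(self, key_id: str) -> None:
        material, _ = self._entries.pop(key_id)
        for i in range(len(material)):
            material[i] = 0

    def purge_expired(self) -> int:
        """Drop every expired entry; returns how many were wiped."""
        now = self._clock()
        expired = [k for k, (_, exp) in self._entries.items() if exp <= now]
        for k in expired:
            self._evict(k)
        return len(expired)

    def clear(self) -> None:
        for k in list(self._entries):
            self._evict(k)

    def size(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    # Constructed stand-in for the key source: returns a fixed 32-byte value.
    def fake_fetch(key_id: str) -> bytes:
        return b"\x11" * 32

    cache = TransientKeyCache(fake_fetch, ttl_seconds=5.0)
    cache.get("demo-key-id")
    cache.get("demo-key-id")
    print("fetches:", cache.fetches, "cached:", cache.size())
```

Two design points matter here: the cache returns copies, so callers hold `bytes` objects that cannot be wiped and must be short-lived themselves, and the clock is injectable so the expiry behaviour can be tested without sleeping.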
Supported Tokenization Algorithms
CT-VL supports the following tokenization algorithms:
FF3
FPE-luhn
Dates
Random
Random-luhn
FF1
FF1-luhn
Supported Character Sets
CT-VL supports the following character sets for tokenization:
Numeric
Alphanumeric
Printable ASCII
Custom character sets
Supported Cryptographic Operations
CT-VL supports the following cryptographic operations:
Encrypt
Decrypt
Sign
Verify
Supported Tokenization Operations
CT-VL supports the following tokenization operations:
Tokenize
Detokenize
Supported Key Operations
CT-VL supports the following key operations:
Create
Import
Destroy
Modify
Find
Export