CT-VL Services
CipherTrust Vaultless Tokenization (CT-VL) is a platform-independent appliance (virtual machine or bare-metal) that offers REST-API services to protect sensitive data.
CT-VL Core Services
CT-VL offers the following service categories for handling sensitive data:
- Tokenization service: Tokenization is frequently used for sensitive data such as credit card numbers, social security numbers, driver's licenses, or other personally identifiable information (PII). Data masking can be applied to any detokenized data to hide sections of the data from different groups of users.
For example, less-privileged database users can view only the last four digits of a detokenized credit card number, while a more privileged user can view the entire card number.
The CipherTrust Tokenization REST APIs are used to integrate this functionality into a developer’s application.
- Cryptographic Services: CT-VL can be used to protect sensitive data using encryption. It can encrypt, decrypt, sign, verify, and hash data. These operations can be associated with specific keys and user permissions. CT-VL uses the CM to store the keys used for encryption.
Components in a CT-VL Deployment
CT-VL deployment consists of the following components:
- CipherTrust Vaultless Tokenization Server
- CipherTrust Manager (CM)
- LDAP/Active Directory Server (optional)
- Remote Logging Server (optional)
- Load Balancer (optional)
- SNMP Server (optional)
Tokenization
- Replaces sensitive data in databases with tokens. This reduces the number of places in which plaintext credit card numbers reside, and thus reduces the scope of complying with the Payment Card Industry Data Security Standard (PCI DSS) and corporate security policies.
- Preserves the format of data in a way that reduces the operational impact associated with encryption and other obfuscation techniques. For example, you can tokenize a credit card field in a database, yet keep the tokenized information in a format that is compatible with associated applications.
- Enables outsourcing application testing and running analytics without giving access to sensitive assets, because the format of the data has been preserved. To outsource, you can create a copy of the production database and give that copy to the outsourced development team.
- Creates strong separation of duties between privileged administrators and data owners. In this way, IT administrators, such as hypervisor, cloud, storage, and system administrators, can perform their tasks without access to the sensitive data residing on those systems.
- Enables dynamic data masking to establish varying levels of data redaction for different database users. For example, you can enable customer service personnel to access the last four digits of a customer's credit card number, while an accounts payable representative can access the full credit card number.
- Integrates tokenization users with existing LDAP-based identity directories. Security teams can efficiently set granular tokenization policies for specific users and groups.
- Provides high-performance cryptographic operations to protect sensitive data: encrypt, decrypt, sign, and verify. CT-VL supports batch encryption and decryption of data in bulk to achieve high performance.
- Provides an alternate way of managing keys on the CM.
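The group-based dynamic masking described above (last four digits for customer service, the full number for accounts payable), as an added Python example that is not CT-VL's own code or REST API: the policy table, the group names and the token store are constructed stand-ins, and the mask keeps separators in place so the output stays in the original card-number format.

```python
from typing import Callable, Optional

# Constructed masking policy (hypothetical, not a CT-VL configuration):
# group name -> number of trailing digits a member may see after
# detokenization; None means the full value is returned.
MASK_POLICY = {
    "customer_service": 4,
    "accounts_payable": None,
}


def mask_value(value: str, reveal_last: Optional[int], mask_char: str = "X") -> str:
    """Replace every digit except the last `reveal_last` with `mask_char`.

    Non-digit characters (spaces, dashes) are kept where they are, so the
    masked output preserves the original format. A value with fewer digits
    than `reveal_last` is returned unchanged; None disables masking.
    """
    if reveal_last is None:
        return value
    digit_positions = [i for i, c in enumerate(value) if c.isdigit()]
    # Positions of the digits that must be hidden: all but the trailing ones.
    to_mask = set(digit_positions[: max(len(digit_positions) - reveal_last, 0)])
    return "".join(mask_char if i in to_mask else c for i, c in enumerate(value))


def detokenize_for_group(token: str, group: str, lookup: Callable[[str], str]) -> str:
    """Detokenize via `lookup` (a stand-in for the tokenization service) and
    apply the caller's group policy. A group with no policy entry gets the
    strictest treatment: every digit is masked (reveal 0), never the full value.
    """
    plaintext = lookup(token)
    reveal = MASK_POLICY.get(group, 0)
    return mask_value(plaintext, reveal)


# Constructed sample token store standing in for the tokenization service.
_SAMPLE_STORE = {"tok-0001": "4111 1111 1111 1111"}

if __name__ == "__main__":
    for group in ("customer_service", "accounts_payable", "intern"):
        print(f"{group:17} {detokenize_for_group('tok-0001', group, _SAMPLE_STORE.__getitem__)}")
```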
Cryptographic Services
CT-VL supports two types of keys:
- Symmetric
- Asymmetric
Each type of key uses different algorithms and can be used for different actions. User permissions to encrypt, decrypt, sign, verify, or hash (digest) must be associated with particular keys.
Supported Algorithms with CM
Encryption and Decryption Algorithms
- RSA - RSA encryption and decryption for 1024, 2048, and 4096-bit keys
- A128CBC/A256CBC - AES 128 and 256-bit with CBC cipher
- A128CBCPAD/A256CBCPAD - AES 128 and 256-bit with CBC cipher with padding
- A128ECB/A256ECB - AES 128 and 256-bit with ECB cipher
- AES-CTR and AES-GCM algorithms
Sign and Verify Algorithms
- RSA - RSA sign and verify for 1024, 2048, and 4096-bit keys
- HS224 - HMAC-SHA224 sign and verify
- HS256 - HMAC-SHA256 sign and verify
- HS384 - HMAC-SHA384 sign and verify
- HS512 - HMAC-SHA512 sign and verify
Cryptographic Hash (Digest) Algorithms
- S224 - SHA224 cryptographic hash
- S256 - SHA256 cryptographic hash
- S384 - SHA384 cryptographic hash
- S512 - SHA512 cryptographic hash