Please Note:

Administration
Quick Start
DPG Workflow
Alternative Deployment Methods
- Deploy DPG in Kubernetes Environment (without Helm Chart)
- Deploy DPG as a Standalone Container
How to Run a Demo
- Create Policies, Configurations, Registration Token through REST API from API Playground
Advanced Topics
- Concepts
- Environment Variables
- Audit Logging
- Upgrade DPG
Tasks
- Change Key Manager
- Change the Application Server
- Fetch logs
- Enable TLS between Client and DPG
- Configure Authentication Scheme
- Manually renew client certificate
- Monitoring DPG health
Troubleshooting

CipherTrust DPG
Administration
Advanced Topics
Concepts

Concepts

Application

An application, configured on the CipherTrust Manager, contains the necessary configurations that are required to describe the REST API endpoint of an application and how to protect data. It also contains the configuration parameters for DPG. The application includes:

Name: friendly label to describe the application to be protected.
Settings: configuration parameters required to initialize and configure DPG associated to an application.
Settings include:
- SSL configuration: allows you to configure the CA (Certificate Authority).
- CSR: allows you to configure parameters required to create or renew client certificates.
- Logging: where you can select the appropriate logging level.
- Connection configuration: parameters that allow you to set timeout values and a few other parameters.
- Local encryption: parameter to set key cache expiry.

DPG policy

DPG policy is a set of rules that determines when and how to protect/reveal sensitive data moving through DPG. DPG can protect/reveal any data that is transferred through a REST API call in JSON format. The sensitive data is specified by its location in JSON or in URL parameters. DPG allows you to configure on which data the cryptographic operations are to be performed in each REST method (POST, GET, PUT, PATCH, DELETE). Protection of the sensitive data is governed by the Protection Policy associated with the DPG policy. DPG policy is created at the time of configuring an Applications.

Protection policy

Protection policy defines a set of rules that govern the cryptographic operation. The protection policy includes entities such as algorithm, key, IV, access policy name, and character set. Refer to Managing Protection Policy for details.

Access policy

Access policies contain set of rules that govern how the decrypted data will be revealed based on the user. Each access policy has a default reveal format for any " user" that is not part of any user set. Access policy can act differently for different users sets. Refer to Managing Access Policy for details.

User set

A user set is a collection of users that you want to grant or deny access to reveal data. User sets are configured in access policies. Policies can be applied to user sets, not to individual users. Refer to Managing User Set for details.

Heartbeat

Heartbeat is a lightweight mechanism that allows DPG to poll the CipherTrust Manager for any change in policies and/or configurations. Refer to Heartbeat Configuration for details.

Key caching

The key caching feature allows DPG to securely cache a copy of the in-use key that it received from the CipherTrust Manager , and store it for a limited time to perform cryptographic operations locally. Keys cached on DPG are stored in secured process memory only; they are not stored on disk. Only keys that are marked exportable can be cached.

Suggest A Change

Concepts

Application

DPG policy

Protection policy

Access policy

User set

Heartbeat

Key caching

On this page