Upgrade DPG
This article describes the upgrade/migration options available from previous releases to DPG 1.3.
Steps
1. Pull the docker image for version 1.3.0.
2. Edit the values.yaml file.
3. Deploy the new version of the Helm Chart as shown below:
   helm upgrade <helm-chart-name> <path-of-helm-chart> -n <namespace>
Technical Notes
Change in protection policy version header
In DPG 1.3, there is a major change in how the protection policy version header details are returned to the user. The version header field can be configured from the CipherTrust Manager interfaces (UI and REST). DPG supports:
Disable versioning: Restricts the policy from being updated. Only Version 0 of a key will be used to protect/reveal data. When this option is used, only ciphertext is returned.
Internal version header: The version bytes are prepended to the ciphertext.
External version header: The version bytes are returned in a separate field. This field is configurable while creating an application on the CipherTrust Manager.
These topics are described in the Managing Protection Policy section.
The following sections show the difference between the version header handling in DPG 1.2 and 1.3.
DPG 1.2
Both versioned and non-versioned keys are supported.
For a protection policy with a non-versioned key, a 6-digit fixed-length field is reserved for the protection policy. For example: 200010 + Ciphertext.
For a protection policy with a versioned key, the first 6 digits are reserved for the protection policy and the next 6 digits are reserved for the key version, followed by the ciphertext. For example: 200010 + 100010 + Ciphertext.
DPG 1.3
A 7-digit length (1 001 000) is reserved for the version bytes. The first digit of the version header is always 1 and represents the decision bit. The next three digits (001) are reserved for the protection policy version. The last three digits (000) are allocated to the key version, followed by the ciphertext. The permissible version header range is 1001000 - 1999999.
Note
A maximum of 999 protection policy versions and 999 key versions are allowed.
Use cases
Initially, when a protection policy is created, the version header starts with 1001000.
If only protection policy is updated, the version header gets updated to 1002000.
If both protection policy and key are updated, the version header gets updated to 1002001.
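To make the two layouts and the use cases above concrete, here is an added example that is not DPG or CipherTrust Manager code. It only models the digit layouts this page documents (the DPG 1.2 6-digit and 12-digit internal headers, and the DPG 1.3 7-digit header with its 1001000 - 1999999 range) and walks a header through the policy/key update cases. All function and field names are this example's own, and the ciphertext strings are constructed placeholders; it also generalizes the use cases to a key-only update, which the page does not list.

```python
"""Added illustration of the DPG version-header layouts described on this page.

Not DPG or CipherTrust Manager code. Modelled layouts (from the page):
  DPG 1.2, non-versioned key : PPPPPP + ciphertext             (6 digits)
  DPG 1.2, versioned key     : PPPPPP + KKKKKK + ciphertext    (12 digits)
  DPG 1.3, internal header   : 1 PPP KKK + ciphertext          (7 digits)
"""
from dataclasses import dataclass
from typing import Optional, Tuple

V13_MIN, V13_MAX = 1001000, 1999999   # permissible DPG 1.3 header range (from the page)
MAX_VERSION = 999                     # max protection policy / key versions (from the page)


@dataclass(frozen=True)
class V13Header:
    policy_version: int   # the PPP digits
    key_version: int      # the KKK digits


def build_v13_header(policy_version: int, key_version: int) -> str:
    """Build the 7-digit DPG 1.3 internal header: decision digit 1, then PPP, then KKK."""
    if not 1 <= policy_version <= MAX_VERSION:
        raise ValueError("protection policy version must be 1..999")
    if not 0 <= key_version <= MAX_VERSION:
        raise ValueError("key version must be 0..999")
    return f"1{policy_version:03d}{key_version:03d}"


def parse_v13(payload: str) -> Tuple[V13Header, str]:
    """Split a DPG 1.3 payload into (header, ciphertext), rejecting out-of-range headers."""
    header, ciphertext = payload[:7], payload[7:]
    if len(header) != 7 or not header.isdigit():
        raise ValueError("DPG 1.3 header must be 7 decimal digits")
    value = int(header)
    if not V13_MIN <= value <= V13_MAX:
        raise ValueError(f"header {header} outside permissible range {V13_MIN}-{V13_MAX}")
    return V13Header(int(header[1:4]), int(header[4:7])), ciphertext


def parse_v12(payload: str, versioned_key: bool) -> Tuple[str, Optional[str], str]:
    """Split a DPG 1.2 payload into (policy field, key field or None, ciphertext).

    The caller must know whether the key is versioned: the 1.2 layout carries no
    marker that distinguishes the 6-digit and 12-digit cases, unlike the fixed
    leading decision digit of DPG 1.3.
    """
    width = 12 if versioned_key else 6
    header, ciphertext = payload[:width], payload[width:]
    if len(header) != width or not header.isdigit():
        raise ValueError(f"DPG 1.2 header must be {width} decimal digits")
    key_field = header[6:12] if versioned_key else None
    return header[:6], key_field, ciphertext


def advance_header(header: str, policy_updated: bool, key_updated: bool) -> str:
    """Move a DPG 1.3 header to its next state as in the use cases above:
    a policy update increments PPP, a key update increments KKK."""
    info, _ = parse_v13(header)
    policy = info.policy_version + (1 if policy_updated else 0)
    key = info.key_version + (1 if key_updated else 0)
    return build_v13_header(policy, key)


if __name__ == "__main__":
    initial = build_v13_header(1, 0)                       # 1001000 when the policy is created
    print(initial)
    print(advance_header(initial, policy_updated=True, key_updated=False))   # 1002000
    print(advance_header(initial, policy_updated=True, key_updated=True))    # 1002001
    print(parse_v13("1002001CONSTRUCTED_CT"))
    print(parse_v12("200010100010CONSTRUCTED_CT", versioned_key=True))
```

The range check in parse_v13 is the useful defensive step: because the permissible range starts at 1001000, any payload whose first digit is not 1 or whose policy digits are 000 is rejected before the ciphertext is handed on.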
Caution
Keys with the latest versions are fetched from the CipherTrust Manager after the Symmetric_Key_Cache_Expiry interval has passed. Retrieval of the latest key versions is independent of the heartbeat interval.
Key permissions
Starting DPG 1.3, the key used in the protection policy must be added to the Application Data Protection Clients Group with Read, Encrypt, Decrypt, and Export permissions.
Support for REST Interface
Unlike DPG 1.2, DPG 1.3 uses the REST interface to fetch keys from the CipherTrust Manager.