Managing Protection Policy
Protection policy defines a set of rules that govern the cryptographic operations. The protection policy includes entities such as algorithm, key, and character set.
Protection policy specifications
Supported key types
- For the AES algorithm, both versioned and non-versioned symmetric keys are supported.
- For FPE algorithms, both versioned and non-versioned symmetric keys are supported.
The key must be marked exportable on the CipherTrust Manager.
Supported algorithms
FPE/AES
- FPE/AES/CARD10
- FPE/AES/CARD26
- FPE/AES/CARD62
- FPE/AES/UNICODE
FPE/FF1
- FPE/FF1v2/CARD10
- FPE/FF1v2/CARD26
- FPE/FF1v2/CARD62
- FPE/FF1v2/ASCII
- FPE/FF1v2/UNICODE
FPE/FF3
- FPE/FF3/CARD10
- FPE/FF3/CARD26
- FPE/FF3/CARD62
- FPE/FF3/ASCII
- FPE/FF3/UNICODE
AES
- AES/CBC/NoPadding
- AES/CBC/PKCS5Padding
- AES/ECB/NoPadding
- AES/ECB/PKCS5Padding
FPE requires a minimum of two characters from the character set to perform crypto operations.
Supported character set
For FPE, the Application Data Protection supports configurable character sets.
Protection Policy versioning
When the Application Data Protection Admin modifies an existing protection policy, a new protection policy with the same name is created. This new protection policy contains the updated fields and an incremented version number. The active flag of the previous versions is set to false. The following fields can be modified:
- Algorithm
- Key
- Character set
- Tweak data
- Initialization vector
If a set of data is already encrypted with a protection policy, make sure you decrypt that data with the same protection policy.
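The following example, written for this page and not part of the CipherTrust Manager product or its SDK, models the two rules above in code: the FPE precondition that an input must contain at least two characters from the policy's character set, and policy versioning, where modifying a policy creates a new version under the same name, deactivates the older versions, and a protected record must be revealed with the exact version it was protected with. The character-set names CARD10/CARD26/CARD62 follow the algorithm suffixes on the page, but their contents, the key identifiers, the key bytes and the per-position keyed shift used as a stand-in for the product's FF1/FF3 implementation are all assumptions made for this example.

```python
"""Added example (not Thales/CipherTrust code): a protection-policy registry
with versioning, character sets and the FPE minimum-length precondition."""
from dataclasses import dataclass
import hashlib
import hmac
import string

# Character sets named after the algorithm suffixes on the page; the exact
# contents are an assumption for this example.
CHARSETS = {
    "CARD10": string.digits,
    "CARD26": string.ascii_lowercase,
    "CARD62": string.digits + string.ascii_uppercase + string.ascii_lowercase,
}

# Constructed key material standing in for exportable symmetric keys held by the
# key manager; real keys never live in application code like this.
DEMO_KEYS = {
    "key-2023": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "key-2024": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}


@dataclass
class ProtectionPolicy:
    name: str
    version: int
    algorithm: str   # e.g. "FPE/FF1v2/CARD10"
    key_id: str
    charset: str
    tweak: bytes = b""
    active: bool = True


class PolicyRegistry:
    """Keeps every version of every policy; only the newest version is active."""

    MODIFIABLE = {"algorithm", "key_id", "charset", "tweak"}

    def __init__(self):
        self._versions = {}  # name -> [ProtectionPolicy, ...] in version order

    def create(self, name, algorithm, key_id, charset, tweak=b""):
        if name in self._versions:
            raise ValueError(f"policy {name!r} exists; use modify()")
        policy = ProtectionPolicy(name, 1, algorithm, key_id, charset, tweak)
        self._versions[name] = [policy]
        return policy

    def modify(self, name, **changes):
        """New version with the same name and the changed fields; old versions
        are flagged inactive but kept so existing ciphertext stays decryptable."""
        bad = set(changes) - self.MODIFIABLE
        if bad:
            raise ValueError(f"fields not modifiable: {sorted(bad)}")
        history = self._versions[name]
        current = history[-1]
        for old in history:
            old.active = False
        new = ProtectionPolicy(
            name, current.version + 1,
            changes.get("algorithm", current.algorithm),
            changes.get("key_id", current.key_id),
            changes.get("charset", current.charset),
            changes.get("tweak", current.tweak),
        )
        history.append(new)
        return new

    def active(self, name):
        return self._versions[name][-1]

    def get(self, name, version):
        return self._versions[name][version - 1]


def fpe_positions(data, charset_name):
    """Indices of characters in the policy's character set; FPE needs >= 2."""
    alphabet = CHARSETS[charset_name]
    positions = [i for i, ch in enumerate(data) if ch in alphabet]
    if len(positions) < 2:
        raise ValueError("FPE needs at least two characters from the character set")
    return positions


def _keyed_shift(key, tweak, n, radix):
    # Per-position HMAC-SHA256 shift: a stand-in for FF1/FF3, NOT a secure FPE.
    mac = hmac.new(key, tweak + n.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % radix


def _transform(policy, data, decrypt):
    """Format-preserving stand-in: only in-set characters change; characters
    outside the set pass through unchanged (an assumption for this example)."""
    alphabet = CHARSETS[policy.charset]
    key = DEMO_KEYS[policy.key_id]
    out = list(data)
    for n, i in enumerate(fpe_positions(data, policy.charset)):
        shift = _keyed_shift(key, policy.tweak, n, len(alphabet))
        idx = alphabet.index(data[i]) + (-shift if decrypt else shift)
        out[i] = alphabet[idx % len(alphabet)]
    return "".join(out)


def protect(registry, name, plaintext):
    """Encrypt with the active version and record which version was used."""
    policy = registry.active(name)
    return {"policy": name, "version": policy.version,
            "ciphertext": _transform(policy, plaintext, decrypt=False)}


def reveal(registry, record):
    """Decrypt with the exact policy version recorded at protect() time."""
    policy = registry.get(record["policy"], record["version"])
    return _transform(policy, record["ciphertext"], decrypt=True)
```

The design point is in `protect` and `reveal`: the protected record carries the policy name and version, so a later `modify` (which creates version 2 and deactivates version 1) does not break decryption of data protected under version 1. Revealing that data through the newly active version instead would use the new key and produce garbage, which is the failure the page's last sentence warns about.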
In this article you will learn how to: