Managing Protection Policy
A protection policy defines a set of rules that govern cryptographic operations. A protection policy includes entities such as the algorithm, key, and character set.
Protection policy specifications
Supported key types
For AES algorithm, both versioned and non-versioned symmetric keys are supported.
For FPE algorithms, both versioned and non-versioned symmetric keys are supported.
The key must be marked exportable on the CipherTrust Manager.
Supported algorithms
FPE/AES
FPE/AES/CARD10
FPE/AES/CARD26
FPE/AES/CARD62
FPE/AES/UNICODE
FPE/FF1
FPE/FF1v2/CARD10
FPE/FF1v2/CARD26
FPE/FF1v2/CARD62
FPE/FF1v2/ASCII
FPE/FF1v2/UNICODE
FPE/FF3
FPE/FF3/CARD10
FPE/FF3/CARD26
FPE/FF3/CARD62
FPE/FF3/ASCII
FPE/FF3/UNICODE
AES
AES/CBC/NoPadding
AES/CBC/PKCS5Padding
AES/ECB/NoPadding
AES/ECB/PKCS5Padding
FPE requires a minimum of two characters in the character set to perform crypto operations.
Supported character set
For FPE, Application Data Protection supports configurable character sets.
Protection Policy versioning
When the Application Data Protection Admin modifies an existing protection policy, a new protection policy with the same name is created. This new policy contains the updated fields and an incremented version number. The active flag of the previous versions is set to false. The following fields can be modified:
Algorithm
Key
Character set
Tweak data
Initialization vector
If a set of data is already encrypted with a protection policy, make sure you decrypt that data with the same protection policy version that encrypted it.
In this article you will learn how to: