Configure encryption properties on column
Select a table and configure each column that you want to encrypt. Every column is configured separately, with its own encryption parameters. The pdbctl utility supports standard encryption and format preserving encryption (FPE); both are described below.
Note
To modify the parameters of an already configured column, run the encryption configuration command for that column again. The new parameters override the previously configured ones, but only if the column has not been migrated since the earlier configuration. You can also remove the configuration of a column with the unsetencinfo command.
Configure encryption properties for standard encryption
To configure a column for standard encryption, run the following command:
./pdbctl setencinfo -a <algorithm> -c <column_name> -d <database_alias> -k <key_name> -m <mode> -t <table_name> [-i <iv>]
Flags description
The following table describes the flags and parameters associated with this command:
Flag | Data Type | Parameter | Description |
---|---|---|---|
-i | string | IV value | Initialization vector for the column, given as a hex string of exactly one cipher block (see the examples below). Optional; if omitted, an IV is generated, as the CUSTOMER_ID entry in the sample output below shows. Because the IV is fixed per column, CBC encryption of that column is deterministic: equal plaintext values produce equal ciphertext values. |
-a | string | Algorithm | Encryption algorithm. Possible values are: AES, SEED, ARIA, and DESede (TDES). |
-c | string | Column name | Column name to be encrypted. |
-d | string | Database alias | Database alias associated with the database user. |
-h | | | Flag to view help for setencinfo. |
-k | string | Key | Key generated on Key Manager to encrypt the column. Note: The Key Manager user associated with the database alias must have encryption permission on the key. |
-m | string | Encryption mode | Encryption mode. Possible values are: ECB and CBC. Thales recommends CBC: ECB encrypts each block independently, so identical plaintext blocks produce identical ciphertext blocks and patterns in the data leak. |
-t | string | Table name | Table name that contains the column to encrypt. |
--verbose | | | Print verbose logs. |
Example
The following sample commands set the encryption parameters for columns in the table CUSTOMERS associated with the alias demo:
Note
For ARIA, SEED, and TDES (DESede), column encryption properties can only be set through the pdbctl command line utility; they cannot be set through the CipherTrust Manager UI.
For AES
./pdbctl setencinfo -a AES -c CUSTOMER_ID -m CBC -d demo -k aes256 -t CUSTOMERS
For SEED
./pdbctl setencinfo -a SEED -c AGE -m CBC -d demo -k seed128 -t CUSTOMERS -i F1528F158680CB600F2DB8736F6C5FCD
Note
Ensure that the pdbctl classes folder contains the bcprov-jdk18on-1.78.jar file (the Bouncy Castle provider) to avoid errors while configuring columns for encryption.
For ARIA
./pdbctl setencinfo -a ARIA -c NAME -m CBC -d demo -k aria256 -t CUSTOMERS -i F1528F158680CB600F2DB8736F6C5FCD
For TDES
./pdbctl setencinfo -a DESede -c DOB -m CBC -d demo -k tdes192 -t CUSTOMERS -i F1528F158680CB60
To check the encryption parameters set for the columns in the table CUSTOMERS, use the listcolumns command.
./pdbctl listcolumns -a demo -t CUSTOMERS
Sample Output
---------------------------------------------------------------
Column name: CUSTOMER_ID
Column type: NUMBER
Column width: 10
Column key: aes256
Column Algorithm: AES
Column Migrated: false
Column IV: 8D74E7CC0E659F2D8A8BC417750856FE
---------------------------------------------------------------
---------------------------------------------------------------
Column name: NAME
Column type: CHAR
Column width: 20
Column key: aria256
Column Algorithm: ARIA
Column Migrated: false
Column IV: F1528F158680CB600F2DB8736F6C5FCD
---------------------------------------------------------------
---------------------------------------------------------------
Column name: DOB
Column type: DATE
Column width: 10
Column key: tdes192
Column Algorithm: DESede
Column Migrated: false
Column IV: F1528F158680CB60
---------------------------------------------------------------
---------------------------------------------------------------
Column name: AGE
Column type: INTEGER
Column width: 10
Column key: seed128
Column Algorithm: SEED
Column Migrated: false
Column IV: F1528F158680CB600F2DB8736F6C5FCD
---------------------------------------------------------------
Configure encryption properties for FPE
To configure a column for FPE, run the following command:
./pdbctl setencinfofpe -a <algorithm> -c <column_name> -d <database_alias> -k <key_name> -m <cardinality> -f <fpe_format> -t <table_name> [-i <iv>] [-w <tweak_algorithm>]
Flags description
The following table describes the flags and parameters associated with this command:
Flag | Data Type | Parameter | Description |
---|---|---|---|
-i | string | IV value | IV value for the column to be encrypted. This is an optional parameter. |
-a | string | Algorithm | Encryption algorithm. Possible value: AES. |
-c | string | Column name | Column name to be encrypted. |
-d | string | Database alias | Database alias associated with the database user. |
-h | | | Flag to view help for setencinfofpe. |
-k | string | Key | Key generated on Key Manager to encrypt the column. Note: The Key Manager user associated with the database alias must have encryption permission on the key. |
-m | string | Cardinality | Cardinality of the data to be migrated: CARD10 or CARD62. For CARD10, the numeric part of the input data must be longer than one digit. CARD62 is supported in local mode. |
-f | string | FPE format | FPE format applied to the input plaintext during migration. The same format must be used when decrypting the ciphertext. Possible values are: FIRST_SIX, FIRST_SIX_LAST_FOUR, FIRST_TWO_LAST_FOUR, LAST_FOUR, and None. |
-t | string | Table name | Table name that contains the column to encrypt. |
-w | string | Tweak algorithm | Tweak algorithm. Possible values are: NONE (default), SHA1, and SHA256. Note: This flag applies only when None is entered for the FPE format flag -f. |
--verbose | | | Print verbose logs. |
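The following script is an added example and is not part of the pdbctl documentation or the product. It wraps the two configuration commands described above (setencinfo and setencinfofpe) with the checks a practitioner would want before running them, and audits listcolumns output after the fact: an IV must be one cipher block of hex (128 bits for AES, SEED and ARIA, 64 bits for DESede, which is why the IV lengths in the sample commands differ), the FPE cardinality and format must be among the values the page lists, and a tweak algorithm (-w) is only meaningful with -f None. pdbctl itself is never invoked; the command lines are only built and echoed. The listcolumns text at the bottom is constructed from the page's sample output with one entry deliberately broken, and the column SSN and the reuse of the key aes256 for FPE are hypothetical.

```shell
#!/bin/sh
# Added example, not pdbctl's own code: argument pre-flight checks for
# `pdbctl setencinfo` / `pdbctl setencinfofpe` and an audit of listcolumns output.

# Block size of each algorithm in hex digits: AES/SEED/ARIA use 128-bit blocks,
# DESede (TDES) uses 64-bit blocks, so a CBC IV must be exactly that long.
iv_hex_len() {
  case "$1" in
    AES|SEED|ARIA) echo 32 ;;
    DESede)        echo 16 ;;
    *)             echo 0 ;;
  esac
}

# check_iv ALGO IV: succeeds only if IV is hex of exactly one block for ALGO.
check_iv() {
  want=$(iv_hex_len "$1")
  [ "$want" -gt 0 ] || return 1
  case "$2" in ""|*[!0-9A-Fa-f]*) return 1 ;; esac
  [ "${#2}" -eq "$want" ]
}

# build_setencinfo ALGO COLUMN ALIAS KEY TABLE [IV]: echoes the standard
# encryption command (CBC, as the page recommends) or fails without output
# when the IV does not fit the algorithm's block size.
build_setencinfo() {
  if [ -n "${6:-}" ]; then check_iv "$1" "$6" || return 1; fi
  cmd="./pdbctl setencinfo -a $1 -c $2 -m CBC -d $3 -k $4 -t $5"
  [ -n "${6:-}" ] && cmd="$cmd -i $6"
  echo "$cmd"
}

# build_setencinfofpe COLUMN ALIAS KEY TABLE CARDINALITY FORMAT [TWEAK]: echoes
# the FPE command. Rejects cardinalities, formats and tweak algorithms the page
# does not list, and a tweak combined with a format other than None.
build_setencinfofpe() {
  case "$5" in CARD10|CARD62) ;; *) return 1 ;; esac
  case "$6" in FIRST_SIX|FIRST_SIX_LAST_FOUR|FIRST_TWO_LAST_FOUR|LAST_FOUR|None) ;; *) return 1 ;; esac
  tweak=${7:-NONE}
  case "$tweak" in NONE|SHA1|SHA256) ;; *) return 1 ;; esac
  if [ "$tweak" != NONE ] && [ "$6" != None ]; then return 1; fi
  cmd="./pdbctl setencinfofpe -a AES -c $1 -d $2 -k $3 -m $5 -f $6 -t $4"
  [ "$tweak" != NONE ] && cmd="$cmd -w $tweak"
  echo "$cmd"
}

# audit_listcolumns (listcolumns output on stdin): prints one line per column as
# "<name> <algorithm> <iv> OK|BAD" and fails if any IV does not match its
# algorithm's block size. Run it after setencinfo and before migration.
audit_listcolumns() {
  rc=0; name=""; algo=""
  while IFS= read -r line; do
    case "$line" in
      "Column name: "*)      name=${line#Column name: } ;;
      "Column Algorithm: "*) algo=${line#Column Algorithm: } ;;
      "Column IV: "*)
        iv=${line#Column IV: }
        if check_iv "$algo" "$iv"; then st=OK; else st=BAD; rc=1; fi
        echo "$name $algo $iv $st" ;;
    esac
  done
  return $rc
}

# Constructed listcolumns output: the first two entries copy the page's sample;
# the third carries an AES-sized IV on a DESede column and must be flagged.
SAMPLE_LISTCOLUMNS='Column name: CUSTOMER_ID
Column key: aes256
Column Algorithm: AES
Column Migrated: false
Column IV: 8D74E7CC0E659F2D8A8BC417750856FE
Column name: NAME
Column key: aria256
Column Algorithm: ARIA
Column Migrated: false
Column IV: F1528F158680CB600F2DB8736F6C5FCD
Column name: DOB
Column key: tdes192
Column Algorithm: DESede
Column Migrated: false
Column IV: F1528F158680CB600F2DB8736F6C5FCD'

# Demo: rebuild the page's commands, a hypothetical FPE one, then run the audit.
build_setencinfo AES CUSTOMER_ID demo aes256 CUSTOMERS
build_setencinfo DESede DOB demo tdes192 CUSTOMERS F1528F158680CB60
build_setencinfofpe SSN demo aes256 CUSTOMERS CARD10 LAST_FOUR
if ! printf '%s\n' "$SAMPLE_LISTCOLUMNS" | audit_listcolumns; then
  echo "at least one column has an IV that does not match its algorithm"
fi
```

In practice, pipe the real output of `./pdbctl listcolumns -a demo -t CUSTOMERS` into audit_listcolumns; a BAD line means the column should be reconfigured with setencinfo (or cleared with unsetencinfo) before migration, while the configuration can still be overridden.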