Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Advanced Topics

Concepts

search

Please Note:

Concepts

Application

An application, configured on the CipherTrust Manager, contains the necessary settings that are required to protect/reveal data. Refer to Managing Application for details.

DPG policy

DPG policy is a set of rules that determines when and how to protect/reveal sensitive data moving through DPG. DPG can protect/reveal any data that is transferred through a REST API call in JSON format. The sensitive data is specified by its location in JSON or in URL parameters. DPG allows you to configure on which data the cryptographic operations are to be performed in each REST method (POST, GET, PUT, PATCH, DELETE). Protection of the sensitive data is governed by the Protection Policy associated with the DPG policy. DPG policy is created at the time of configuring an Applications.

Protection policy

Protection policy defines a set of rules that govern the cryptographic operation. The protection policy includes entities such as algorithm, key, IV, access policy name, and character set. Refer to Protection Policy Functionalities for details.

Access policy

Access policies contain set of rules that govern how the decrypted data will be revealed based on the user. Each access policy has a default reveal format for any " user" that is not part of any user set. Access policy can act differently for different users sets. Refer to Managing Access Policy for details.

User set

A user set is a collection of users that you want to grant or deny access to reveal data. User sets are configured in access policies. Policies can be applied to user sets, not to individual users. Refer to Managing User Set for details.

Dynamic Masking

Creates masking format for the reveal operation. Dynamic masking format determines how the output of the reveal operation is displayed to the application users. Refer to Masking Format for details.

Heartbeat

Heartbeat is a lightweight mechanism that allows DPG to poll the CipherTrust Manager for any change in policies and/or configurations. Refer to Heartbeat Configuration for details.

Note

The time on both the client and server machines must be synchronized. To achieve this, NTP (Network Time Protocol) should be configured. Follow instructions to set up NTP

Behavior of DPG when heartbeat timeout count is reached

If the count of the continuous skipped heartbeat becomes equivalent to the value of Heartbeat Timeout Count parameter, the DPG client enters a revoked state after a maximum of 5 minutes. At this point, its liveness and health probes become false. In this scenario, DPG does not transform data. This safeguard ensures the crypto operations are not performed when the container’s state is unhealthy and unrecoverable.

Behavior of DPG when client gets deleted, revoked, or expired

If a client gets deleted, revoked or expired on Key Manager, the liveness and health probes become false. In this scenario, DPG does not transform data. This safeguard ensures the crypto operations are not performed when the container’s state is unhealthy and unrecoverable.

Key caching

The key caching feature allows DPG to securely cache a copy of the in-use key that it received from the CipherTrust Manager and store it for a limited time to perform cryptographic operations locally. Keys cached on DPG are stored in secured process memory only; they are not stored on disk. Only keys that are marked exportable can be cached.

See the Key Cache Expiry parameter configured while defining the DPG application.

On this page