
AES Encryption

The AES (Advanced Encryption Standard) Encryption option protects confidential information. It uses a symmetric block cipher to encrypt the sensitive data. To encrypt the data, specify the key in the domain definition; using this key, the data is encrypted in the target database.

Features of AES Encryption:

  1. This protection option is supported by both the Char and Varchar datatypes.

  2. The length of the column must be greater than or equal to the length of the encrypted string.

The length of the AES encrypted string is calculated from the plain text length with the following formula (all divisions are integer divisions):

Enc_text_length = ((4*((length(plain_text)/16+1)*16)/3)+3) & ~3

Plain text Min Length    Plain text Max Length    Encrypted String Length
1                        15                       24
16                       31                       44
32                       47                       64
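The following is an added example, not part of the PK Protect documentation: it reproduces the length formula above, rebuilds the table from it, and turns the second feature (column length versus encrypted length) into a column-sizing check. It assumes, which the page does not state, that the 16 is the AES block size with padding that always adds one block and that the 4/3 factor comes from Base64 encoding of the ciphertext.

```python
# Added example (not part of the PK Protect documentation): reproduce the
# documented AES Encryption length formula and use it to size target columns.
# Assumptions, not stated on the page: the 16 is the AES block size with
# padding that always adds one block, and the 4/3 factor comes from Base64
# encoding of the ciphertext.
import math

BLOCK = 16  # AES block size in bytes


def enc_text_length(plain_len: int) -> int:
    """Documented formula with integer division, as the table implies:
    Enc_text_length = ((4*((length/16+1)*16)/3)+3) & ~3."""
    padded = (plain_len // BLOCK + 1) * BLOCK  # always at least one extra block
    return ((4 * padded // 3) + 3) & ~3        # round 4n/3 up to a multiple of 4


def base64_length(padded_len: int) -> int:
    """Independent check: Base64 emits 4 characters per 3 input bytes, rounded up."""
    return 4 * math.ceil(padded_len / 3)


def length_table(blocks: int = 3) -> list:
    """Rebuild the documented rows: (min plain length, max plain length, encrypted length)."""
    rows = []
    for k in range(blocks):
        lo, hi = max(1, k * BLOCK), (k + 1) * BLOCK - 1  # 1-15, 16-31, 32-47
        rows.append((lo, hi, enc_text_length(lo)))
    return rows


def max_plaintext_for_column(column_len: int) -> int:
    """Largest plain-text length whose encrypted form fits a column of
    column_len characters; -1 if nothing fits (the second feature above)."""
    best = -1
    for n in range(1, column_len + 1):  # the encrypted length always exceeds n
        if enc_text_length(n) <= column_len:
            best = n
    return best


if __name__ == "__main__":
    for lo, hi, enc in length_table():
        assert enc == base64_length((lo // BLOCK + 1) * BLOCK)
        print(f"plain {lo:>2}-{hi:<2} chars -> encrypted {enc} chars")
    # A VARCHAR(44) holds plain text up to 31 characters; a VARCHAR(20) holds none.
    print(max_plaintext_for_column(44), max_plaintext_for_column(20))
```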


The drawback of AES Encryption is that it replaces each value with a string of 30 to 40 characters, because of which it cannot be implemented in the databases or files.

*Note: To implement AES Encryption for Files, HDFS, Azure, and AWS, a policy must be created in the Policy screen. For RDBMS, no policy creation is required.

For example, with reference to the image below, follow these steps to encrypt the Telephone column using the AES Encryption option.

  1. Create a policy by selecting the AES Encryption protection option next to the sensitive type that you wish to encrypt.

  2. Define a domain before encrypting the file. In the Domain screen, specify the source and destination directories for files that are marked as sensitive for Masking or Encryption. Domains are created with the default Java KeyStore that is included with PK Protect.

    Specify the Domain Name, Description, FP Encryption Key Password, IDP, FP Encryption Salt, and FPM/SL Passphrase.

    1. In case of Files, AWS, Azure, and HDFS, assign the policy to the created/selected domain by selecting that policy and clicking the Save Policies to Domain button on the Domain screen.

      Now, select the directory from the Selected:<database_directory> drop-down in the bottom panel. Click the Add Directory button to add the directory where the source file is kept.

      Click the Browse button to search for the source directory. The browser panel appears. Navigate to the directory where the file to be encrypted is kept. Click Select to select the directory path navigated to on this screen, or click Cancel.

    2. If the domain is being defined for a DBMS, no policy is required. Select DBMS DBs/Tables from the Selected:<database_directory> drop-down in the bottom panel.

      Click the Add DB/Table button. This opens a slider window that allows you to select the schema and tables where masking needs to be performed.

      Select a connection from the Select Connection drop-down and a domain from the Domains drop-down. This populates the Select Schema/DB panel with all the schemas or databases. Selecting a database/schema in turn populates the table panel, displaying all the tables associated with it.

      Select the table by checking the checkbox next to the table name where masking needs to be applied. Click the Add button to add the selected schema and table details to the bottom panel. Click the Save button to save the details.


  3. The next step is to define the structure of the data in the Structure screen. Structures are used to specify the columns that should be masked/encrypted in the files/tables. To know more, refer to Structure Management in the User Guide.

    *Note: Unstructured masking is applicable only to CSV and Text file types. For other file types, such as ORC, RC, AVRO, Parquet, and Sequence, it is mandatory to define the structure.

    1. In case of Files, AWS, Azure, and HDFS, define the structure in the Add New Structure tab by selecting the structure in the Structure Type drop-down after giving an appropriate name and description to the structure. Structures are created to recognize the column delimiter, the file pattern, and the number of header rows to ignore when the encryption process is triggered.

      Structures can be added manually or imported. Click the Browse File button to locate the file that needs to be masked. The panel below appears. Select a file, add the details for Header Rows, and update the Rows To Sample field and the Show Sample Rows drop-down. Click Import Columns to import the column structure.

      Once the structure details are saved, map the structure to the source directory where the file is kept. To do so, click the + Browse Source Directory button and search for the location of the source directory. Select the directory by clicking it and then click the Select button. This adds the selected directory to the left panel of the Map Structure screen. Click the Save button to map the selected directory with the structure.

      Now, push the structure details to the IDP by clicking the Push To IDP button in the Actions column of the Structure List screen.

      This opens a slider window where you specify the module and the cluster to which the structure details are to be pushed. Select the module from the Select Module drop-down and the cluster from the Select Cluster drop-down. Click Save to execute the operation, or click Cancel.

    2. In case of RDBMS, define the structure in the Add New Structure tab by selecting RDBMS in the Structure Type drop-down after giving an appropriate name and description to the structure. Structures can be added manually, by browsing columns, or by importing.

      Click the Browse Columns button to open a slider window. Select the connection where the database is present. This populates the Select Schema/DB panel, where you select the schema/database containing the table to be masked. This in turn populates the Select Table panel, where you select the table.

      The column names of that table now appear in the Assign Sensitive Data Type panel. Assign the sensitive data type to the columns that need to be masked from the Select Sensitive Data Type drop-down and then click Save. To know more, refer to Structure Management in RDBMS.

      Once the structure details are saved, the next step is to map the structure. Select RDBMS from the Select Type drop-down. Now, select the structure and the connection configured for masking. This displays the list of databases. Select the database where the table to be masked is kept and click Save. To know more, refer to Map Structure.

  4. Once the structure details are pushed to the IDP, create a task in the Add New Task Definition screen.

    1. In case of Files, HDFS, AWS, and Azure, click the Add New Task Definition tab and enter the details such as Task Name and Task Description. Select Masking/Field Encryption in the Task Type drop-down.

      Select the file or object to include for encryption in the Manage Scan Locations panel by clicking the Select Directories button. On selection, it displays the structure and the domain with which the selected file or object is associated.

      The compliance policy is automatically selected in the Select Policy panel when a file is selected in Manage Scan Locations for encryption. The sensitive types associated with the policy are displayed in the Sensitive Data Types panel. Click Save and Execute to save and execute the task.

    2. In case of RDBMS, click the Add New Task/Template Definition tab and enter the details such as Task Name and Task Description. Select the connection in the Select Connection panel by checking the checkbox next to the connection name.

      Select either Policy-based Masking (Recommended) or Column-based Masking (Advanced). To know more, refer to the Static Masking User Guide.

      On selecting Column-based Masking (Advanced), select the required schema and table from the Select Schema/DB and Select Table panels, respectively. This displays the list of columns for the selected table. Now, specify AES Encryption against the column that needs to be masked from the drop-down in the Select Masking column.

      The selected column details are shown in the Select Column For Masking panel. Click Save and Execute to save and execute the task.


Once the task has been executed successfully, you can view the encrypted file in the destination location specified in the domain. For the above example, the destination location of the encrypted file is ‘/home/dataguise/Desktop/files/maskOut’.

In the image below, the Telephone column has been encrypted with AES Encryption. The remaining columns, Emp_fname, Emp_lname, etc., have not been encrypted, because AES Encryption was not applied next to those sensitive types when the policy was created.
