The FP (Format Preserving) Encryption encodes the original value in the target file with system generated value. This option preserves the format of the data when encryption is done. The data is encrypted in such a way that output is in the same format as the input.
*Note: A policy must be defined when performing encryption or decryption for Files, AWS, Azure, and HDFS. In case of RDBMS, no policy creation is required.
E.g., in the below image, the ‘Andre Hayes’ has been encrypted in the same format that of original one. Similarly, the address and the other detail of an employee is encrypted in such a way that the numeric values are encrypted using numeric data and alpha-characters are encrypted using alpha-characters only. Also, the uppercase letters encrypted with uppercase and lowercase with lowercase one.
Features of FPE Encryption:
This protection option is supported by Char, Varchar and Numeric datatypes.
This encryption can be executed on structured files.
When encrypting the data in a file using FP Encryption, it is necessary to define the domain definition in Domain screen. The key specified in the domain is used for encrypting the data.
Once the domain is defined, the next step is to define the structure of the data in the Structure Management screen. Based on the format of the file, select any of the given option in Structure Management screen. To know more, refer Structure Management in User Guide.
E.g., with the reference to below screenshot, to encrypt the FULL_NAME, CONTACTNUMBER, EMAIL_ADDRESS, ADDR_LINE1 and ADDR_LINE2 using FP Encryption option, follow the below steps for implementing the same.
Create a policy by selecting the FP Encryption protection option next to the sensitive type which you wish to encrypt.
Define a domain before encrypting the data. In this screen, source and destination directories are specified for files that are marked sensitive for Masking or Encryption. Domains are created with the default Java KeyStore that is included with the PK Protect product. To know more, refer Manage Keystore in PK Protect Installation Guide Linux and Manage Keystore in PK Protect Installation Guide Windows.
Mention Domain Name, Description, IDP, FP Encryption Key Password, FP Encryption Salt, and FPM/SL Passphrase.
In case of Files, AWS, Azure, and HDFS, assign the policy to the created/selected domain by selecting that policy and clicking Save Policies to Domain button on the Domain screen.
Now, select the directory from the Selected:<database_directory> drop-down in the bottom panel. Click the Add Directory button to add the directory where the source file is kept. The New Directory panel pops up.
Click Browse button to search for the source directory. The browser panel appears. Navigate to the directory where the file is kept for the encryption. Click Select to select the directory path navigated on this screen, else click Cancel.
On selecting a source directory, the information in the Branch Point and Destination Directory is filled automatically. Select required Domains in the domains drop-down.
If domain is being defined for DBMS, policy is not required. Select DBMS DBs/Tables from the Selected:<database_directory> drop-down in the bottom panel.
Click Add DB/Table button. This will open a slider window which allows you to select the schema and tables where masking needs to be performed.
Select a connection from Select Connection drop-down and domain from the Domains drop-down. This populates the Select Schema/DB panel with all the schemas or databases. selecting the database/schema in turns populate the table panel displaying all the tables which are associated with it.
Select the table by checking the checkbox with table name where masking needs to be applied. Click Add button to add the selected schema and table details in the bottom panel. Click Save button to save the details.
The next step is to define the structure of the data in the Structure Management screen. Structures are used to specify columns that should be masked/encrypted in the tables or objects.
In case of Files, AWS, Azure, and HDFS, define the structure in Add New Structure tab by selecting the structure in Structure Type drop-down after giving appropriate name and description to the structure. Structures are created to recognize a column delimiter, file pattern, and the number of header rows to ignore when encryption process is triggered.
Structures can be added manually or can be imported. Click Browse File button to locate the file that need to be masked. The below panel appears. Select a file and add the details for the Header Rows, update the details of Rows To Sample field and Show Sample Rows drop-down. click Import Columns to import the column structures.
Once the structure details are saved, map the structure to the source directory where it is kept. To map a structure to the source directory, click the + Browse Source Directory button and search for the location of source directory where the file is kept. Select the directory by clicking and click Select button. This will add the selected directory in the left panel of the Map Structure screen. Click Save button and this will map the selected directory with the structure.
Now, push the structure details to the IDP by clicking Push To IDP button in the Actions column under Structure List screen.
This opens a slider window where you need to specify the module and the cluster information where the structure details need to be pushed. Select the module from Select Module drop-down and the cluster, where structure details are being pushed to, from Select Cluster drop-down. Now, click Save to execute the operation else, click Cancel.
In case of RDBMS, define the structure in Add New Structure tab by selecting RDBMS in Structure Type drop-down after giving appropriate name and description to the structure. Structures can be added manually, by browsing columns, or by importing.
Click Browse Columns button to open a slider window. Select the connection where the database is present. This populates the Select Schema/DB panel where we select the schema/database containing the table to be masked. It now populates the Select Table panel where we select the table.
The column names of that table now appear in the Assign Sensitive Data Type panel. Now, assign the sensitive data type to the columns that need to be masked from Select Sensitive Data Type drop-down and then click Save. To know more, refer RDBMS Structure Management in PK Protect User Guide.
Once the structure details are saved, next step is to map the structure. Select RDBMS from the Select Type drop-down. Now, select the structure and connection configured for masking. This displays the list of databases. Select the database where the table to be masked is kept and click Save. To know more, refer Map Structure in PK Protect User Guide.
Once the structure details are pushed to IDP, create a task in the Add New Task Definition screen.
In case of Files, Hadoop, AWS, and Azure, click Add New Task Definition tab and enter the details such as Task Name, Task Description. Select the FP Encryption in the Task Type drop-down.
Select the file or object to include for encryption in the Manage Scan Locations panel by clicking on Select Directories button. On selecting, it displays the structure and the domain to which the selected file or object is associated.
The compliance policy automatically gets selected in the Select Policy panel when a file is selected in the Manage Scan Locations for encryption. The sensitive types associated with the policy are displayed in the Sensitive Data Types panel. Click Save and Execute to save and execute the task.
In case of RDBMS, click Add New Task/Template Definition tab and enter the details such as Task Name, Task Description. Select the connection in the Select Connection panel by checking the checkbox available with the connection name.
Select either Policy-based Masking (Recommended) or Column-based Masking (Advanced). To know more, refer Static Masking in User Guide.
On selecting, Column-based Masking (Advanced) select the required schema and table from the Select Schema/DB and Select Table panel, respectively. This displays the list of columns for the selected table. Now, specify FP Encryption against the column that needs to be masked from the drop-down in the Select Masking column.
The selected column details are shown in the Select Column For Masking panel. Click Save and Execute to save and execute the task.
Once the task has been executed successfully, you can view the encrypted file in the destination location specified in the domain. For the above example, the destination location of the encrypted file is ‘/home/dataguise/Desktop/files/maskOut’.
In the below image, as per the structure defined in the Structure Management screen the columns FULL_NAME, ADDR_LINE1 and ADDR_LINE2 has been encrypted with FP encryption. The columns CONTACTNUMBER and EMAIL_ADDRESS has not been encrypted since the data for these two columns have not been imported, while defining the structure of the file or object.