Please Note:

Administration
CipherTrust Manager Administration
- CipherTrust Manager Release Model
- Supported Upgrade Paths
- Authentication
  - Authentication Settings for NAE, KMIP, Web, and Preboot Interfaces
  - Users
  - Certificate Based Authentication for Users
  - Managing Your Own User Account Settings
  - Authentication Tokens
  - Client Management
  - Authenticating to the REST API
- Attribute-based Access Control Permissions for Resources
  - Backup
  - Certificate Authority
  - Client Management
  - Cluster
  - Keys
  - Connection Managers
  - Proxies & Allowed Proxies
  - DNS Hosts
  - Domains
  - Groups & Groupmaps
  - Interfaces
  - Connections
  - Logs
  - Log Forwarders
  - Quorum
  - Records
  - Users
  - Scheduler
  - Servers
  - SNMP
  - Policies
  - Migrations
  - Licensing
  - HSM
  - Miscellaneous
  - Network
  - ProtectApp
  - Secrets
- Password Policy
- Key Policies
- Changing Passwords
- Domain Management
- Groups
- Group Mapping
- Services
- Root of Trust Hardware Security Module
- Clusters and Nodes
- CipherTrust Manager System Monitoring
  - Records
  - Alarms
  - Syslogs
  - Debug Logs
  - Log Forwarding
  - Prometheus Metrics Endpoint
- Policies
- Banners
- Basic Interface Configuration
- Proxy Configuration
- Quorums
- SNMP
- SMTP
- Backups
- Scheduling Backups
- Disk Encryption After Initial Deployment
- Scheduler
- Connection Manager
  - Connections
  - Labels in Connection Manager
  - AWS
  - Google
  - Secure Copy Protocols (SCP/SFTP)
  - Azure
  - Hadoop Knox
  - Loki
  - Salesforce
  - Luna Network HSM
  - Elasticsearch
  - SAP Data Custodian
  - CIFS/SMB
  - Syslog
  - Oracle Cloud Infrastructure
  - DSM Connection
  - OIDC
  - LDAP
  - Attestation Authority Connection
  - CM Connection/External CM
    - Managing CM Connections using GUI
    - Configuring CM Connections using ksctl
      - Managing External CM Server Connections using ksctl
      - Managing CM Connections using ksctl
  - Akeyless Gateway
- Browsing LDAP Users and Groups
- System Upgrade/Downgrade
- Configuring DNS Hosts
- CLI Toolkit
  - CLI Toolkit Installation
  - Batching Commands with Tokens
  - Example CLI User Set Up
  - Support CLI
- Keys
- Key Rotation
- Crypto Operations
- MKEK Rotation
- Certificate Authority
- System Info
- System Properties
- Network Diagnostics
- Integrating Logging with Splunk App
- Return Material Authorization (RMA) Guidance
- Secrets Management
- Reports
- Key Templates
- Managing public SSH keys for ksadmin
Application Data Protection
- Interfaces
- Managing DPG Configurations
  - Managing DPG Applications
- Managing CRDP Configurations
  - Managing CRDP Applications
- Managing CDP for Teradata VantageCloud Lake Configurations
  - Managing CDP for Teradata VCL Applications
- Managing CADP for Java Configurations
  - Managing CADP for Java Applications
- Managing BDT Configurations
  - Managing BDT Applications
  - Managing Data Sources
  - Managing Job Configuration
    - Running Job from Application
    - Running Job from Job Configuration
  - Job Status
- Managing CAKM Configurations
  - Managing CAKM Database Instances
  - Managing CAKM for Oracle TDE Applications
- Managing Character Sets
  - Creating character set
  - Deleting character set
- Managing User Sets
  - Viewing user sets
  - Creating user sets
  - Deleting user sets
- Managing Masking Formats
  - Viewing masking format
  - Creating masking formats
  - Deleting masking format
  - Modifying masking format
- Managing Access Policy
  - Viewing access policy
  - Creating access policy
  - Modifying access policy
  - Deleting access policy
- Managing Protection Policy
  - Viewing protection policy
  - Creating protection policy
  - Modifying protection policy
  - Deleting protection policy
  - Protection Policy Versioning
  - IV for FPE/AES
  - Key States
  - Tweak algorithm and tweak data compatibility details
  - Random Nonce
  - Irreversible Token
  - Handle small input value
  - Random2
  - DATEv3
- Tasks
  - How to delete stale clients
  - View updated status of clients
  - Auto Renewal of Client Certificates
  - Fetch Latest Data from CipherTrust Manager
- Heartbeat Configuration
- Single Pane of Glass
- Access Control for Keys
Batch Data Transformation (BDT)
- Protection Profiles
- BDT Policies
- BDT Containers
CipherTrust Cloud Key Manager (CCKM)
- Overview
- AWS Resources
  - Managing AWS Accounts
  - Managing AWS Keys
  - Scheduling Operations
  - Managing AWS Reports
  - Managing Policies
  - Managing AWS Templates
  - Migrating to IAM Roles Anywhere Connections
  - Downloading AWS Metadata
- AWS CloudHSM Key Store Resources
  - Managing an AWS CloudHSM Key Store from CCKM
- AWS External Key Store Resources
  - Managing External Key Store Resources
  - AWS XKS Performance Summary
- Microsoft Azure Resources
  - Prerequisites
    - Prerequisites for Azure Cloud
    - Prerequisites for Azure Stack Cloud with Azure AD
    - Prerequisites for Azure Stack Cloud with Azure ADFS
  - Managing Azure Vaults
  - Managing Azure Keys
  - Managing Azure Certificates
  - Managing Azure Key Templates
  - Managing Azure Secrets
  - Scheduling Operations
  - Managing Azure Reports
  - Viewing Azure Subscriptions
  - Performance Summary
  - Allowing AD Users to Manage Azure Vaults
  - Configuring Connection to Azure Using Private Link
  - Downloading Azure Metadata
- Microsoft Double Key Encryption (DKE) Resources
  - Managing DKE Endpoints
  - Managing DKE Authorized Tenants
  - Microsoft DKE service performance summary
- External CipherTrust Resources
  - Managing External CipherTrust Domains
  - Managing External CipherTrust Keys
- DSM Resources
  - Managing DSM Domains
  - Managing DSM Keys
  - Scheduling Operations
- Google Cloud Resources
  - Google Cloud Projects
  - Google Cloud Key Rings
  - Google Cloud Keys
  - Google Cloud Reports
  - Scheduling Operations
  - Downloading Google Metadata
  - Performance Summary
- Google Cloud External Key Manager Resources
  - Managing Google EKM Endpoints
  - Managing Google EKM Endpoint Policies
  - Google EKM Performance Summary
  - Managing Google EKM Cryptospaces
  - Managing Google EKM Cryptospace Endpoints
- Google Workspace CSE Resources
  - Access Policies
  - High Level Architecture
  - Licensing
  - Prerequisites
  - Communication with KACLS
  - CSE Guest Access Support for Google Meet and Google Drive
  - Google CSE support for Google's end-to-end encrypted email
  - Clustering for Google Workspace
  - Encrypting Data Encryption Keys
  - Decrypting Data Encryption Keys
  - Endpoints
  - Identity Providers
  - Viewing Google Workspace CSE Records
  - Performance Summary
    - Google Calendar
    - Google Drive
    - Google Meet
    - Gmail
- Key Material Export and Upload
- Luna HSM Resources
  - Managing Luna HSM Partitions
  - Managing Luna HSM Keys
  - Scheduling Operations
- Oracle Cloud Resources
  - Managing Oracle Vaults
  - Managing Oracle Keys
  - Managing Oracle Tenancies
  - Scheduling Operations
  - Managing Oracle Reports
  - Managing Oracle Compartments
  - Downloading Oracle Metadata
- OCI External Resources
  - Managing Identity Providers
  - Managing External Vaults
  - Managing External Keys
  - OCI EKMS Performance Summary
- SAP Resources
  - Managing SAP Groups
  - Managing SAP Keys
  - Scheduling Operations
  - Managing SAP Reports
  - Viewing Linked SAP Applications
  - Performance Summary
  - Downloading SAP Metadata
- SAP HYOK Resources
  - Licensing
  - SAP HYOK endpoints
  - SAP HYOK keystores
  - Scheduling Operations
- Salesforce Resources
  - Managing Salesforce Organizations
  - Managing Salesforce Tenant Secrets
  - Scheduling Operations
  - Managing Salesforce Reports
  - Managing Salesforce Cache-Only Key Endpoints
  - Managing Certificates from Salesforce Organizations
- Migrate from CCKM Appliance
- Backup and Restore
CipherTrust Data Protection (CDP)
- Interfaces
- Concepts
- Configuring Oracle Databases
- Configuring DB2 Databases
- Configuring SQL Server Databases
- Configuring Teradata Databases
- Tasks
  - View Job History
  - Delete Views and Triggers
  - Create Views and Trigger
  - Delete Old Data
  - Create Domain Index
  - Encrypt a Column
  - Decrypt a Column
  - Configure Migration Server
- SSL Connection Over JDBC
  - SSL Connection Over JDBC for Oracle
  - SSL Connection Over JDBC for DB2
- Troubleshooting
CipherTrust Transparent Encryption UserSpace (CTE UserSpace)
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Collecting Agent Information
  - Fetching Latest Capabilities from Clients
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
- Sharing Resources Across Domains
- Multifactor Authentication
- Communication with CipherTrust Manager
- Communication Workflow with CipherTrust Manager Behind a Load Balancer
- Configuring Cluster Node Preference
- Backup and Restore
- Integrating CTE Logging with Splunk
- Permissions
- Quorum Control
- Confidential Computing
- Load Balancer
- Operations
- Certificate Renewal
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - Creating GuardPoints
- API Response Codes
- How to Configure the External CA for CTE
- How to Change Local CA or External CA for CTE
CipherTrust Transparent Encryption (CTE)
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Enabling Live Data Transformation
  - Setting Client Locks
  - Client Settings
  - CTE Linux Authentication and Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Kernel Compatibility Matrix
  - Collecting Agent Information
  - Fetching Latest Capabilities from Clients
- Managing LDT Communication Groups
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
  - Managing FAM Policies and Rules
- Managing GuardPoints
  - Secure Start GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
    - Creating LDT GuardPoints
    - Creating Cloud Object Storage GuardPoints
    - Creating IDT GuardPoints
    - Creating Ransomware Protection GuardPoints
  - Enabling Secure Start for GuardPoints
  - Protecting Teradata Appliances
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Changing Designated Primary Set Connection
  - Changing SMB Connection
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
  - Enabling and Disabling MFA on GuardPoints
- Managing Storage Groups, Registration Groups, and Clients in Kubernetes
  - Managing Kubernetes Storage Groups
  - Managing Kubernetes Registration Groups
  - Managing Kubernetes Clients
  - Protecting Kubernetes Clients
  - Collecting Kubernetes Agent Information
- Sharing Resources Across Domains
- Multifactor Authentication
- Communication with CipherTrust Manager
- Communication Workflow with CipherTrust Manager Behind a Load Balancer
- Configuring Cluster Node Preference
- Backup and Restore
- Integrating CTE Logging with Splunk
- Migrating CTE Configuration from Data Security Manager
- Migration Summary
- Permissions
- Quorum Control
- Confidential Computing
- Ransomware Protection
- File Activity Monitoring (FAM)
- Unique to Client Keys
- Load Balancer
- Operations
- Certificate Renewal
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - LDT Use Cases
  - Creating GuardPoints
- API Response Codes
- How to Configure the External CA for CTE
- How to Change Local CA or External CA for CTE
Data Discovery and Classification (DDC)
- DDC overview
- Concepts
  - User groups
  - Locations
  - Information types
  - Classification profiles
  - Scans
  - Reports
  - Agents
  - Similarity search
- Discovering sensitive information
  - Local storage
  - Big data
    - Hadoop
    - Teradata
  - Network storage
    - NFS Share
    - SMB/CIFS Share
  - Server
    - Exchange Server
    - Sharepoint Server
  - Clouds
    - AWS S3
    - Azure Blobs
    - Azure Table
    - Google Workspace: GDrive
    - Google Workspace: Gmail
    - Office 365: Exchange Online
    - Office 365: OneDrive for Business
    - Office 365: SharePoint Online
    - Salesforce
  - Databases
    - IBM Db2
    - MongoDB
    - Microsoft SQL
    - MySQL
    - Oracle
    - PostgreSQL
    - SAP HANA
- Logging
- Operations
- Troubleshooting
- Appendix
- Deployment Security
Secrets Management
- Configure Secrets Management
- Create and Protect Akeyless Secrets
- Configuring Hashicorp Vault Proxy with CSM
- Integrating External Secrets Operator (ESO) K8s plugin with CipherTrust Secrets Manager (Akeyless)
- CSM Integration with Luna Network HSM
- CSM Akeyless Gateway Version Files for CipherTrust Manager
- Managing Akeyless Gateway Versions for CSM
- Troubleshooting

Managing Protection Policy

Protection policy defines a set of rules that govern the cryptographic operations to be performed in the application data protection. A protection policy includes entities such as algorithm, key, character set, access policy and so on.

Protection policy specifications

Supported key types

Symmetric AES keys are supported.

The keys must be marked exportable on CipherTrust Manager. The key to be used in the protection policy must be added to a group with Read, Encrypt, Decrypt, and Export permissions. One such example of group is Application Data Protection Clients.

Note

While adding an application on CipherTrust Manager, in the Client Groups field, select the group with which the key to be used in the protection policy was associated (for example, Application Data Protection Clients).

Supported algorithms and their specifications

Important Notes

It is recommended to use FPE/FF1v2 over other FPE algorithms.
AES-GCM, being more secure, is recommended over AES-CBC and AES-ECB.
It is recommended to use random nonce wherever applicable.
Random2 has a known limitation–small variations in the input plaintext produce only small variations in the output ciphertext.

FPE/AES


IV	The IV length is dependent on the cardinality of the character set. To know the required IV length, click here.
Random Nonce	Supported types are internal, external, and disabled. For more details, click here. It is recommended to use random nonce for higher security.
Cardinality	Unicode.
Key Size	128, 192, and 256.
Tweak Algorithm	Hashing algorithm to be applied to the specified tweak data beforehand. Possible options are: — SHA1 — SHA256 — NONE — NULL Tweak algorithms and tweak data are only applicable when random nonce is disabled.
Tweak	It uses the tweakable cipher concept to protect against statistical attacks due to potentially small input/output space. To know the required size of tweak data for FPE and tweak algorithms, click here.
Minimum supported input value	2 characters.

FPE/FF1v2


Random Nonce	Supported types are internal, external, and disabled. For more details, click here. It is recommended to use random nonce for higher security.
Cardinality	Unicode.
Key Size	128, 192, and 256.
Tweak Algorithm	Hashing algorithm to be applied to specified tweak data beforehand. Possible options are: — SHA1 — SHA256 — NONE — NULL Tweak algorithms and tweak data are only applicable when random nonce is disabled.
Tweak	It uses the tweakable cipher concept to protect against statistical attacks due to potentially small input/output space. To know the required size of tweak data for FPE and tweak algorithms, click here.
Minimum supported input value	2 characters.

FPE/FF3


Random Nonce	Supported types are internal, external, and disabled. For more details, click here. It is recommended to use random nonce for higher security.
Cardinality	Unicode.
Key Size	128, 192, and 256.
Tweak Algorithm	Hashing algorithm to be applied to specified tweak data beforehand. Possible options are: — SHA1 — SHA256 — NONE Tweak algorithms and tweak data are only applicable when random nonce is disabled.
Tweak	It uses the tweakable cipher concept to protect against statistical attacks due to potentially small input/output space. To know the required size of tweak data for FPE and tweak algorithms, click here.
Minimum supported input value	2 characters.

FPE/FF3-1

Note

For FF3-1, the maximum supported data length to be protected is dependent on the cardinality of the character set. The input data length must be <= the block-size.


Random Nonce	Supported types are internal, external, and disabled. For more details, click here. It is recommended to use random nonce for higher security.
Cardinality	Unicode.
Key Size	128, 192, and 256.
Tweak Algorithm	Hashing algorithm to be applied on specified tweak data beforehand. Possible options are: — SHA1 — SHA256 — NONE Tweak algorithms and tweak data are only applicable when random nonce is disabled.
Tweak	It uses the tweakable cipher concept to protect against statistical attacks due to potentially small input/output space. To know the required size of tweak data for FPE and tweak algorithms, click here.
Minimum supported input value	2 characters.

AES


Random Nonce	Supported types are internal, external, and disabled. For more details, click here. It is recommended to use random nonce for higher security.
Modes	Supported modes are: — CBC — ECB
Padding Schemes	— PKCS5Padding — NoPadding When using AES with NoPadding in CBC or ECB mode, then you must supply the input in multiples of 16 bytes (any UTF-8 input character).
IV	CBC mode accepts a 16-byte IV (can be any UTF-8 character input). For ECB mode, IV is not supported. It is mandatory to specify IV when random nonce is disabled.
Key Size	128, 192, and 256.
Identifier Strings	— AES/CBC/NoPadding — AES/CBC/PKCS5Padding — AES/ECB/NoPadding — AES/ECB/PKCS5Padding

AES/GCM


Random Nonce	Supported types are internal, external, and disabled. For more details, click here. It is recommended to use random nonce for higher security.
Modes	GCM
Padding Schemes	NoPadding
IV	1 to 16 byte (any UTF-8 input character) It is mandatory to specify IV when random nonce is disabled.
Key Size	128, 192, and 256
Identifier Strings	AES/GCM
Additional Authenticated Data (AAD)	(Optional.) AAD is additional data that is authenticated but not encrypted during the AES-GCM operation. It ensures the integrity of the data and data tampering with AAD can be detected.
Tag Length(TagLen)	(Optional.) The TagLength refers to the size of the authentication tag, also known as Message Authentication Code (MAC), generated by AES-GCM. It can be in the range of 32-128 (should be multiple of 8). For example, `32,40,48 ... 120,128`

AES/CTR


Random Nonce	Supported types are internal, external, and disabled. For more details, click here. It is recommended to use random nonce for higher security.
Modes	CTR
IV	AES/CTR accepts 16 byte (any UTF-8 input character) IV. It is mandatory to specify IV when random nonce is disabled.
Key Size	128, 192, and 256
Identifier Strings	AES/CTR

Random2


Nonce	Required to increase the randomness in data protection. Click here for details.
Key Size	128, 192, and 256
Identifier Strings	Random2
Cardinality	Unicode
Minimum supported input value	1 character

Supported character set

For format preserving algorithms (FPE and Random2), the Application Data Protection supports configurable character sets.

Note

FPE requires minimum two characters from the character set to perform crypto operations.
Random2 requires minimum one character from the character set to perform crypto operations.

Protection policy versioning

Application protection policies are versioned. Whenever a protection policy is modified, the version increases by one. The versioning helps track changes and updates made to a protection policy.

Refer to Protection Policy Versioning Details for more information on protection policy versioning.

What's Next

In this article you will learn how to:

Suggest A Change

Managing Protection Policy

Protection policy specifications

Supported key types

Supported algorithms and their specifications

Important Notes

FPE/AES

FPE/FF1v2

FPE/FF3

FPE/FF3-1

AES

AES/GCM

AES/CTR

Random2

Supported character set

Protection policy versioning

What's Next

References

On this page