Modify and Deploy the Baffle Privacy Schema

The BafflePrivacySchema (BPS) establishes a protection policy for an application, indicating the columns or fields that must be encrypted, as well as specifying the data encryption keys to be used. The BPS file is usually generated by Baffle Manager to ensure the format and values are correct. It also ensures that Baffle Shield presents the correct data type and column properties back to the application layer.

NOTE: Masking patterns specified in double-quotes can also be specified in single-quotes in the BafflePrivacySchema.

You can directly edit the BPS file with the Baffle Manager Configuration Editor to modify the columns and fields specified for encryption.  For detailed information on the parameters for the BaffleCommonConfig file, see the Baffle Common Config File Parameters Reference.

IMPORTANT: Modifying the BPS file with the Configuration Editor is an advanced procedure that requires an understanding of the correct BPS structure and syntax. It is highly recommended that you use the Schema Selector if possible.

The following procedure demonstrates how to modify the BPS using the Baffle Manager (BM) Configuration Editor.

To modify the BPS file, do the following:

  1. Log in to Baffle Manager, click the Application icon in the left menu bar, then select the application for the BPS file that’s to be modified.


    A dialog with application details appears on the right.

  2. Select the Gear icon in the upper right corner of the dialog and select Edit Configuration from the drop-down menu.


    The Configuration Editor page appears.

  3. Select the Baffle Privacy Schema option on the left. The Baffle Privacy schema file appears on the right.

  4. Select a column in the schema file and make the necessary modifications, or add a new column. Use the following syntax:

    <database>.<table>.<column> <encryption_method> <datatype> <encryption_mode> <deterministic_random> [MGR_ENC | MGR_CLEAR]

    IMPORTANT NOTE! You must add MGR_ENC (to encrypt) or MGR_CLEAR (to decrypt) to each new or modified column. A column that is added or modified without one of these flags is not migrated, even when Deploy and Migrate is selected.

    Encryption example: test1.superstore.salesid 2 varbinary(136) M_CTR ENC_DET MGR_ENC
    Decryption example: test1.superstore.salesid 2 varbinary(136) M_CTR ENC_DET MGR_CLEAR


    • test1.superstore.salesid is the fully qualified <database>.<table>.<column> to be encrypted

    • 2 signifies that this column uses record-level multi-key encryption

    • varbinary(136) specifies the original datatype of the field

    • M_CTR indicates AES CTR mode for encryption

    • ENC_DET sets deterministic encryption mode

    • MGR_ENC is required on an added or modified column for the column to be encrypted during migration

    • MGR_CLEAR is required on an added or modified column for the column to be decrypted during migration

  5. Select Deploy and Migrate to save the policy, deploy it, and migrate the selected existing tables and columns through your Baffle Shield for encryption. Optionally, you can select:

      • Save to save the policy changes without deploying them, or

      • Deploy to deploy the policy changes without migrating (encrypting) existing data.

  6. Click Close Window to return to the Application page.
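Because a column line that lacks MGR_ENC or MGR_CLEAR is silently skipped by migration, it is worth linting a BPS file before deploying it. The following is an added example, not Baffle's own code: a small Python checker that parses lines in the layout shown in step 4 and reports any column without a migration flag, an unknown sixth token, or a column name that is not <database>.<table>.<column>. It assumes whitespace-separated fields, a datatype token with no embedded spaces, and lines beginning with "#" as comments; the sample policy text and the column names customerid and orderid are constructed for the example.

```python
"""Lint a BafflePrivacySchema (BPS) file before deploying it.

Added example; not Baffle code. It only knows the line layout shown on
this page:

    <database>.<table>.<column> <encryption_method> <datatype> \
        <encryption_mode> <deterministic_random> [MGR_ENC | MGR_CLEAR]

Assumptions (not from the page): lines starting with '#' are comments,
fields are separated by whitespace, and the datatype token (for example
varbinary(136)) contains no whitespace.
"""
from dataclasses import dataclass
from typing import List, Optional

# The only two migration flags documented on the page.
MIGRATION_FLAGS = {"MGR_ENC", "MGR_CLEAR"}


@dataclass
class BpsEntry:
    database: str
    table: str
    column: str
    encryption_method: str      # e.g. "2" = record-level multi-key encryption
    datatype: str               # original datatype, e.g. "varbinary(136)"
    encryption_mode: str        # e.g. "M_CTR" = AES CTR mode
    deterministic_random: str   # e.g. "ENC_DET" = deterministic
    migration_flag: Optional[str]  # None when the line carries no MGR_* flag


def parse_bps_line(line: str) -> BpsEntry:
    """Parse one BPS policy line; raise ValueError on malformed input."""
    parts = line.split()
    if len(parts) not in (5, 6):
        raise ValueError(f"expected 5 or 6 fields, got {len(parts)}: {line!r}")
    fq = parts[0].split(".")
    if len(fq) != 3 or not all(fq):
        raise ValueError(f"column must be <database>.<table>.<column>: {parts[0]!r}")
    flag = parts[5] if len(parts) == 6 else None
    if flag is not None and flag not in MIGRATION_FLAGS:
        raise ValueError(f"unknown migration flag {flag!r} in {line!r}")
    return BpsEntry(fq[0], fq[1], fq[2], parts[1], parts[2], parts[3], parts[4], flag)


def lint_bps(text: str) -> List[str]:
    """Return one warning per line that will not parse or would silently not migrate."""
    warnings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            entry = parse_bps_line(line)
        except ValueError as exc:
            warnings.append(f"line {lineno}: {exc}")
            continue
        if entry.migration_flag is None:
            warnings.append(
                f"line {lineno}: {entry.database}.{entry.table}.{entry.column} "
                "has no MGR_ENC/MGR_CLEAR flag; it will not migrate even with "
                "Deploy and Migrate"
            )
    return warnings


# Constructed sample input (not a real policy): line 2 is the page's
# encryption example; lines 3-5 each show one mistake the linter catches.
SAMPLE_BPS = """\
# constructed sample, based on the examples on this page
test1.superstore.salesid 2 varbinary(136) M_CTR ENC_DET MGR_ENC
test1.superstore.customerid 2 varbinary(136) M_CTR ENC_DET
test1.superstore.orderid 2 varbinary(136) M_CTR ENC_DET MGR_OOPS
superstore.salesid 2 varbinary(136) M_CTR ENC_DET MGR_CLEAR
"""

if __name__ == "__main__":
    for warning in lint_bps(SAMPLE_BPS):
        print(warning)
```

Run the linter over the exported BPS text before selecting Deploy and Migrate; an empty warning list means every column line parsed and carries one of the two migration flags. The check is deliberately strict about the sixth token because a mistyped flag is indistinguishable, to the eye, from a correct one.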
