Encrypt and Decrypt Data

After defining a data protection policy, where you selected the database, table, columns and specified the encryption mode, you can:

  • encrypt columns or fields containing sensitive data before the data is sent to the database, and
  • decrypt encrypted data from the database before the application receives the data.


Successfully Create a Data Protection Policy.

Step 1: Encrypt Data on a Database

There are three states you can choose from to implement your policy:

  • Save – used when a policy needs additional verification before implementing.

  • Deploy – used when defining a policy for a data store that may be cloned from an environment that did not go through Baffle migration and data type conversion.

  • Deploy Policy & Migrate Data – used when a user wants to define a policy for a data store to protect columns, and migrate the existing data in the data store.

    • Note: Baffle Migration is not supported for policies that define objects that have not yet been created on the database, or for policies that use AWS Redshift.

For more information on these options, see Saving, Deploying, or Deploying and Migrating your Data in Baffle Manager. In the following procedure, you choose to deploy and migrate the data and then view the encrypted data on your database.

To encrypt data on a database, do the following:

  1. In the Deployment Plan for policy, click Deploy Policy and Migrate Data. This saves and deploys the data protection policy you previously defined and migrates the existing data in the selected columns.
    1. Note: Baffle Migration is not supported for policies that define objects that have not yet been created on the database, or for policies that use AWS Redshift.
  2. Select Clean Temp Tables to delete the temporary tables used to carry out encryption. 
  3. (Optional) Select a Baffle Shield to use for data migration from the Migration Shield dropdown menu. For more information, see Create and Select Shields for Migration from Baffle Manager.

  4. Click SAVE to execute the policy. The Applications list should  indicate the data migration is in progress.


    Tip: If the migration does not initiate, you may need to configure your database user privileges.
  5. Log in to your database from your database client and view the encrypted data.

Step 2: Decrypt Previously Encrypted Data

This section explains the decryption process and walks you through the task of decrypting data that was previously encrypted. Only the columns that were previously encrypted are available for decryption.

Decryption options

Selecting a decryption option effectively changes the data protection policy for the application. Some options perform a slightly different function for decryption than for encryption: 

  • Save – Saves the new data protection policy as a draft without any changes to the data. This option can be used to hone the policy over multiple iterations before deploying or migrating during a downtime window.
  • Deploy – Removes the columns specified for decryption from the data protection policy without decrypting the data. WARNING! Baffle Manager does not validate whether the removed columns are actually decrypted. Once the columns are removed from the data protection policy, they are available for encryption through Baffle Manager. If the referenced data was not decrypted through other means, existing encrypted data may be doubly encrypted leading to data loss.
  • Deploy & Migrate – Clears the selected columns from the BafflePrivacySchema and the data is decrypted. 
    • Note: Baffle Migration is not supported for policies that define objects that have not yet been created on the database, or for policies that use AWS Redshift.

Best practice guidelines

  • IMPORTANT! If you select Deploy & Migrate to encrypt columns, select Deploy & Migrate to decrypt the same columns. This prevents a state where it would be possible to double encrypt the data.
  • The Deploy option is rarely used, and typically only applies to cases where your data does not need to be transformed (e.g. syncing Baffle Manager’s data protection policy with the data encryption state after restoring an old data set).
  • Choose Save to specify policy changes for decryption, and then return to Deploy, or Deploy & Migrate the policy at a later time.

To decrypt data on a database, do the following:

  1. Click the Application icon in the left navigation bar, then select the application name from the list.
  2. In the panel on the right, select Decrypt from the Migration Details menu.

  3. In the Tree Menu, select the database and table with the data to be decrypted.

  4. In the Schema Builder window, select the encrypted columns to be decrypted and click Save

  5. In the left panel, select the appropriate Deployment Plan option and specify any necessary related fields. In our example, we chose Deploy Policy & Migrate Data. For more information on Deployment Plan options, see Saving, Deploying, Deploying & Migrating your Data in Baffle Manager.


  6. Click Save.
  7. Optional: Log in to the database with a database client and view the newly decrypted data.

Next Steps:

Perform the following administration tasks as needed:

Was this article helpful?
0 out of 0 found this helpful



Please sign in to leave a comment.