After defining a data protection policy, in which you selected the database, table, and columns and specified the encryption mode, you can:
- encrypt columns or fields containing sensitive data before the data is sent to the database, and
- decrypt encrypted data from the database before the application receives the data.
Successfully Define a Data Protection Policy.
Step 1: Encrypt Data on a Database
There are three states you can choose from to implement your policy:
- Save – used when a policy needs additional verification before implementing.
- Deploy – used when defining a policy for a data store that may be cloned from an environment that did not go through Baffle migration and data type conversion.
- Deploy Policy and Migrate Data – used when a user wants to define a policy for a data store to protect columns, and migrate the existing data in the data store.
In the following procedure, we will choose to deploy and migrate the data, so you can then view the encrypted data on your database.
To encrypt data on a database, do the following:
- Under Migration Plan on the Confirmation page for the application policy, click Deploy Policy and Migrate Data. This saves and deploys the data protection policy you previously defined and migrates the existing data in the selected columns.
- Select Clean Temp Tables to delete the temporary tables used to carry out encryption.
- (Optional) To choose which Shield is used specifically for data migration, select it from the Migration Shield dropdown menu. For more information, see Create and Select Shields for Migration from Baffle Manager.
- Click SAVE to execute the policy. The Applications list should indicate the data migration is in progress.
Tip: If the migration does not initiate, you may need to configure your database user privileges.
- You can log in to your database with your database client and view the encrypted data.
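One way to script the check in the last step, as an added example that is not part of Baffle's documentation: it reads the protected columns directly and lists the rows whose values still match the plaintext format, which flags a migration that is still in progress or incomplete. The SQLite table `customers`, its columns, the regex patterns and the random-token stand-in for ciphertext are all assumptions constructed for the demonstration.

```python
import re
import secrets
import sqlite3

# Plaintext shapes for the protected columns (assumed formats for this sample).
PLAINTEXT_PATTERNS = {
    "ssn": re.compile(r"\d{3}-\d{2}-\d{4}"),
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
}
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def plaintext_residue(conn, table, patterns):
    """Return {column: [row ids whose value still looks like plaintext]}."""
    if not IDENT.fullmatch(table):
        raise ValueError(f"unsafe table name: {table!r}")
    residue = {}
    for column, pattern in patterns.items():
        if not IDENT.fullmatch(column):
            raise ValueError(f"unsafe column name: {column!r}")
        # Identifiers cannot be bound as parameters, hence the checks above.
        rows = conn.execute(f'SELECT id, "{column}" FROM "{table}"')
        residue[column] = [
            row_id for row_id, value in rows
            if isinstance(value, str) and pattern.fullmatch(value)
        ]
    return residue


def build_sample_db():
    """Constructed data: rows 1-2 migrated, row 3 left in plaintext."""
    def fake_ciphertext():
        # Stand-in for an encrypted value; not the product's real format.
        return secrets.token_hex(24)

    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, ssn TEXT, email TEXT)")
    rows = [(fake_ciphertext(), fake_ciphertext()) for _ in range(2)]
    rows.append(("078-05-1120", "alice@example.com"))
    conn.executemany("INSERT INTO customers (ssn, email) VALUES (?, ?)", rows)
    return conn


if __name__ == "__main__":
    print(plaintext_residue(build_sample_db(), "customers", PLAINTEXT_PATTERNS))
```

An empty list for every column means no row in that column still matches its plaintext pattern; any listed row id needs a closer look before the migration is treated as complete.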
Step 2: Decrypt Previously Encrypted Data
This step walks you through decrypting data you previously encrypted on a database.
Note: Only the columns that you have previously encrypted are available to decrypt.
To decrypt data on a database, do the following:
- On the Application page of Baffle Manager, select the application with the data you want to decrypt.
- In the panel on the right, select Decrypt from the drop-down menu.
- In the Tree Menu, select the database and table with the data to be decrypted.
- In the Schema Builder window, select the encrypted columns to be decrypted.
- Click Next to perform the decryption.
- You can log in to your database with your database client and view the newly decrypted data.
Perform the following administration tasks as needed: