Default Data Protection Policies

Baffle Advanced Data Protection provides the following default Data Protection Policies that you can apply in their original form or customize for an application.

  • Default Encryption (CTR) Policy
  • Default Format Preserving Encryption (FPE) Policy
  • Default Masking Policy

This document explains each of the default Data Protection Policies. For information on the differences between FPE and data masking, see Format Preserving Encryption vs Data Masking.

About Data Protection Policies

A Data Protection Policy consists of a combination of rules, which in turn consist of conditions and modes as illustrated in the following diagram.

A Mode specifies the type of encryption or masking format applied to selected columns, and can be applied to a column individually, as well as included in a policy Rule. A policy is applied to the columns of a data store associated with an enrolled application. A policy specifies the mode, conditions for given columns, and the keys that are used. For information on how to add a policy to an application, see Create a Data Protection Policy.

NOTE: The data type of a column can affect the encryption or masking format used in a Data Protection Policy. For more information, see FPE Reference, Baffle Shield Supported Data Masking Formats and Patterns, and Data Masking Reference.

Default Encryption (CTR) Policy

The Default CTR Policy uses counter mode encryption (CTR) combined with the Advanced Encryption Standard (AES) and Deterministic (DET) encryption. The Default CTR Policy applies to all data types.

  • AES (Advanced Encryption Standard) is included in the ISO/IEC 18033-3 standard and defined in FIPS PUB 197. AES became a U.S. federal government standard in 2002. AES is available in many different encryption packages and is the only publicly accessible cipher approved by the U.S. National Security Agency (NSA).
  • CTR (counter mode) is an algorithm that uses a block cipher. CTR turns a block cipher into a stream cipher, generating the next keystream block by encrypting successive values of a "counter". The counter can be any function that produces a sequence guaranteed not to repeat for a significant amount of time.
  • DET (deterministic encryption) always produces the same ciphertext for a given plaintext string and key, even over separate executions of the encryption algorithm.
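To make the three properties above concrete, here is an added example (not Baffle's code): a CTR-style construction in which HMAC-SHA256 stands in for the AES block cipher as the pseudorandom function, and the IV is derived from the plaintext so that the result is deterministic. The key and sample values are constructed for illustration; the last function shows what a DET column reveals even without the key.

```python
import hashlib
import hmac

# HMAC-SHA256 stands in for the AES block cipher as the PRF (assumption: this
# illustrates the CTR and DET properties; it is not Baffle's implementation).
IV_LEN = 16


def _subkeys(key):
    """Derive independent subkeys for the synthetic IV and for the keystream."""
    return (hmac.new(key, b"iv", hashlib.sha256).digest(),
            hmac.new(key, b"ctr", hashlib.sha256).digest())


def _keystream(enc_key, iv, length):
    """CTR construction: keystream block i = PRF(key, iv || i) for i = 0, 1, ...
    The counter never repeats within one message, so no keystream block recurs."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def det_encrypt(key, plaintext):
    """Deterministic CTR-style encryption: the IV is derived from the plaintext
    (a synthetic IV), so a given key and plaintext always yield the same output."""
    iv_key, enc_key = _subkeys(key)
    iv = hmac.new(iv_key, plaintext, hashlib.sha256).digest()[:IV_LEN]
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, iv, len(plaintext))))
    return iv + body


def det_decrypt(key, ciphertext):
    """Reverse the XOR, then recheck the synthetic IV to detect a wrong key or tampering."""
    iv_key, enc_key = _subkeys(key)
    iv, body = ciphertext[:IV_LEN], ciphertext[IV_LEN:]
    plaintext = bytes(c ^ k for c, k in zip(body, _keystream(enc_key, iv, len(body))))
    if not hmac.compare_digest(hmac.new(iv_key, plaintext, hashlib.sha256).digest()[:IV_LEN], iv):
        raise ValueError("ciphertext does not verify under this key")
    return plaintext


def distinct_ciphertexts(key, values):
    """With DET, the number of distinct ciphertexts equals the number of distinct
    plaintexts: this is what makes equality lookups on an encrypted column work,
    and also what an observer of that column can learn without holding the key."""
    return len({det_encrypt(key, v) for v in values})
```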

NOTE: You are not allowed to edit the Default CTR Policy. However, you can create custom encryption modes that you can save to a library and apply as needed. For information on other Baffle Advanced Data Protection encryption types, see Encryption Mode Types.

Default Format Preserving Encryption (FPE) Policy

Format Preserving Encryption (FPE) is a one-to-one mapping of sensitive to non-sensitive data. The mapping format depends on the data type to which it is applied, and the supported data types vary according to the database.

Default FPE formats

Encryption: Enabled

Masking: Disabled

NOTE: The database used and the data type of a column can affect the encryption format used in a Data Protection Policy. The data types for MySQL, SQL Server, and Postgres databases differ. For details on supported FPE data types and formats for different databases, as well as FPE transformations, see the FPE Reference.

  Data Type                                          Default FPE Format
  tinyInt, smallInt, integer, bigInt, float
  date, time, datetime, datetime2, datetimeoffset
  char, nchar, varchar, nvarchar

FPE data format transformations

For a list of supported FPE data formats and the FPE transformations for each, see the FPE Reference.

Default Masking Policy

Baffle Advanced Data Protection masks encrypted data so that any data returned to the user without decryption is presented in a friendly format. This supports applications that require data in a specific format but do not require realistic behavior of the data.

The default Masking Policy is applied to all data types.

NOTE: The data type of a column can affect the masking format used in a Data Protection Policy. For more information, see Baffle Shield Supported Data Masking Formats and Patterns and Data Masking Reference.

Default data masking formats

Encryption: Disabled

Masking: Enabled

  Data Type                                             Default Mask Format
  bit, tinyint, smallint, int/integer, bigint
  char, nchar, varchar, nvarchar, text, ntext           FIXED “***”
  image, binary, varbinary                              FIXED “***”
                                                        FIXED “1999-12-31”
                                                        FIXED “1999-12-31 00:00:00”
                                                        FIXED “1999-12-31 00:00:00 +00:00”
                                                        FIXED “00:00:00”
  decimal, money, numeric, float, real


Data masking transformations

Baffle Advanced Data Protection utilizes the following data masking transformations:

  • Masking on client queries – masks literal values for masked columns.
  • Masking on result sets – masks data values in the result set corresponding to masked columns.

Masking is applied as follows:

  • Type-specific and column-specific default masking is performed on both client queries and result set data.
  • Column-specific selective masking is performed on both client queries and result set data. This ensures data privacy for the masked fields.
  • Result set limit masking is applied only to result set data. Literal values for columns for which selective masking has not been specified are not masked.

NOTE: Result set limit masking is applied globally. However, result set limit masking and column-specific selective masking can be combined such that client queries are masked for those columns in which selective masking is applied.

For more information

See the following topics for more on Baffle Advanced Data Protection data formats, encryption, and data masking:
