Encrypt Your Table

Looking for examples to get started with encryption? Let's go!

Steps to create a new encrypted table

​ To configure tables for encryption, users must take the following steps: ​

  1. Create new table(s) via DDL (either through the Core API DDL endpoint) and generate biscuits enabling DDL commands.
  2. For each table that you wish to enable encryption for, the Data Security module ensures the current user is authorized to execute table DDL statements (i.e., via a provided biscuit) and verifies that no table already has encryption enabled, failing otherwise.
  3. If a table already has data prior to having encryption enabled, the existing data will not automatically be encrypted. It is the user's responsibility to enable encryption prior to inserting any data in the table.
  4. If multiple tables are present, users can configure which tables have columns with shared data, enabling encryption using the same key.
  5. For each selected column, users may configure what type of encryption and option they desire. Details on encryption types and options are discussed in the next section.
  6. Finally, users save their configuration and provide it to the Data Security API.


Here's an example of a POST request to configure multiple tables for encryption in a dataset:

    "tables": [
        {
            "resourceId": "PUBLIC.TEST_TABLE,
            "columns": [
                {
                    "name": "IDENTITY",
                    "encType": "DET",
                    "encOption": "NONE"
                },
                {
                    "name": "USER_IDENTIFIER",
                    "encType": "DET",
                    "encOption": "LIKE"
                },
                {
                    "name": "TRANSACT",
                    "encType": "FPE",
                    "encOption": "ASCII"
                },
                {
                    "name": "ORDER_DET",
                    "encType": "FPE",
                    "encOption": "NUMERIC"
                },
                {
                    "name": "PHONE_NUM",
                    "encType": "FPE",
                    "encOption": "NUMERIC_NONSTRICT"
                },
                {
                    "name": "DATE_OF_BIRTH",
                    "encType": "FPE_DAY",
                    "encOption": "NONE"
                },
                {
                    "name": "TOKEN",
                    "encType": "FPE_TOKEN",
                    "encOption": "EBCDIC"
                },
                {
                    "name": "SECRET",
                    "encType": "MASK",
                    "encOption": "MASK_FULL_DATE"
                },
                {
                    "name": "SALARY",
                    "encType": "OPE",
                    "encOption": "NONE"
                }
            ]
        },
        {
            "resourceId": "PUBLIC.TEST_TABLE_2",
            "columns": [
                {
                    "name": "ID",
                    "encType": "DET",
                    "encOption": "NONE"
                },
                {
                    "name": "USER_ID",
                    "encType": "DET",
                    "encOption": "LIKE"
                },
                {
                    "name": "TRANSACTION",
                    "encType": "FPE",
                    "encOption": "EASCII"
                },
                {
                    "name": "ORDER_DETAILS",
                    "encType": "FPE",
                    "encOption": "UNICODE"
                },
                {
                    "name": "PHONE",
                    "encType": "FPE",
                    "encOption": "NUMERICLP"
                },
                {
                    "name": "BIRTH_DATE",
                    "encType": "FPE_DAY",
                    "encOption": "NONE"
                },
                {
                    "name": "TOKEN_ID",
                    "encType": "FPE_TOKEN",
                    "encOption": "NUMERIC"
                },
                {
                    "name": "SECRET_DATE",
                    "encType": "MASK",
                    "encOption": "MASK_YEAR"
                },
                {
                    "name": "RANK",
                    "encType": "OPE",
                    "encOption": "NONE"
                }
            ]
        }
    ],
    "biscuits": ["EvgHCo0HCg5zeHQ6Y2FwYWJpbGl0eQoKZG....."]
    }

Authorization

To perform encryption and decryption actions on a table, you must include the API token (known as a "biscuit") for the corresponding table in the request header. This is an essential step to ensure secure access to your data. When making the request, include the biscuit in the header that is associated with your table.

This should be included in every encryption/decryption API request you make. Failing to include the biscuit, or including an incorrect or expired biscuit, will result in an error and the request will not be processed.

Here’s an example of a POST request that will encrypt values inserted into an table:

{
	"resourceId": "PUBLIC.TEST_TABLE",
	"sqlText":  "INSERT INTO PUBLIC.TEST_TABLE (ID, USER_ID, TRANSACTION, ORDER_DETAILS) values ('1', 'ABC321', 'config656', '123823')"
}

Here’s an example of a POST request that will select all columns from a specific table and decrypt them, given they are encrypted:

{
	"resourceId": "PUBLIC.TEST_TABLE_DQL",
	"sqlText": "SELECT * FROM TEST_TABLE_DQL"
}