Encryption patterns


You can specify string patterns to be replaced by tokens before being sent to and stored in the instance.

You can pick patterns provided out of the box, or create your own patterns. You create a basic pattern by specifying a sequence of characters. You create an advanced pattern by specifying a Java regular expression (RegEx). The out-of-the-box patterns are advanced patterns.

Encryption pattern limitations:
  • A pattern of all alpha characters is not allowed.
  • The minimum pattern size is 5 characters. This can be changed using a system property.
  • The asterisk (*) and plus (+) characters are not allowed in patterns.

When the proxy matches a pattern in a request going to the instance, the proxy replaces the string with a token the same size as the string being replaced, and sends the token to the instance. The string matching the pattern is not sent to the instance. When the response is sent from the instance to the browser or HTTP client, the proxy replaces the token with the string so you see the clear text.

Encryption patterns match complete words, not parts of strings embedded in a larger string. Words are defined by spaces and characters not available for inclusion in a pattern.

The string matching the pattern is not encrypted; it is replaced with a token. The clear text never leaves your network. If the same string is sent to the instance multiple times, it is replaced with the same token. This means that you can perform text searches for strings that have been replaced with a token. The search itself happens on the instance with tokens: the query string is changed to a token when the query is sent to the instance, the search is performed on tokens, and when the search results are sent back to you, the tokens are replaced with the clear text. Searches are done on exact matches; features such as stemming do not work.
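
The behavior described above (same-size tokens, whole-word matching, the same token for the same string, and search on tokens) can be modeled with the following added example, which is not the product's code. The SSN-like pattern, the token alphabet, the in-memory vault standing in for the proxy database, and the whitespace-only word boundary are assumptions made for illustration, and the pattern is compiled with Python's re module rather than Java's.

```python
import re
import secrets
import string

# Constructed sample pattern (SSN-like). It respects the limitations above:
# not all-alpha, at least 5 characters, no * or + quantifiers.
PATTERN = r"\d{3}-\d{2}-\d{4}"
ALPHABET = string.ascii_uppercase + string.digits  # assumed token alphabet


class TokenizingProxy:
    """Toy proxy: swaps pattern matches for same-length tokens on the way out."""

    def __init__(self, pattern):
        # Whole-word matching, approximated here as "delimited by whitespace".
        self._regex = re.compile(r"(?<!\S)(?:" + pattern + r")(?!\S)")
        self._to_token = {}  # clear text -> token (stands in for the proxy database)
        self._to_clear = {}  # token -> clear text

    def _token_for(self, clear):
        if clear not in self._to_token:
            while True:  # random token of identical length, unique in the vault
                token = "".join(secrets.choice(ALPHABET) for _ in clear)
                if token not in self._to_clear and token != clear:
                    break
            self._to_token[clear] = token
            self._to_clear[token] = clear
        return self._to_token[clear]

    def outbound(self, text):
        """Request or search query going to the instance."""
        return self._regex.sub(lambda m: self._token_for(m.group(0)), text)

    def inbound(self, text):
        """Response coming back from the instance."""
        for token, clear in self._to_clear.items():
            text = text.replace(token, clear)
        return text


def demo():
    proxy = TokenizingProxy(PATTERN)
    stored = proxy.outbound("Caller SSN 123-45-6789 verified")  # what the instance stores
    query = proxy.outbound("123-45-6789")                       # later search term
    embedded = proxy.outbound("ref=X123-45-6789Y")              # not a whole word: sent as-is
    return stored, query, embedded, proxy.inbound(stored)
```

Because the token is looked up rather than derived from the clear text, the mapping exists only on the proxy side. The embedded case shows that a sensitive string inside a larger string is sent to the instance unchanged.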

The encryption pattern feature uses the same MySQL database used for order-preserving encryption.

Note: Encrypted fields are not checked for encryption patterns.