Tokenize strings using encryption patterns

You can specify string patterns to be replaced by tokens before being sent to and stored in the instance.

You can pick patterns provided out of the box, or create your own patterns. You can create a basic pattern by specifying a sequence of characters. You create an advanced pattern by specifying a Java RegEx expression. The out of the box patterns are advanced patterns.

Encryption pattern limitations:
  • A pattern of all alpha characters is not allowed.
  • The minimum pattern size is 5 characters. This can be changed using a system property.
  • The asterisk (*) and plus (+) characters are not allowed in patterns.

When the proxy matches a pattern in a request going to the instance, the proxy replaces the matching string with a token of the same size and sends the token to the instance. The string matching the pattern is not sent to the instance. When the response is sent from the instance to the browser or HTTP client, the proxy replaces the token with the original string so you see the clear text.

Encryption patterns match complete words, not parts of strings embedded in a larger string. Words are defined by spaces and characters not available for inclusion in a pattern.

The string matching the pattern is not encrypted; it is replaced with a token. The clear text never leaves your network. If the same string is sent to the instance multiple times, it is replaced with the same token each time. This means that you can perform text searches for strings that have been replaced with a token: the proxy changes the query string to a token when the query is sent to the instance, the search is performed on the instance against tokens, and when the search results are sent back to you, the tokens are replaced with the clear text. Searches are done on exact matches; features such as stemming do not work.

The encryption pattern feature uses the same MySQL database used for order-preserving encryption.

Note: Encrypted fields are not checked for encryption patterns.
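
The behavior described above (whole-word matching, same-size tokens, one token per distinct string, exact-match search on tokens), modeled as an added Python example; it is not Edge Encryption code. The sample pattern, the `TokenVault` class, the in-memory dictionaries standing in for the proxy database, and the random alphanumeric token format are all assumptions made for illustration.

```python
import re
import secrets
import string

# Constructed sample pattern (3-2-4 digits). It avoids '*' and '+' and uses
# only regex syntax that Java and Python share.
PATTERN = r"\d{3}-\d{2}-\d{4}"
# Assumption: characters eligible for a pattern; anything else ends a word.
WORD_CHARS = "0-9A-Za-z-"
TOKEN_ALPHABET = string.ascii_letters + string.digits  # assumed token format


class TokenVault:
    """Hypothetical in-memory stand-in for the proxy and its database."""

    def __init__(self, pattern):
        # Lookarounds enforce whole-word matches: no eligible character may
        # touch the match on either side.
        self._regex = re.compile(
            rf"(?<![{WORD_CHARS}])(?:{pattern})(?![{WORD_CHARS}])")
        self._to_token = {}
        self._to_clear = {}

    def _token_for(self, clear):
        # One token per distinct string, so exact-match search still works.
        if clear not in self._to_token:
            token = clear
            while token == clear or token in self._to_clear:
                token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in clear)
            self._to_token[clear] = token
            self._to_clear[token] = clear
        return self._to_token[clear]

    def outbound(self, text):
        """Request or query going to the instance: matches become tokens."""
        return self._regex.sub(lambda m: self._token_for(m.group(0)), text)

    def inbound(self, text):
        """Response from the instance: known tokens become clear text."""
        for token, clear in self._to_clear.items():
            text = text.replace(token, clear)
        return text


if __name__ == "__main__":
    vault = TokenVault(PATTERN)
    stored = vault.outbound("ID 123-45-6789 called; 123-45-6789 confirmed")
    print(stored)                                   # what the instance stores
    print(vault.outbound("123-45-6789") in stored)  # search term hits the token
    print(vault.inbound(stored))                    # what the user sees
    print(vault.outbound("X123-45-67890"))          # part of a larger word: unchanged
```

Because the mapping lives only on the proxy side, anything that reads the instance directly sees `stored`, never the clear text.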

Configure basic encryption patterns

You can build a pattern character by character.

Before you begin

In order to use encryption patterns, you must install and set up a proxy database in your network. This is the same database used for order-preserving encryption. In order to create or edit encryption patterns, you must be connected to the instance through the proxy.

Role required: security-admin

About this task

The input type defines how you are going to enter the pattern. It does not impact how the pattern is used. To enter a series of character types, use the basic input type. To enter a Java RegEx expression, use the advanced input type. To use one of the preconfigured patterns, edit one of the patterns on the Advanced Patterns list.

Procedure

  1. Navigate to Edge Encryption Configuration > Encryption Patterns > Create New.
  2. Enter the pattern name.
  3. Create a pattern by clicking the Add button, and then selecting a character type.

    The Sample pattern shows what your pattern looks like as you add characters and specify the character type.

    You can use the New Block button to move the next character to the next line. This allows you to group characters in a long pattern.

    Click the X button to delete the last character in the pattern.

  4. Click Submit.

Configure advanced encryption patterns

You can build a pattern using a Java RegEx expression.

Before you begin

In order to use encryption patterns, you must install and set up a proxy database in your network. This is the same database used for order-preserving encryption. In order to create or edit encryption patterns, you must be connected to the instance through the proxy.

Role required: security-admin

About this task

The input type defines how you are going to enter the pattern. It does not impact how the pattern is used. To enter a series of character types, use the basic input type. To enter a Java RegEx expression, use the advanced input type. To use one of the preconfigured patterns, edit one of the patterns on the Advanced Patterns list.

Procedure

  1. Navigate to Edge Encryption Configuration > Encryption Patterns > Create New.
  2. Enter the pattern name.
  3. In the Edge pattern input type list, select Advanced.
  4. When the Convert basic pattern to advanced dialog is shown, click OK.
  5. In the Sample match edit box, enter a sample pattern.
    Use this sample pattern to test the RegEx expression you enter. You cannot save the pattern until the pattern matches the sample.
  6. In the Pattern edit box, enter a Java RegEx expression.
  7. Click the Validate button to verify that the expression matches the sample pattern.
  8. Click Submit.

Configure predefined encryption patterns

Edge Encryption ships with a set of predefined encryption patterns. You can activate these patterns instead of creating your own patterns.

Before you begin

In order to use encryption patterns, you must install and set up a proxy database in your network. This is the same database used for order-preserving encryption. In order to create or edit encryption patterns, you must be connected to the instance through the proxy.

Role required: security-admin

About this task

The input type defines how you are going to enter the pattern. It does not impact how the pattern is used. To enter a series of character types, use the basic input type. To enter a Java RegEx expression, use the advanced input type. To use one of the preconfigured patterns, edit one of the patterns on the Advanced Patterns list.

Procedure

  1. Navigate to Edge Encryption Configuration > Encryption Patterns > Advanced Patterns.
  2. Click on the pattern you want to use.
    The Encryption Pattern form is shown.
    You can change the pattern to match your specific requirements.
  3. Click Active, and then click Update.
    The Encryption Patterns list is shown.