...

This tab is enabled only when the Crypto masking method is selected in the Fields tab. 

...

Setting Description

Cipher Mode

Cipher Mode to use.

The CTR and GCM modes are non-deterministic: they give different outputs for the same input. This means that it is not possible to correlate data from separate UDRs, but if correlation is not a requirement, these modes give a more complete anonymization.

The CBC mode is deterministic and can be used when correlation must be possible on pseudonymized data. It includes transposition scrambling to protect against prefix matching.

The ECB mode is not recommended since it allows for prefix and suffix matching and thus gives weaker security than the CBC mode. It is only included for backwards compatibility.

Derive Key from Passphrase

Select this option for the cryptographic engine to derive the key from a passphrase. The Passphrase and Algorithm fields will be enabled.

Passphrase

Enter a passphrase manually or click the Random button to generate a random key. The passphrase is then hashed, and the hash is used as the key.

If you use a random passphrase and it has been changed, you will not be able to unmask any data that was masked prior to the change.

Algorithm

Select the algorithm to be used, either AES-128 or AES-256.

This can only be used for fields of string and bytearray types.

Read Key from Keystore

Select this option to use a key from a designated keystore. The keystore must be of type JCEKS. The Keystore Path, Keystore Password, Key Name and Key Password fields will be enabled.

Example - Creating a symmetric crypto key

$ keytool -keystore test.ks -storepass password -storetype jceks -genseckey -keysize 128 -alias testkey -keyalg AES

Keystore Path

Enter the path to the keystore file.

Keystore Password

Enter the associated password.

Key Name

This field is optional. Enter the associated key name.

Key Password

This field is optional. Enter the associated key password if required, otherwise the Keystore Password is used as the default password.

Database Tab

This tab is enabled only when the Database Storage masking method is selected in the Fields tab. 

...