Data Encryption using IBM Cloud Databases for PostgreSQL
Overview
In this mode, Data Security Broker functions as an application-level encryption (ALE) equivalent, encrypting data on a field-level (per-column) basis. Data Security Broker Manager enumerates the database schema and lets you define the encryption key mapping for the columns you select.
Procedure
Complete the following steps to encrypt data with Data Security Broker Manager on an IBM Cloud Databases for PostgreSQL instance:
- Log in to Data Security Broker Manager.
- Click an application, open the drop-down in the Migration Details field on the right side, and click Encrypt.
- Select the database and the table that contain your data, then select the column that needs to be encrypted. Choose the Data Protection policy, Encryption mode, and Masking mode for the encryption process and click Review.
- Choose Deploy Policy & Migrate Data under the Deployment Plan option. There are three options that you can choose from to implement your data encryption policy; for more information, see Deployment Plans in Data Security Broker Manager. Select the Data Security Broker Shield service IP address in the Migration Shield field and click Save to start the encryption process.
- The status of the application shows Migrating while the encryption process runs.
- Once the encryption is complete, the status changes to Protected. You can view more information by clicking Migration Details in the Applications sidebar.
New data that is inserted into the database after migration is, by default, encrypted with the default data encryption policy that the user selected.
Reference
Format Preserving Encryption (FPE) Supported Data Types
The following table lists the FPE-supported data types for data encryption in Data Security Broker Manager:
PostgreSQL
Original Data Type | FPE Data Type |
---|---|
smallint | fpe-int |
int | fpe-int |
integer | fpe-int |
bigint | fpe-int |
bytea | fpe-int |
numeric | fpe-decimal |
decimal | fpe-decimal |
numeric (s,p) | fpe-decimal |
decimal (s,p) | fpe-decimal |
money | fpe-decimal |
var | |
char | |
text | |
date | fpe-datetime |
time | fpe-datetime |
timestamp | fpe-datetime |
uuid | fpe-hexadecimal |
Counter-Mode (CTR) Supported Data Types
Data Security Broker Shield supports only one-word data type names, so multi-word PostgreSQL type names are referred to by their one-word aliases in the table below. BYTEA is the PostgreSQL binary data type (displayed in hexadecimal by default) and is used to store the encrypted data. BYTEA is the equivalent of VARBINARY in MySQL or the RAW data type in Oracle Database.
PostgreSQL
The following table lists the PostgreSQL data types supported for M_CTR mode in Data Security Broker Manager.
Original Data Type | Encrypted Data Type |
---|---|
SMALLINT | BYTEA |
INT, INTEGER | BYTEA |
BIGINT | BYTEA |
REAL, FLOAT4 | BYTEA |
FLOAT8 - Used in Data Security Broker Shield for "double precision" | BYTEA |
DECIMAL, NUMERIC | BYTEA |
VARCHAR - Used in Data Security Broker Shield for "character varying" | BYTEA |
CHAR, CHARACTER, BPCHAR | BYTEA |
TEXT | BYTEA |
JSON, JSONB | BYTEA |
BYTEA | BYTEA |
MONEY | BYTEA |
DATE | BYTEA |
TIMESTAMP - Used in Data Security Broker Shield for "timestamp without time zone" | BYTEA |
TIMESTAMPZ - Used in Data Security Broker Shield for "timestamp with time zone" | BYTEA |
UUID | BYTEA |
BIT | BYTEA |
VARBIT - Used in Data Security Broker Shield for "bit varying" | BYTEA |