Configure the encryption transform component

The encryption transform component encrypts sensitive fields from upstream data using a selected encryption algorithm and key. This process protects your sensitive data. This topic describes how to configure the encryption transform component.

Quick start in 5 minutes

Prerequisites

An offline single pipeline is created. For more information, see Configure an integration task using an offline single pipeline.

Procedure

  1. On the top menu bar of the Dataphin home page, select Develop > Data Integration.

  2. On the top menu bar of the integration page, select a Project. If you are in Dev-Prod mode, you must also select an environment.

  3. In the left navigation pane, click Offline Integration. On the Offline Integration page, click the offline pipeline that you want to develop to open its configuration page.

  4. In the upper-right corner of the page, click Component Library to open the Component Library panel.

  5. In the navigation pane on the left of the Component Library panel, select Transform. Find the Encryption component in the list on the right and drag it to the canvas.

  6. Drag from the connector icon of the upstream input component to the encryption component to connect the two.

  7. Click the configuration icon on the encryption component to open the Field Encryption Configuration dialog box.

  8. In the Select Fields step of the Field Encryption Configuration dialog box, select the fields from the upstream component. If a field name includes a table name, the table name is also displayed.

  9. Click Next.

    Important
    • The selected fields are encrypted and passed to the downstream component. All other fields are passed through with their original values.

    • Because encryption consumes extra resources, encrypt only sensitive data.

    • After a field is encrypted, its data type is converted to String. When you use a decryption component, you must specify the Output Field Type.

  10. In the Encryption Configuration step, configure the encryption parameters.

    Different encryption algorithms require different configurations. Select an encryption algorithm and configure its parameters as needed. For more information about encryption algorithms, see Security algorithm examples.

    • AES, DES, 3DES, SM4, SM2, and RSA encryption algorithms.

      Parameter: Key

      Description: The key used for encryption. You can select any key that has been created for the selected encryption algorithm. For more information, see Register and manage keys.

      You can use keys for which you have permissions. If you do not have permissions, you must request them. For more information, see Request, renew, and return key permissions.

      Parameter: Advanced Configuration

      Description: Advanced configurations are supported for the AES, DES, 3DES, SM4, and RSA encryption algorithms. You can configure parameters such as the output encoding. In most cases, the default configurations are sufficient. The following figure shows the default configuration items:

      To exchange encrypted data between Dataphin and an external system, make sure that both sides use the same advanced configuration. Different encryption algorithms support different advanced configuration items, as follows:

      • Encryption Mode: Select a mode based on your business scenario. Different algorithms support different encryption modes. You can choose from ECB, CBC, CFB, CTR, and OFB. ECB does not have an initialization vector (IV) configuration. The encryption and decryption configurations must be the same.

      • Padding: You can select NoPadding, PKCS5Padding, or PKCS7Padding. The encryption and decryption configurations must be the same. Different encryption algorithms support different padding modes. The actual options on the page prevail.

      • Offset: The offset is the initialization vector (IV). Different IVs produce different ciphertexts for the same plaintext. The IV must be a 16-digit number, and the same IV must be used for encryption and decryption.

      • Encoding Format: Base64 and Hex are supported for output.

        For more information about the scope of advanced settings for encryption algorithms, see Masking security algorithm example.

      Note: If you select SM4 as the encryption algorithm and the output destination is AnalyticDB PostgreSQL, select the Output destination is AnalyticDB PostgreSQL option. Otherwise, the encrypted data cannot be directly decrypted in AnalyticDB for PostgreSQL.
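As an added illustration of why the advanced settings have to match on both sides (example code written for this page, not Dataphin's implementation), the following Go program encrypts a field with AES in CBC mode using PKCS5/PKCS7 padding, a 16-byte IV and Base64 or Hex output, and shows the decryption an external consumer must run with identical settings; the key, IV and sample plaintext used with it are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"errors"
)

// iv mirrors the "Offset" setting (16 bytes for AES), encoding the "Encoding Format"
// ("Base64" or "Hex"); padding is PKCS5/PKCS7, which coincide for AES's 16-byte block.
func Encrypt(key, iv []byte, encoding, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(iv) != aes.BlockSize {
		return "", errors.New("key must be 16, 24 or 32 bytes and IV 16 bytes")
	}
	p := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS7 pad length, 1..16
	in := append([]byte(plaintext), bytes.Repeat([]byte{byte(p)}, p)...)
	out := make([]byte, len(in))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	if encoding == "Hex" {
		return hex.EncodeToString(out), nil
	}
	return base64.StdEncoding.EncodeToString(out), nil
}

// Decrypt is the external consumer's side: a mismatched encoding, key, mode or padding
// fails below, while a mismatched IV silently corrupts the first block of plaintext.
func Decrypt(key, iv []byte, encoding, ciphertext string) (string, error) {
	decode := base64.StdEncoding.DecodeString
	if encoding == "Hex" {
		decode = hex.DecodeString
	}
	raw, derr := decode(ciphertext)
	block, err := aes.NewCipher(key)
	if derr != nil || err != nil || len(iv) != aes.BlockSize || len(raw) == 0 || len(raw)%aes.BlockSize != 0 {
		return "", errors.New("encoding, key, IV, or ciphertext length does not match the settings")
	}
	out := make([]byte, len(raw))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, raw)
	p := int(out[len(out)-1]) // PKCS7 padding check; a wrong key, mode or padding fails here
	if p == 0 || p > aes.BlockSize || !bytes.Equal(out[len(out)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return "", errors.New("bad padding: key, mode or padding setting differs")
	}
	return string(out[:len(out)-p]), nil
}
```

With a value longer than one block, a wrong IV does not raise an error but returns a corrupted first 16 bytes, so verify decrypted output against known data instead of relying on an error.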

    • Format-Preserving Encryption (FPE) (FF1) algorithm.

      Parameter: Encryption Range

      Description: When the encryption algorithm is FPE (FF1), you can configure the Encryption Range. Options include Specify Range and All.

      • Specify Range: Defines the start and end positions of the characters to be encrypted. The decryption configuration must be the same. Otherwise, the decrypted data may not match the original data. You can add a range using the slider or by direct input. You can add up to 10 ranges.

        Important

        Digits, English letters, Chinese characters, and symbols are each counted as 1 character. For example, the 3rd character in "test" is 's'.

        • Add with slider: You can add a range by clicking or sliding. After you drag the slider to define a range, click OK in the dialog box that appears to add the range. If the range to be encrypted exceeds 24 characters, add the range by direct input.

        • Add by direct input: Enter the Start Position, End Position, Range Length, and Encryption Dictionary in the input fields. For added ranges, you can View Encryption Dictionary, Edit Custom Encryption Dictionary, and Delete.

          • Start Position: The start position of the encryption range.

          • Range Length: Enter a positive integer >=1 or select a hyphen (-). A hyphen (-) indicates from the current start position to the end of the string.

          • End Position: The end position of the encryption range. Enter a positive integer >=1 or select End of String.

          • Encryption Dictionary: The dictionary used for the encryption range. The supported dictionaries are as follows:

            • System-provided: Includes Numbers, Uppercase English letters, Lowercase English letters, Numbers + Uppercase English letters, Numbers + Lowercase English letters, Numbers + English letters, and Special symbols.

            • Custom: In the Custom Encryption Dictionary dialog box, enter the encryption characters. Each encryption character must be a single character. Spaces are not supported. Duplicate characters are not supported; if you enter duplicate characters, the system automatically deduplicates them. You can enter up to 10,000 encryption characters. You can select the check boxes for space, line feed (\n), carriage return (\r), or tab character (\t) to use them as encryption characters. If you do not select any of these check boxes, a sequence such as \n is recognized as the two separate characters \ and n.

          • View Encryption Dictionary: For system-provided dictionaries. Click the view icon to view the encryption characters in the dictionary.

          • Edit Custom Encryption Dictionary: For custom dictionaries. Click the edit icon to edit the encryption characters in the dictionary.

          • Delete: Click the delete icon to delete the current range.

      • All: Encrypts all characters in the field.

      Parameter: Key

      Description: The key used for encryption. You can select any key that has been created for the selected encryption algorithm. For more information, see Register and manage keys.

      You can use keys for which you have permissions. If you do not have permissions, you must request them. For more information, see Request, renew, and return key permissions.

      Parameter: Compatibility Issues

      Description: If the plaintext does not meet the algorithm requirements, the keys do not match, or the encoding formats are inconsistent, the plaintext data is processed based on the selected policy. The supported policies are Return Null and Return Plaintext.
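The following Go example (added here, not Dataphin's code) shows how a Specify Range entry selects characters by 1-based character position rather than byte offset, and how the Return Null and Return Plaintext policies apply when the range contains characters outside its dictionary; Range, Segment and Validate are names chosen for this example, the field value used with it is constructed, and the FF1 cipher itself is not included.

```go
package main

import "fmt"

// Range mirrors one "Specify Range" entry. Start and End are 1-based and count
// characters, so a digit, a letter, a Chinese character and a symbol each take
// one position. End == 0 stands for "End of String" (the "-" range length).
type Range struct {
	Start, End int
	Dictionary string // characters the FF1 algorithm may see in this range
}

// Segment splits a field into the text before, inside and after the range and
// reports the Range Length implied by Start and End. Indexing is done on runes,
// not bytes, so multi-byte characters are counted the way the page describes.
func Segment(field string, r Range) (before, inside, after string, length int, err error) {
	chars := []rune(field)
	end := r.End
	if end == 0 {
		end = len(chars)
	}
	if r.Start < 1 || end < r.Start || end > len(chars) {
		return "", "", "", 0, fmt.Errorf("range %d-%d outside a %d-character field", r.Start, end, len(chars))
	}
	return string(chars[:r.Start-1]), string(chars[r.Start-1 : end]), string(chars[end:]), end - r.Start + 1, nil
}

// Validate checks that every character inside the range is in the dictionary,
// as FF1 requires, and otherwise applies the compatibility policy: "Return Null"
// gives an empty result, "Return Plaintext" gives the untouched field. ok == true
// means the inside segment is ready for FF1 over Dictionary (FF1 not shown here).
func Validate(field string, r Range, policy string) (result string, ok bool, err error) {
	_, inside, _, _, err := Segment(field, r)
	if err != nil {
		return "", false, err
	}
	dict := map[rune]bool{} // repeated characters collapse, as the custom-dictionary editor does
	for _, c := range r.Dictionary {
		dict[c] = true
	}
	for _, c := range inside {
		if !dict[c] {
			if policy == "Return Plaintext" {
				return field, false, nil
			}
			return "", false, nil
		}
	}
	return inside, true, nil
}
```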

  11. Click OK to complete the configuration.