# Configuring and using Structural data encryption

{% hint style="info" %}
**Required license:** Professional or Enterprise

Not available on Tonic Structural Cloud.

**Required global permission:** Configure Tonic Structural data encryption
{% endhint %}

## About Structural data encryption <a href="#data-encryption-about" id="data-encryption-about"></a>

A common use case for custom processing is encrypted source data. The data might need to be decrypted before a generator is applied, and encrypted before it is saved to the destination database.

Structural data encryption allows you to configure decryption and encryption to use during data generation. The data encryption process supports AES encryption, and allows you to use the CBC, ECB, or CFB cipher mode.

When Structural data encryption is enabled, the advanced options section of the configuration panel includes a toggle to use Structural data encryption for that column.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FlHkzDSBQX4NJcT4zhGCf%2FGeneratorConfigUseEncryption.png?alt=media&#x26;token=81bd6570-b055-4ec7-b1a7-0203c8ca9779" alt=""><figcaption><p>Generator configuration panel with<br>data encryption setting</p></figcaption></figure>

For columns that use both Structural data encryption and a custom value processor:

* Decryption occurs before a pre-processing custom value processor.
* Encryption occurs after a post-processing custom value processor.

You enable and configure the data encryption from the **Data Encryption** tab of **Structural Settings** view. To display **Structural Settings** view, in the Structural heading, click **Structural Settings**.

## Setting the encryption key environment settings <a href="#data-encryption-keys" id="data-encryption-keys"></a>

To use Structural data encryption, you must provide:

* A Base64-encoded decryption key
* A Base64-encoded encryption key

Both key values must use the same key size: 128, 192, or 256.

To provide the encryption and decryption keys for your instance, use the following [environment settings](https://docs.tonic.ai/app/admin/environment-variables-setting):

* `TONIC_DATA_DECRYPTION_KEY`
* `TONIC_DATA_ENCRYPTION_KEY`

You can set these values from the **Environment Settings** tab on **Structural Settings**.

By default, Structural uses these keys for all workspaces. You can override these keys in individual workspaces. You configure the decryption and encryption keys for a workspace in the [advanced override settings](https://docs.tonic.ai/app/workspace/managing-workspaces/workspace-configuration-settings/advanced-overrides).
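
A pre-flight check for the two key settings described above, as an added example that is not Tonic's own code: it generates Base64-encoded AES keys and confirms that both values decode to the same valid key size. The function names are hypothetical, and the sample keys are generated on the spot.

```python
import base64
import binascii
import secrets

# AES key lengths in bytes, mapped to the 128, 192 and 256 sizes listed above.
VALID_KEY_BYTES = {16: 128, 24: 192, 32: 256}


def generate_key(bits=256):
    """Return a random AES key of the given size, Base64-encoded."""
    if bits not in VALID_KEY_BYTES.values():
        raise ValueError("key size must be 128, 192 or 256")
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")


def key_bits(name, value):
    """Decode one Base64 setting and return its AES key size in bits."""
    try:
        # validate=True rejects characters outside the Base64 alphabet.
        raw = base64.b64decode(value.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"{name} is not valid Base64: {exc}") from None
    if len(raw) not in VALID_KEY_BYTES:
        raise ValueError(f"{name} decodes to {len(raw)} bytes, not 16, 24 or 32")
    return VALID_KEY_BYTES[len(raw)]


def check_key_pair(decryption_key, encryption_key):
    """Validate both settings and return the shared key size in bits."""
    dec = key_bits("TONIC_DATA_DECRYPTION_KEY", decryption_key)
    enc = key_bits("TONIC_DATA_ENCRYPTION_KEY", encryption_key)
    if dec != enc:
        raise ValueError(f"key sizes differ: decryption {dec}, encryption {enc}")
    return dec


if __name__ == "__main__":
    # Constructed sample values; real keys belong in a secret store, not a script.
    dec_key, enc_key = generate_key(256), generate_key(256)
    print("shared key size:", check_key_pair(dec_key, enc_key))
```

A 32-character hex string is also valid Base64 and decodes to 24 bytes, so a hex-encoded 128-bit key pasted into either setting passes this check as a 192-bit key. Confirm the encoding of a key at its source before you set it.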

## Enabling Structural data encryption <a href="#data-encryption-enable" id="data-encryption-enable"></a>

By default, Structural data encryption is disabled. To enable it, toggle **Enable Data Encryption** to the on position.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2F0EZUi5nVGTDcork5YkWe%2FDataEncryption.png?alt=media&#x26;token=fd12e5a8-ef33-4170-9f61-30cfd59eadea" alt=""><figcaption><p>Data Encryption tab on Structural Settings view</p></figcaption></figure>

## Choosing whether to decrypt, encrypt, or both <a href="#data-encryption-type" id="data-encryption-type"></a>

When you enable Structural data encryption, you choose whether to use decryption, encryption, or both.

You use decryption if the source data is encrypted and must be decrypted before the generators are applied.

You use encryption to encrypt the transformed data before it is saved to the destination database.

To use decryption only, select **Use Decryption**.

To use encryption only, select **Use Encryption**.

To both decrypt and encrypt data, select **Use Decryption and Encryption**.

## Viewing the AES encryption key size <a href="#data-encryption-key-size" id="data-encryption-key-size"></a>

Structural only supports AES encryption. The **AES Encryption** setting shows the current key size.

The key size is based on the values that you provided for the decryption and encryption key environment settings.

## Selecting the cipher mode <a href="#data-encryption-cipher-mode" id="data-encryption-cipher-mode"></a>

From the **Cipher Mode** dropdown list, select the cipher mode to use for Structural data encryption. The available cipher modes are:

* CBC
* ECB
* CFB

## Configuring the initialization vector <a href="#data-encryption-initialization-vector" id="data-encryption-initialization-vector"></a>

Before it decrypts or encrypts data, Structural applies an initialization vector.

By default, Structural generates a random initialization vector, and **Use custom Initialization Vector (IV)** is in the off position.

To provide custom initialization vectors for Structural to use:

1. Toggle **Use custom Initialization Vector (IV)** to the on position.
2. If the Structural data encryption configuration includes encryption, then in the **Encryption IV** field, enter the static initialization vector to use to encrypt data.
3. If the Structural data encryption configuration includes decryption, then in the **Decryption IV** field, enter the static initialization vector to use to decrypt data.

## Providing a prepend value for encryption <a href="#data-encryption-prepend-value" id="data-encryption-prepend-value"></a>

After it encrypts the destination data, but before it stores it, Structural can prepend a string to the encrypted data.

To configure Structural data encryption to prepend a string:

1. Toggle **Prepend value to encrypted data** to the on position.
2. In the **Custom Value** field, enter the string to prepend.

## Testing the data encryption <a href="#data-encryption-testing" id="data-encryption-testing"></a>

After you complete the configuration, the **Preview Results** panel allows you to test the decryption and encryption.

If the configuration is incomplete, you cannot run the test.

### Testing decryption only <a href="#data-encryption-test-decryption" id="data-encryption-test-decryption"></a>

If the configuration is for decryption only:

1. In the **Ciphertext** field, enter an encrypted text string.
2. Click **Run Test**.
3. Verify that the text in the **Plaintext Result** field is correct.

### Testing encryption only <a href="#data-encryption-test-encryption" id="data-encryption-test-encryption"></a>

If the configuration is for encryption only:

1. In the **Plaintext** field, enter an unencrypted text string.
2. Click **Run Test**.
3. Verify that the text in the **Ciphertext Result** field is correct.

### Testing both decryption and encryption <a href="#data-encryption-test-both" id="data-encryption-test-both"></a>

If the configuration is for both decryption and encryption, then you provide an encrypted string. The test decrypts the string into plain text, then re-encrypts that string.

1. In the **Ciphertext** field, enter an encrypted text string.
2. Click **Run Test**.
3. Verify that the text in the **Plaintext Result** field and the **Ciphertext Result** field is correct.

## Saving or reverting the Structural data encryption configuration <a href="#data-encryption-save-revert" id="data-encryption-save-revert"></a>

To save the configuration, click **Save**.

To revert any changes since you most recently saved the configuration, click **Revert**.
