Configuring and using Tonic data encryption
Tonic data encryption requires a Professional or Enterprise license. It is not available on Tonic Cloud.
A common use case for custom processing is encrypted source data. The data might need to be decrypted before a generator is applied, and encrypted before it is saved to the destination database.
Tonic data encryption allows you to configure decryption and encryption to use during data generation. The data encryption process supports AES encryption, and allows you to use either the CBC, ECB, or CFB cipher modes.
When Tonic data encryption is enabled, the configuration panel for each column includes a toggle to use Tonic data encryption for that column.

Generator configuration panel with
data encryption setting
For columns that use both Tonic data encryption and a custom value processor:
- Decryption occurs before a pre-processing custom value processor.
- Encryption occurs after a post-processing custom value processor.
An admin user enables and configures the data encryption from the Data Encryption tab of the Admin Panel. To display the Admin Panel, in the Tonic heading, click Admin.
To use Tonic data encryption, you must provide:
- A Base64-encoded decryption key as the value of the
TONIC_DATA_DECRYPTION_KEY
environment variable. - A Base64-encoded encryption key as the value of the
TONIC_DATA_ENCRYPTION_KEY
environment variable.
Both key values must use the same key size - either 128, 192, or 256.
Tonic validates whether the values are set correctly. The Data Encryption tab indicates whether the keys are set correctly.
By default, Tonic data encryption is disabled. To enable it, toggle Enable Data Encryption to the on position.

Data Encryption tab on the Admin Panel
When you enable Tonic data encryption, you choose whether to use decryption, encryption, or both.
You use decryption if the source data is encrypted and must be decrypted before the generators are applied.
You use encryption to encrypt the transformed data before saving it to the destination database.
To use decryption only, select Use Decryption.
To use encryption only, select Use Encryption.
To both decrypt and encrypt data, select Use Decryption and Encryption.
Tonic only supports AES encryption. The AES Encryption setting shows the current key size.
The key size is based on the values you provided for the decryption and encryption key environment variables.
From the Cipher Mode dropdown list, select the cipher mode to use for Tonic data encryption. The available cipher modes are:
- CBC
- ECB
- CFB
Before it decrypts or encrypts data, Tonic applies an initialization vector. Under Initialization Vector (IV):
- To have Tonic generate a random initialization vector, select Randomly Generated.
- To provide a static initialization vector for Tonic to use:
- 1.Select Custom Provided Static IV.
- 2.In the Static IV field, enter the static initialization vector.
After it encrypts the destination data, but before it stores it, Tonic can prepend a string to the encrypted data.
To configure Tonic data encryption to prepend a string:
- 1.Toggle Prepend value to encrypted data to the on position.
- 2.In the Custom Value field, enter the string to prepend.
After you complete the configuration, the Preview Results panel allows you to test the decryption and encryption.
If the configuration is incomplete, you cannot run the test.
If the configuration is for decryption only:
- 1.In the Ciphertext field, enter an encrypted text string.
- 2.Click Run Test.
- 3.Verify that the text in the Plaintext Result field is correct.
If the configuration is for encryption only:
- 1.In the Plaintext field, enter an unencrypted text string.
- 2.Click Run Test.
- 3.Verify that the text in the Ciphertext Result field is correct.
If the configuration is for both decryption and encryption, then you provide an encrypted string. The test decrypts the string into plain text, then re-encrypts that string.
- 1.In the Ciphertext field, enter an encrypted text string.
- 2.Click Run Test.
- 3.Verify that the text in the Plaintext Result field and the Ciphertext Result field is correct.
To save the configuration, click Save.
To revert any changes since you last saved the configuration, click Revert.
Last modified 22h ago