
Dataphin: Configure the encryption transform widget

Last Updated: Jul 11, 2025

To protect sensitive data, you can encrypt specific fields in the upstream input data using a chosen encryption algorithm and key. This topic guides you through the configuration of the encryption transform widget.

Prerequisites

You must have created an offline single pipeline. For more information, see Create an Integration Task through a Single Pipeline.

Procedure

  1. On the Dataphin home page, navigate to the top menu bar and select Development > Data Integration.

  2. In the top menu bar of the integration page, select Project (in Dev-Prod mode, you must also select an environment).

  3. In the left-side navigation pane, click Batch Pipeline. Then, in the Batch Pipeline list, click the offline pipeline you want to develop to access its configuration page.

  4. Click Component Library in the upper right corner to open the Component Library panel.

  5. In the Component Library panel's left-side navigation pane, select Transform. Locate the Encryption component in the list on the right and drag it onto the canvas.

  6. Connect the target input component to the encryption component by clicking and dragging the icon.

  7. To configure field encryption, click the icon on the encryption component card to open the Field Encryption Configuration dialog box.

  8. In the Select Field step of the Field Encryption Configuration dialog box, select fields from those synchronized by the upstream component. If the field name contains a table name, both will be displayed.

  9. Click Next.

    Important
    • The selected fields will be encrypted and sent downstream, while other fields will retain their initial values and be transmitted as is.

    • Due to the additional resource consumption, it is advisable to encrypt only sensitive data.

    • Once encrypted, the data types of the fields will change to String type. Specify the Output Field Type when using a decryption component.

  10. In the Encryption Configuration step, set the encryption parameters.

    Different encryption algorithms require specific configurations. Select the appropriate encryption algorithm for your needs and configure accordingly. For more information, see Description of Encryption and Decryption Algorithms.

    • Available encryption algorithms include AES, DES, 3DES, SM4, SM2, and RSA.

      Parameter: Key

      Description: The key used for encryption. Select it from the keys previously created under the chosen encryption algorithm. For more information, see Key Management.

      Keys that you already have permission for can be used immediately; for other keys, you must first request access. For additional details, see Request, Renew, and Return Key Permissions.

      Parameter: Advanced Configuration

      Description: Advanced configuration is available for encryption algorithms such as AES, DES, 3DES, SM4, and RSA. It typically involves setting the data output encoding and other parameters.

      When exchanging data with external systems, ensure that the advanced configuration settings are consistent. Supported configuration options vary by encryption algorithm, as detailed below:

      • Encryption Mode: Choose based on your specific business needs. Each algorithm supports various modes, including ECB, CBC, CFB, CTR, and OFB. Note that ECB mode does not require an offset (IV) configuration, and encryption/decryption settings must match.

      • Padding: Three padding methods are supported: NoPadding, PKCS5Padding, and PKCS7Padding. Ensure that the padding mode is consistent for both encryption and decryption. The padding mode varies with the encryption algorithm; refer to the actual configuration page for specifics.

      • Offset: Also known as IV, the offset must be a 16-digit number. Different IVs produce different encrypted strings, and the same IV must be used for both encryption and decryption.

      • Encoding Format: Two encoding formats are supported: Base64 and Hex.

        For a comprehensive guide on the advanced settings available for each encryption algorithm, see Advanced Settings Range for Encryption and Decryption Algorithms.

      Specifically, when using the SM4 encryption algorithm with AnalyticDB PostgreSQL as the output target, it is advisable to select the Output Target Is AnalyticDB PostgreSQL configuration item to ensure that the encrypted data can be decrypted directly in AnalyticDB for PostgreSQL.

    • FPE Format-Preserving Encryption (FF1) Algorithm.

      Parameter: Encryption Range

      Description: When using the FPE Format-Preserving Encryption (FF1) encryption algorithm, you can configure the Encryption Range, which includes options for Specified Range and All.

      • Specified Range: This defines the start and end positions for character encryption and must align with the decryption settings to ensure consistency with the original data. You can add up to 10 groups of ranges using either sliding or direct input methods.

        Important

        Each digit, English letter, Chinese character, and symbol is counted as 1 position. For instance, in "test", the 4th position is "t".

        • Sliding Addition: Add intervals by either clicking or sliding the interval bar horizontally, then confirm by clicking OK in the dialog box. Use the direct input method for encrypting more than 24 characters.

        • Direct Input Method: Input the Start Position, End Position, Interval Length, and Encryption Dictionary into the designated fields. This method allows you to View Encryption Dictionary, Edit Custom Encryption Dictionary, and Delete existing intervals.

          • Start Position: The initial position for the encryption interval.

          • Interval Length: Accepts only positive integers (>= 1). You can also select a hyphen (-) to indicate a range from the current start position to the end position.

          • End Position: The final position for the encryption interval. Accepts a positive integer (>= 1) or the End Position option.

          • Encryption Dictionary: Choose from the following encryption dictionaries:

            • System Built-in: Features categories such as Numbers, Uppercase English Letters, Lowercase English Letters, combinations like Numbers + Uppercase English Letters, Numbers + Lowercase English Letters, Numbers + English Letters, and Special Symbols.

            • Custom: In the Custom Encryption Dictionary dialog box, enter the encryption characters. Each encryption character must be a single character. Spaces are not supported, and duplicates are not allowed (the system automatically removes duplicate characters). You can enter up to 10,000 encryption characters. You can select spaces, line feeds (\n), carriage returns (\r), or tab characters (\t) as encryption characters. If none of these are selected and you type a sequence such as \n directly, the system treats it as two separate characters, \ and n.

          • View Encryption Dictionary: To examine the characters in a System Built-in encryption dictionary, click the view icon for that dictionary.

          • Edit Custom Encryption Dictionary: To modify a Custom encryption dictionary, click the edit icon and edit the dictionary's encryption characters.

          • Delete: Remove an interval by clicking the delete icon.

      • All: Encrypts every character within the field.

      Parameter: Key

      Description: The key used for encryption. Select it from the keys that have been created under the chosen encryption algorithm. For more information, see Key Management.

      Keys that you have permission to use can be used immediately; for keys that you lack permission for, you must submit a permission request. For more information, see Request, Renew, and Return Key Permissions.

      Parameter: Abnormal Compatibility

      Description: If the plaintext does not comply with the encryption algorithm standards, the encryption and decryption keys do not match, or the encoding formats are inconsistent, the system processes the plaintext according to the chosen policy. The options are Return Empty Value and Return Plaintext.

  11. To finish the field encryption configuration, click OK.
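The following is an added example, not Dataphin code: Node.js playing the external system that decrypts an AES field, to show what the Advanced Configuration settings in step 10 do when the offset or encoding format differs from the sender's, and how ECB output repeats for repeated plaintext blocks. The key, offset and field values are constructed, and reading the 16-digit offset as 16 UTF-8 bytes is an assumption.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed sample values: not real secrets and not taken from Dataphin.
const KEY = Buffer.from('0123456789abcdef', 'utf8'); // 16-byte AES-128 key
const SENDER = { mode: 'cbc', iv: '1234567890123456', encoding: 'base64' };

// ECB takes no offset (IV); the other modes use the 16-digit offset (assumed UTF-8 bytes).
const ivFor = (s) => (s.mode === 'ecb' ? null : Buffer.from(s.iv, 'utf8'));

function encryptField(plain, s) {
  const c = nodeCrypto.createCipheriv(`aes-128-${s.mode}`, KEY, ivFor(s));
  // Node applies PKCS#7 padding by default (named PKCS5Padding in Java for AES).
  return Buffer.concat([c.update(plain, 'utf8'), c.final()]).toString(s.encoding);
}

function decryptField(text, s) {
  const d = nodeCrypto.createDecipheriv(`aes-128-${s.mode}`, KEY, ivFor(s));
  const raw = Buffer.from(text, s.encoding);
  return Buffer.concat([d.update(raw), d.final()]).toString('utf8');
}

// Decrypt with the receiver's settings; report an error instead of throwing.
function receive(text, s) {
  try {
    return { ok: true, value: decryptField(text, s) };
  } catch (e) {
    return { ok: false, value: e.message };
  }
}

// Count 16-byte ciphertext blocks that occur more than once in one value.
function repeatedBlocks(text, encoding) {
  const raw = Buffer.from(text, encoding);
  const seen = new Set();
  let repeats = 0;
  for (let i = 0; i < raw.length; i += 16) {
    const block = raw.subarray(i, i + 16).toString('hex');
    if (seen.has(block)) repeats += 1;
    else seen.add(block);
  }
  return repeats;
}

const phone = '13800138000'; // constructed field value
const sent = encryptField(phone, SENDER);
console.log(receive(sent, SENDER));                                // settings match
console.log(receive(sent, { ...SENDER, iv: '0234567890123456' })); // offset differs
console.log(receive(encryptField(phone, { ...SENDER, encoding: 'hex' }), SENDER)); // encoding differs
console.log(repeatedBlocks(encryptField('0'.repeat(32), { ...SENDER, mode: 'ecb' }), 'base64'));
```

A wrong offset in CBC alters only the first block and raises no error (the value comes back as `03800138000`), so validate an exchange with a known test value end to end rather than relying on decryption failures.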
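The following is an added example, not part of Dataphin: a preflight check that applies the FPE Specified Range rules from step 10 (1-based positions, one position per character, one encryption dictionary per range) to sample values and separates out the rows likely to fall to the Abnormal Compatibility policy. The dictionary contents, the names `checkRange` and `auditRows`, and the conditions treated as non-compliant are assumptions; the page does not state how Dataphin handles short values or out-of-dictionary characters.

```javascript
// Dictionary names follow the dialog; their exact character sets are assumed here.
const DICTIONARIES = {
  'Numbers': '0123456789',
  'Uppercase English Letters': 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  'Lowercase English Letters': 'abcdefghijklmnopqrstuvwxyz',
};

// One position per code point: digit, letter, Chinese character or symbol.
const toPositions = (value) => Array.from(value);

// range: { start, end, dictionary } with 1-based inclusive positions;
// end === null stands for the "End Position" option (through the last character).
// A dictionary that is not a built-in name is read as a custom character list.
function checkRange(value, range) {
  const chars = toPositions(value);
  const end = range.end === null ? chars.length : range.end;
  const allowed = new Set(Array.from(DICTIONARIES[range.dictionary] || range.dictionary));
  if (!Number.isInteger(range.start) || range.start < 1 || end < range.start) {
    return { selected: '', problems: ['invalid range'] };
  }
  const problems = [];
  if (end > chars.length) problems.push('value shorter than range');
  const selected = chars.slice(range.start - 1, end);
  selected.forEach((ch, i) => {
    if (!allowed.has(ch)) problems.push(`position ${range.start + i} not in dictionary`);
  });
  return { selected: selected.join(''), problems };
}

// Split sample rows into those every range accepts and those that would
// fall to the Abnormal Compatibility policy (assumed trigger conditions).
function auditRows(rows, ranges) {
  if (ranges.length > 10) throw new Error('at most 10 range groups');
  const report = { compliant: [], nonCompliant: [] };
  for (const row of rows) {
    const problems = ranges.flatMap((r) => checkRange(row, r).problems);
    (problems.length ? report.nonCompliant : report.compliant).push(row);
  }
  return report;
}

// Constructed sample: positions 4-7 of a phone number, Numbers dictionary.
const SAMPLE_RANGES = [{ start: 4, end: 7, dictionary: 'Numbers' }];
console.log(checkRange('13800138000', SAMPLE_RANGES[0]));
console.log(auditRows(['13800138000', '138-0013', '138'], SAMPLE_RANGES));
```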