Skip to main content Skip to complementary content

tDataEncrypt

Protects data by transforming it into unreadable cipher text.

Information noteImportant: The minimum required Java version for this component is Java 8u161.
Encrypting the cipher text and reading the original data require either:
  • A user-defined password and a cryptographic file.
  • A 256-bit secret key encoded with base64.
    You can get the 256-bit key using:
    • Online tools
    • OpenSSL: openssl rand -base64 32
To decrypt the data, you will need the secret key or the password with the cryptographic file.

In local mode, Apache Spark 2.4.0 and later versions are supported.

This component is not shipped with your Talend Studio by default. You need to install it using the Feature Manager. For more information, see Installing features using the Feature Manager.

Why encrypting data?

Encryption is used to protect your assets, your organization, or customers' sensitive data. Encryption can protect data from internal or external leakage.

In big data environments, large volumes of data from many sources are collected, manipulated, and stored in various formats. Encryption helps reduce the risk of sensitive data exposure.

Encryption is also recommended or required for compliance with data protection laws.

Considerations for data encryption

  • Define the type of the data to be protected: data in transit or data at rest.
  • Identify the scope of the data to be protected: purpose, ownership, access, etc.
  • Provide strong passwords for the cryptographic file.
  • Do not reuse passwords for different data encryption operations.
  • Store passwords in a secure password management system.
  • Store the secret key in a secure system.
  • Make sure only authorized users get access to the password and the cryptographic file necessary to decrypt back data.
  • Strong encryption methods generally increase required resources.
  • Separate the cryptographic file from the encrypted data to keep your data secure.
  • It is advised to use different cryptographic files to encrypt different datasets.
  • Data encryption is not a complete security approach. Combining different security layers help address concerns about sensitive data. Security layers include vulnerability assessment and management or anti-malware solutions.

Data encryption methods

The tDataEncrypt component encrypts data using the AES-GCM and Blowfish encryption methods:
AES-256 Blowfish
GCM mode of operation CBC mode of operation
Uses a randomly generated 256-bit key Uses a randomly generated 256-bit key
Integrity check No integrity check
Faster on modern CPUs Computationally faster
Patented Unpatented
Standardized by the National Institute of Standards and Technology (NIST) -
Used by SSL/TLS -

The data encryption process

When you use a cryptographic file, the data encryption process includes the following steps:
  1. Generating the cryptographic file. It contains:
    • A randomly generated salt used to derive a cryptographic key from the user-defined password using the PBKDF2 key derivation function.
    • A randomly generated 256-bit key encrypted with AES and the user-defined password.
    • The encryption method encrypted with AES and the user-defined password.
  2. Accessing the encrypted data from the cryptographic file by:
    1. Using the randomly generated salt to derive the cryptographic key from the user-defined password.
    2. Using the cryptographic key and the AES method to decrypt the randomly generated 256-bit key and the encryption method.

    During the decryption, if the password is correct, the component can access the encryption method and the randomly generated 256-bit key. Otherwise, the access is denied.

  3. Encrypting the data using:
    • The randomly generated 256-bit key from the cryptographic file
    • The encryption method
    • A random initialization vector (IV) generated for each data

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – please let us know!