• About Us

  • Blog
  • Contact
Blog Encryption Protect Your Data With Format Preserving Encryption


July 12 2023


Table of Contents

Protect Your Data With Format Preserving Encryption

Encryption of information has become part of our modern digital life. However, when using classical cryptography, there is a problem with data recording. In this article, we looked at innovative approaches that are often found in protecting information without violating its structure and format.

What Is Format Preserving Encryption (FPE)?

Format-preserving encryption is a method that allows you to securely encrypt data while preserving its original structure and format. Traditional encryption algorithms convert data into an unreadable form, which can make it difficult to further process and use it especially with legacy applications.

However, with the advent of new technologies and the development of specialized encryption algorithms, it has become possible to ensure the deterministic security of data without violating their format. This is important in many areas, including the field of communications, information storage and data processing when implementing retrofitting security.

Format-preserving encryption methods are usually based on a combination of data compression algorithms and cryptographic transformations. They allow you to protect information by converting it into a special ciphertext that remains readable only by authorized users or when using a special key.

This approach to format-preserving encryption provides usability and processing advantages without making significant changes to the structure of the data. This makes it especially useful in cases where it is necessary to ensure the security of information without violating its original format and functionality, for example to secure legacyapplications.

FPE on the Cloud

With the development of cloud technologies, more and more organizations and users are turning to cloud storage for convenient and flexible storage of their data. However, the security and privacy of information remains a priority when using cloud services. Format-preserving encryption in the cloud becomes the solution to these problems.

Cloud Format Preserving Encryption provides the ability to encrypt data before sending it to cloud storage while preserving its original format. This allows you to ensure the confidentiality of information, even if it is stored in an insecure cloud or transmitted over untrusted communication channels.

One approach to format-preserving encryption in the cloud is to use client-side encryption. The user’s FPE encryptsthe data on his device before sending it to the cloud, and only he has access to the decryption. This provides reliable data protection, even if the cloud provider is under attack or unauthorized access.

This cloud-preserving encryption approach combines the convenience of cloud services with the strength of encryption, ensuring that information is stored and transmitted securely in the cloud. This is especially important for organizations that process sensitive data and strive to comply with appropriate security standards.

Benefits of FPE

Format-preserving encryption is an innovative approach to data protection that offers a number of significant benefits. Here are some of the main benefits that this approach provides:

Preserve data structure: Format-preserving encryption preserves the original structure and format of the plaintext, making it convenient and easy to use. Users can continue to work with data without wasting time decrypting it or restoring its original format.

Security and privacy: Format-preserving encryption provides a high level of data security and privacy. Even in the event of unauthorized access or information leakage, it will be difficult for attackers to gain access to readable data without the appropriate key or authorization.

Flexibility and compatibility: Format-preserving encryption is usually based on standard algorithms and protocols, which ensures compatibility with various platforms and applications. This allows you to effectively use secure data in various environments and interact with other systems.

Security Compliance: Format-preserving encryption enables organizations and users to comply with legal or industry-standard data security requirements. This is important to protect sensitive information, including personal customer data and trade secrets.

Format-preserving encryption combines the benefits of protecting data and preserving its original format, providing security, usability, and interoperability across systems and platforms.

Example FPE Use Cases

Format-preserving encryption is widely used in many areas where data security and structure preservation play an important role. Here are some examples of using this approach:

Protecting sensitive corporate information: Companies can use format-preserving encryption to protect sensitive data such as financial statements, client lists, internal documents, and other sensitive information. This allows you to maintain the confidentiality of information without violating its availability to authorized employees.

Secure Cloud Storage: Cloud users can take advantage of format-preserving encryption to protect their data while it is in transit and stored in the cloud. This approach guarantees confidentiality and protection from unauthorized access, while maintaining the convenience of working with data through cloud applications and services.

Secure network transmission: Format-preserving encryption can be used to protect data as it travels over a network, especially when the format of the data is an important aspect of its use. Examples would be the transmission of medical records, financial transactions or other sensitive data where format retention is an integral part of their subsequent processing and analysis.

FPE Vendors and NIST Modes

Many vendors offer FPE in their products and services, including Entrust, Thales, HashiCorp, Futurex and others. Their FPE implementations are based on the NIST published Special Publication 800-38G, DRAFT Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption. Three methods are specified in this publication: FF1, FF2, and FF3. Each is a format-preserving, Feistel-based mode of operation of the Advanced Encryption Standard AES block cipher.  Details of these, as well as patent and test kit information, can be found on the NIST Block Cipher Modes Development website.

  1. FF1 is FFX “Format-preserving Feistel-based Encryption Mode”. It was presented at NIST by Mihir Ballar of UC San Diego, Philip Rogaway of UC Davis, and Terence Spice of Voltage Security Inc. The test kit is provided and parts of it are patented.
  2. FF2 is a VAES3 schema for FFX: An addendum to “The FFX Mode of Operation for Preserving Encryption.” It was presented at NIST by Joachim Vance of VeriFone Systems Inc. A test suite is not provided, unlike FF1, and parts of it are patented.
  3. FF3 is a BPS named after its authors. It was presented at NIST by Eric Braer, Thomas Pyrin, and Jacques Stern of Ingenico, France. The test kit is not provided or patented.

FPE vs. Tokenization

Format-preserving encryption and tokenization are two different approaches to data protection that have their own characteristics and advantages. However, both complement each other and can be used in a mixed approach called Format-Preserving Tokenization.

For example, if the system is dealing with strictly formatted 16-digit numbers like a credit card number, FPE preserves the length of 16 digits and character set (numeric) of an input for legacy system support. However, if strict formatting isn’t required like in the Card Holder’s Name column, then tokenization is preferred because it is a stronger authentication method.  

Here are a few key differences between FPE and Tokenization:

  1. Purpose: Format-preserving encryption focuses on protecting data by encrypting it while preserving its original format. Tokenization, on the other hand, replaces the original data with unique identifiers (tokens), which provides anonymity and prevents their direct identification.
  2. Ease of use: Format-preserving encryption preserves the original structure and format of the data, making it convenient and easy to work with. While tokenization replaces data with tokens, which can complicate the processing and use of data without additional steps to decrypt it.
  3. Level of security: Both approaches provide data security, but with different levels of privacy. Format-preserving encryption keeps data private by requiring a key to decrypt it. While tokenization ensures the anonymity of the data, not allowing them to be directly identified, even with access to tokens.
  4. Application: Format-preserving encryption is widely used in the field of data storage and transmission, where it is important to preserve their original format for further processing. Tokenization is often used in the processing of personal data, where anonymization of data is required to comply with regulatory requirements.

What Is Happening With the FPE Methods?

As technology advances and data security requirements increase, modern format-preserving encryption techniques have become more powerful and efficient. Here are a few current NIST standards related to this area:

NIST SP 800-38F: This standard defines a hybrid encryption mode that preserves the format of data when it is encrypted. It is recommended to protect sensitive data by preserving its original format and ensuring strong encryption.

NIST SP 800-38G: This standard provides a format-preserving encryption technique specifically designed to protect data in transparent encryption mode. It defines algorithms and protocols that allow the original data structure to be preserved when encrypted and decrypted.

NIST SP 800-38H: This standard describes an authenticated format-preserving encryption mode. It proposes a technique that ensures not only the confidentiality of data, but also the integrity of its format, which allows you to trust the data when it is encrypted and transmitted.

State-of-the-art NIST standards for format-preserving encryption techniques ensure data is reliable, secure, and interoperable. They are the basis for the development and implementation of encryption solutions that preserve the original data format while protecting it and ensure compliance with security requirements.

Risks and Implications for Organizations

Format-preserving encryption can be more computationally intensive than conventional encryption. Processing data in its original format requires additional computing resources, which can lead to an increase in time and costs for encryption and decryption operations.

Preserving the data format during encryption can introduce additional difficulties in ensuring their security. Incorrectly implemented or vulnerable data formats can become the target of attacks that threaten the confidentiality and integrity of information.

Format-preserving encryption requires appropriate support and integration into existing systems and applications. This can lead to difficulties when implementing new solutions and interacting with different platforms and devices.

Encryption key management is an important aspect of data security. Format-preserving encryption introduces additional complexities in key management to ensure data access and security.

Next Steps for Organizations Currently Using Format-Preserving Technologies

One important aspect is conducting regular security audits to evaluate the effectiveness of the format-preserving technologies in place. These audits should encompass a thorough review of FPE algorithms, key management practices, and overall security controls to identify any potential vulnerabilities or areas for improvement.

Staying up-to-date with the latest standards and best practices in format-preserving encryption is crucial. It is essential to remain informed about updates from reputable organizations such as NIST and industry forums to ensure that encryption methods align with the most current guidelines and recommendations.

Another important consideration is the classification of data based on sensitivity. By categorizing data and establishing appropriate encryption policies, organizations can tailor their encryption approaches to meet the regulatory and compliance requirements specific to each data category.

Investing in employee training and education about format-preserving encryption is vital. Ensuring that employees have a solid understanding of encryption protocols, key management practices, and the significance of safeguarding sensitive data can significantly contribute to a robust security posture.


In conclusion, format-preserving encryption provides organizations with a valuable approach to protect sensitive data while maintaining its original format. By implementing regular security audits, staying updated on standards, classifying data, providing employee training, and developing a robust incident response plan, organizations can enhance their security posture and mitigate potential risks. Helenix has wide expertise in secure programming and develops cryptographic solutions for a variety of business needs. You can learn more about us in the Custom Development section.


Format preserving encryption is designed to provide security for sensitive data while preserving its original format. When implemented correctly and combined with strong key management practices, format preserving encryption can be considered safe.

The main difference lies in the preservation of the original format. While encryption transforms data into an unreadable format, format preserving encryption ensures that the encrypted data retains the same format, allowing for seamless integration and processing.

An example of format preserving encryption is the FFX mode of encryption, which allows for the encryption of data while maintaining its original format. It is commonly used in scenarios where preserving the format of data is essential, such as credit card or social security number encryption.