Datetime (YYYY-MM-DD HH:MM:SS)

Details about the Datetime (YYYY-MM-DD HH:MM:SS) token type.

The Datetime token type was introduced in response to requirements to allow specific date parts to remain in the clear and for date tokens to be distinguishable from real dates. The Datetime token type allows time to be tokenized (HH:MM:SS) in fractions of a second, including milliseconds (MMM), microseconds (mmmmmm), and nanoseconds (nnnnnnnnn).

Table: Datetime Tokenization Type properties


Tokenization Type Properties

Settings

Name

Datetime

Token type and Format

Datetime in the following formats:

YYYY-MM-DD HH:MM:SS.MMM

YYYY-MM-DDTHH:MM:SS.MMM

YYYY-MM-DD HH:MM:SS.mmmmmm

YYYY-MM-DDTHH:MM:SS.mmmmmm

YYYY-MM-DD HH:MM:SS.nnnnnnnnn

YYYY-MM-DDTHH:MM:SS.nnnnnnnnn

YYYY-MM-DD HH:MM:SS

YYYY-MM-DDTHH:MM:SS

YYYY-MM-DD

Input separators "delimiter" between date, month and year

dot ".", slash "/", or dash "-"

Input separators "delimiter" between hours, minutes and seconds

colon ":" only

Input separator "delimiter" between date and hour

space " " or letter "T"

Input separator "delimiter" between seconds and milliseconds

For DATE datatype dot "."

For CHAR, VARCHAR, and STRING datatypes dot "." and comma ","

Tokenizer

Length Preservation

Minimum Length

Maximum Length

SLT_DATETIME

Yes

10

29

Possibility to set Minimum/ maximum length

No

Left/Right settings

No

Internal IV

No

External IV

No

Return of Protected value

Yes

Token specific properties

Tokenize time

Yes/No

Distinguishable date

Yes/No

Date in clear

Month/Year/None

Supported range of input dates

From "0600-01-01" to "3337-11-27"

Non-supported range of Gregorian cutover dates

From "1582-10-05" to "1582-10-14"

The Tokenize Time property defines whether the time part (HH:MM:SS) will be tokenized. If Tokenize Time is set to “No”, the time part will be treated as a delimiter. It will be added to the date after tokenization.

The Distinguishable Date property defines whether the tokenized values will be outside of the normal date range.

If the Distinguishable Date option is enabled, then all tokenized dates will be in the range from year 5596-09-06 to 8334-08-03. The tokenized value will become recognizable. As an example, tokenizing “2012-04-25” can result in “6457-07-12”, which is distinguishable.

If the Distinguishable Date option is disabled, then the tokenized dates will be in the range from year 0600-01-01 to 3337-11-27. As an example, tokenizing “2012-04-25” will result in “1856-12-03”, which is non-distinguishable.

The Date in Clear property defines whether Month or Year will be left in the clear in the tokenized value.

Note: You cannot use enabled Distinguishable Date and select month or year to be left in the clear at the same time.

The following points are applicable when you tokenize the Dates with Year as 3337 by setting the Year part to be in clear:

  • The tokenized Date value can be outside of the accepted Date range.
  • The tokenized Date value can be de-tokenized to obtain the original Date value.

For example, if the Date 3337-11-27 is tokenized by setting the Year part 3337 in clear, then the resultant tokenized value 3337-12-15 is outside of the accepted Date range. The detokenization of this tokenized value returns the original Date 3337-11-27.

The following table shows examples of the way in which a value will be tokenized with the Datetime token.

Table: Examples of Tokenization for DateTime Values

Input ValuesTokenized ValuesComments
2009.04.12 12:23:34.3331595.06.19 14:31:51.333YYYY-MM-DD HH:MM:SS.MMM. The milliseconds value is left in the clear.
2009.04.12 12:23:34.3336661595.06.19 14:31:51.333666YYYY-MM-DD HH:MM:SS.mmmmmm. The microseconds value is left in the clear.
2009.04.12 12:23:34.3336669991595.06.19 14:31:51.333666999YYYY-MM-DD HH:MM:SS.nnnnnnnnn. The nanoseconds value is left in the clear.
2009.04.12 12:23:341595.06.19 14:31:51YYYY-MM-DD HH:MM:SS with space separator between day and hour.
2234.10.12T12:23:232755.08.04T22:33:43YYYY-MM-DDTHH:MM:SS with T separator between day and hour values.
2009.04.12 12:23:34.3335150.05.14T17:49:34.333Datetime with distinguishable date property enabled and the year value is outside the normal date range.
2234.12.22 22:53:342755.03.15 19:03:21Datetime token in any format with distinguishable date property enabled and the year value is within the normal date range in the tokenized output.
2009.04.12 12:23:34.3331595.04.19 14:31:51.333Datetime token with month in the clear.
2009.04.12 12:23:34.3332009.06.19 14:31:51.333Datetime token with year in the clear.

Datetime Tokenization for Cutover Dates of the Proleptic Gregorian Calendar
The data systems, such as, Oracle or Java-based systems, do not accept the cutover dates of the Proleptic Gregorian Calendar. The cutover dates of the Proleptic Gregorian Calendar fall in the interval 1582-10-05 to 1582-10-14. These dates are converted to 1582-10-15. When using Oracle, conversion occurs by adding ten days to the source date. Due to this conversion, data loss occurs as the system is not capable to return the actual date value after the de-tokenization.

Note: The tokenization of the Date values in the cutover Date range of the Proleptic Gregorian Calendar results in an “Invalid Input” error.

The following points are applicable when the Distinguishable Date option is disabled:

  • If the Distinguishable Date option is disabled, then the tokenized dates are in the range 0600-01-01 to 3337-11-27, which also includes the cutover date range. During tokenization, an internal validation is performed to check whether the value is tokenized to the cutover date. If it is a cutover date, then the Year part (1582) of the tokenized value is converted to 3338 and then returned.
  • During de-tokenization, an internal check is performed to validate whether the Year is 3338. If the Year is 3338, then it is internally converted to 1582.

The following points are applicable when you tokenize the dates from the Year 1582 by setting the Year part to be in clear:

  • The tokenized value can result in the cutover Date range. In such a scenario, the Year part of the tokenized Date value is converted to 3338.
  • During de-tokenization, the Year part of the Date value is converted to 1582 to obtain the original date value.

For example, if the date 1582.04.30 12:12:12 is tokenized by setting the Year part in clear and the resultant tokenized value falls in the cutover Date range, then the Year part is converted to 3338 resulting in a tokenized value as 3338.10.10 12:12:12. The de-tokenization of this tokenized value returns the original Date 1582.04.30 12:12:12.

Note:
The tokenization accepts the date range 0600-01-01 to 3337-11-27 excluding the cutover date range.
The de-tokenization accepts the date range 0600-01-01 to 3337-11-27 and date values from the Year 3338. The year 3338 is accepted due to our support for tokenized value from the cutover date range.

Consider a scenario where you are migrating the protected data from Protector 1 to Protector 2. The Protector 1 includes the Datetime tokenizer update to process the cutover dates of the Proleptic Gregorian Calendar as input. The Protector 2 does not include this update. In such a scenario, an “Invalid Date Format” error occurs in Protector 2, when you try to unprotect the protected data as it fails to accept the input year 3338. The following steps must be performed to mitigate this issue:

  1. Unprotect the protected data from Protector 1.
  2. Migrate the unprotected data to Protector 2.
  3. Protect the data from Protector 2.

Time zone Normalization for Datetime Tokens
The Datetime tokenizer does not normalize the timestamp with respect to the timezone before protecting the data.

In a few Protectors, the timezone normalization is done by the APIs that are used by the Protectors to retrieve the timestamp. However, this behavior can also be configured.

There are differences in handling timestamps. Therefore, you cannot rely on Datetime tokens for migration or transfer to different systems or timezones.

So, before migrating the Datetime tokens, ensure that the timestamps are normalized for timezones so that unprotecting the token value returns the original expected value.

Datetime Tokenization Properties for different protectors

Application Protector

The following table shows supported input data types for Application protectors with the Datetime token.

Table: Supported input data types for Application protectors with Datetime token

Application Protectors*2AP Java*1AP Python
Supported input data typesDATE

STRING

CHAR[]

BYTE[]		DATE

BYTES

STRING

*1 - The API accepts and returns data in BYTE[] format. The customer application needs to convert the input into byte arrays before calling the API, and similarly, convert the output from byte arrays after receiving the response from the API.

*2 - The Protegrity Application Protectors only support bytes converted from the string data type. If int, short, or long format data is directly converted to bytes and passed as input to the Application Protector APIs that support byte as input and provide byte as output, then data corruption might occur.

For more information about Application protectors, refer to Application Protector.

Big Data Protector

Protegrity supports MapReduce, Hive, Pig, HBase, Spark, and Impala, which utilizes Hadoop Distributed File System (HDFS) or Ozone as the data storage layer. The data is protected from internal and external threats, and users and business processes can continue to utilize the secured data. Protegrity protects data inside the files using tokenization and strong encryption protection methods.

The following table shows supported input data types for Big Data protectors with the Datetime token.

Table: Supported input data types for Big Data protectors with Datetime token

Big Data ProtectorsMapReduce*2HivePigHBase*2ImpalaSpark*2Spark SQLTrino
Supported input data types*1BYTE[]STRING

DATETIME		CHARARRAYBYTE[]STRINGBYTE[]

STRING		STRING

DATETIME		TIMESTAMP

*1 – If the input and output types of the API are BYTE [], the customer application should convert the input to a byte array. Then, call the API and convert the output from the byte array.

*2 – The Protegrity MapReduce protector, HBase coprocessor, and Spark protector only support bytes converted from the string data type. Data types that are not bytes converted from the string data type might cause data corruption to occur when:

  • Any other data type is directly converted to bytes and passed as input to the MapReduce or Spark API that supports byte as input and provides byte as output.
  • Any other data type is directly converted to bytes and inserted in an HBase table. Where the HBase table is configured with the Protegrity HBase coprocessor.

For more information about Big Data protectors, refer to Big Data Protector.

Data Warehouse Protector

The Protegrity Data Warehouse Protector is an advanced security solution designed to protect sensitive data at the column level. This enables you to secure your data, while still permitting access to authorized users. Additionally, the Data Warehouse Protector integrates seamlessly with existing database systems using the User-Defined Functions for an enhanced security. Protegrity protects data inside the data warehouses using various tokenization and encryption methods.

The following table shows the supported input data types for the Teradata protector with the Datetime token.

Table: Supported input data types for Data Warehouse protectors with Datetime token

Data Warehouse ProtectorsTeradata
Supported input data typesVARCHAR LATIN

For more information about Data Warehouse protectors, refer to Data Warehouse Protector.

Database Protectors

Oracle Database Protector

The supported input data types for the Oracle Database Protector are listed below.

ProtectorSupported Input Data Types
OracleDATE
OracleVARCHAR2
OracleCHAR

Last modified : January 20, 2026