Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

In the Data Masking profile, you configure the masking method you want to use, which UDR types and fields you want to mask/unmask, and any masking method-specific settings.

There are four different masking methods that you can use:

  • Crypto - Uses cryptographic algorithm that can be configured to either derive its key from a passphrase or a Keystore. It uses either AES-128 or AES-256 for data encryption. The data can be unmasked later when required. 

  • Database - Enables data model masking to store masked and unmasked data. The data can be unmasked later when required.

  • Hash (one way) - Employs a salt-based encryption scheme for obscuring data only. All masked data using this method cannot be unmasked.

  • Hash/Database - Uses a combination of the database and hash mode. The data can be unmasked later when required. 

For more information on the supported data types, see Supported Data Types.

Configuration

To create a new Data Masking profile, click the New Configuration button from Build View, and then select Data Masking Profile from the selection screen.

The contents of the buttons bar may change depending on which configuration type has been opened in the currently displayed tab. The Data Masking profile uses the standard menu items and buttons that are visible for all configurations, and these are described in Common Configuration Buttons.

The Edit button content is specific to the Data Masking profile configurations.

The Data Masking profile consists of the following tabs:

Table of Contents
minLevel2
maxLevel2
outlinefalse
typelist
printablefalse

Fields Tab

The masking method that is selected in the Fields tab determines which of the other four tabs that will be active as these tabs contain masking method specific configurations. 

The Fields tab in the Data Masking profile configuration contains the following settings:

...

Setting

Description

Masking Method

Select the masking method to be used from the drop-down list.

Storage Fields

Add the fields to map the UDR fields to.

This section is only applicable to Database Storage and Hash/Database masking methods.

UDR Field Mappings

Add all the UDR types and fields for the profile to process.

Random Algorithm (Only for String type)

Specify the algorithm to be used for generating the random character.

The supported algorithms are:

  • Default: Default random algorithm. For Crypto, it only supports Base64 format where the Hash or Database are using mixture of alphanumeric and special characters. The supported characters list are: 

    Code Block
    [!, ", #, $, %, &, ', (, ), *, +, ,, -, ., /, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, :, ;, <, =, >, ?, @, A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z, [, \, ], ^, _, `, a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z, {, |, }, ~]
  • UUID 4: Generate UUID string in 8-4-4-4-12 format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

  • Custom: Filtered character based on Default character sets, filter condition can be configured through Regex Pattern

For more information on the algorithms for each masking method, see Supported Random Algorithm Type.

This section is only applicable to Database Storage, Hash and Hash/Database masking methods. This section is disabled if other masking method is selected.

Regex Pattern

This is field is enabled when the Custom option is selected. It is a regular expression to extract characters based on the default characters list.

String Length

This is field is enabled when the Custom option is selected. Specify the length of the output string.

Output Format

This field is non-editable. It displays the supported character list and sample output preview.

Anchor
algorithm_type
algorithm_type
Supported Random Algorithm Type

The supported random algorithm types for each masking method are as follows:

Algorithm

Crypto

Database

Hash

Hash/Database

Default

(tick)

(tick)

(tick)

(tick)

UUID 4

(error)

(tick)

(error)

(tick)

Custom

(error)

(tick)

(tick)

(tick)

Crypto Tab

This tab is enabled only when the Crypto masking method is selected in the Fields tab. 

...

Setting Description

Description

Cipher Mode

Cipher Mode to use.

The two modes CTR and GCM are non-deterministic in the sense that they will give different outputs for the same input. This means that it will not be possible to correlate data from separate UDRs, but if this is not a requirement then it gives a more complete anonymization.

The CBC mode is deterministic and can be used when correlation must be possible on pseudonymized data. It includes a transposition scrambling to protect against prefix matching.

The ECB mode is not recommended since it allows for prefix and suffix matching and thus gives weaker security than the CBC mode. It is only included for backwards compatibility.

Derive Key from Passphrase

Select this option for the cryptographic engine to use a key from the passphrase. The Passphrase and Algorithm fields will be enabled.

Passphrase

Enter a passphrase manually or click the Random button to generate a random key. The passphrase is then hashed and it is use as the key.

If you use a random passphrase and it has been changed, you will not be able to unmask any masked data prior to the change.

Algorithm

Select the algorithm to be used, either the AES-128 or AES-256.

This can only be used for fields of string and bytearray types.

Read Key from Keystore

Select this option to use a key from a designated keystore. The keystore must be a JCEKS. The Keystore PathKeystore PasswordKey Name and Key Password fields will be enabled.

Example - Creating a symmetric crypto key

Code Block
$ keytool -keystore test.ks -storepass password -storetype jceks -genseckey -keysize 128 -alias testkey -keyalg AES

Keystore Path

Enter the path to the keystore file.

Keystore Password

Enter the associated password.

Key Name

This field is optional. Enter the associated key name.

Key Password

This field is optional. Enter the associated key password if required, otherwise the Keystore Password is used as the default password.

Database Tab

This tab is enabled only when the Database Storage masking method is selected in the Fields tab. 

...

Setting

Description

Database Model

Database

Browse and select the Database profile to use.

Table

Select the database table to view the following information:

  • Field: Shows the field name

  • Unmasked: Shows the unmasked content

  • Masked: Shows the masked content

  • Key: The selected checkbox shows the fields that will be searched when unmasking data.

    If you have a large table or huge amount of lookups, you may consider to select the necessary fields only for searching when unmasking data

Advanced

Queue Size 

Set the queue size for the workers. The queue size will be split between the workers.

Max Number of Workers 

Enter the maximum number of workers.

Max Select Batch Size

Enter the maximum size of the batch when making large select statements to retrieve data.

Hash Tab

This tab is enabled only when the Hash masking method is selected in the Fields tab. 

...

Setting

Description

Salt

Enter the entry of the relevant hash or click the Random button to generate a random entry.

Hash/Database Tab

This tab is enabled only when the Hash/Database masking method is selected in the Fields tab. 

...

Setting

Description

Data Model

Database

Browse and select the Database profile to use.

Table

Select the database table to view the following information:

  • Field: Shows the field name

  • Unmasked: Shows the unmasked content

  • Masked: Shows the masked content

  • Key: The selected checkbox shows the fields that will be searched when unmasking data.

    If you have a large table or huge amount of lookups, you may consider to select the necessary fields only for searching when unmasking data

Hash

Salt

Enter the entry of the relevant hash or click the Random button to generate a random entry.

Advanced

Queue Size 

Set the queue size for the workers. The queue size will be split between the workers.

Max Number of Workers

Enter the number of workers.

Max Select Batch Size

Enter the maximum size of the batch when making large select statements to retrieve data.

Anchor
data_types
data_types
Supported Data Types

The supported data types for each masking method are as follows:

Data type

Crypto

Database

Hash

Hash/Database

string

(tick)

(tick)

(tick)

(tick)

integer

(error)

(tick)

(tick)

(tick)

long

(error)

(tick)

(tick)

(tick)

short

(error)

(tick)

(tick)

(tick)

double

(error)

(tick)

(tick)

(tick)

byte

(error)

(tick)

(tick)

(tick)

bytearray

(tick)

(tick)

(error)

(error)