Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

In the Data Masking profile, you configure the masking method you want to use, which UDR types and fields you want to mask/unmask, and any masking method-specific settings.

...

Setting
Description

Masking Method

In this drop-down list, you select which masking method you want to use;:.

- Crypto - which uses either AES-128 or AES-256 encryption. Can only be used for fields of string or bytearray types.

- Database Storage - which stores the unmasked and masked data in a database. Can be used for fields of byte, double, int, string, long, and short types. When selecting Database, Oracle, Postgres, and SAP HANA can be used.

- Hash - which only masks the data, i.e. it is not possible to unmask. Can be used for most simple types of fields.

See Masking Methods for more information.

Storage Fields

In this section, you add the fields you want to map the UDR fields to when using Database Storage. If you have selected another masking method, this section will be inactive.

UDR Field MappingsIn this section, you add all the UDR types and fields you want the profile to process.

Creating a Data Masking Profile Using the Crypto Method

To create a Data Masking profile using Crypto:

...

If you want to specify a directly configured key, select Derive Key from Passphrase and see the section below, Configuring the Crypto Method using Derive Key from Passphrase. 

...

Note
titleNote!

In order to use AES-256, you need to install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction 

Policy Files on the EC in order to run the workflow. See http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
for further information.

Configuring the Crypto Method using Derive Key from Passphrase

Image Removed
Data Masking Agent - Crypto tab, Derive Key from Passphrase selected

...

Either enter a passphrase manually or click on the Random button to generate a random key. The passphrase is then hashed, and the hashed passphrase is used as the key.

Note
titleNote!

If you use a random passphrase, and the passphrase is changed, you will not be able to unmask any of the data that has been masked before the change.

...

Configuring the Crypto Method using a Key from a Keystore

If you want a key to be read from a specific Keystore, it must be a JCEKS key store.

...

titleExample - How to create a symmetric crypto key
Code Block
$ keytool -keystore test.ks -storepass password -storetype jceks -genseckey -keysize 128 -alias testkey -keyalg AES

Image Removed

Data Masking Agent - Crypto tab, Read Key from Keystore selected

...

Creating a Data Masking Profile Using the Database Storage Method

To use the database storage method, you need to create a table to store the mappings between masked and unmasked data. It is important that there are unique indexes for both the masked and unmasked data since the masking method implementation depends on the database constraints to ensure consistency in the table data.

The example below shows what a definition with a single storage field in an Oracle database may be:

...

titleExample - A definition with a single storage field in an Oracle database
Code Block
CREATE TABLE masking_info (
    unmasked NOT NULL,
    masked NOT NULL,
    CONSTRAINT masking_info_pk PRIMARY KEY (unmasked)
);
 
CREATE UNIQUE INDEX idx_masking_info_masked ON masking_info (masked);

To create a Data Masking profile using Database Storage:

...

If applicable, make any changes to the Advanced settings. These parameters can be tuned to optimize performance 

if necessary.

...

Creating a Data Masking Profile Using the Hash Method

To create a Data Masking profile using Hash:

...

.