In the Data Masking profile, you configure the masking method you want to use, which UDR types and fields you want to mask/unmask, and any masking method-specific settings.
...
Setting | Description |
---|---|
Masking Method | In this drop-down list, you select which masking method you want to use: - Crypto - which uses either AES-128 or AES-256 encryption. Can only be used for fields of string or bytearray types. - Database Storage - which stores the unmasked and masked data in a database. Can be used for fields of byte, double, int, string, long, and short types. When selecting Database, Oracle, Postgres, and SAP HANA can be used. - Hash - which only masks the data, i.e. it is not possible to unmask. Can be used for most simple types of fields. See Masking Methods for more information. |
Storage Fields | In this section, you add the fields you want to map the UDR fields to when using Database Storage. If you have selected another masking method, this section will be inactive. |
UDR Field Mappings | In this section, you add all the UDR types and fields you want the profile to process. |
Creating a Data Masking Profile Using the Crypto Method
To create a Data Masking profile using Crypto:
...
If you want to specify a directly configured key, select Derive Key from Passphrase and see the section below, Configuring the Crypto Method using Derive Key from Passphrase.
...
Note |
---|
To use AES-256, you need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files on the EC in order to run the workflow. See http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html for further information. |
Configuring the Crypto Method using Derive Key from Passphrase
Data Masking Agent - Crypto tab, Derive Key from Passphrase selected
...
Either enter a passphrase manually or click on the Random button to generate a random key. The passphrase is then hashed, and the hashed passphrase is used as the key.
Note |
---|
If you use a random passphrase, and the passphrase is changed, you will not be able to unmask any of the data that has been masked before the change. |
...
Configuring the Crypto Method using a Key from a Keystore
If you want a key to be read from a specific keystore, it must be a JCEKS keystore.
...
title | Example - How to create a symmetric crypto key |
---|
Code Block |
---|
$ keytool -keystore test.ks -storepass password -storetype jceks -genseckey -keysize 128 -alias testkey -keyalg AES |
Data Masking Agent - Crypto tab, Read Key from Keystore selected
...
Creating a Data Masking Profile Using the Database Storage Method
To use the database storage method, you need to create a table to store the mappings between masked and unmasked data. It is important that there are unique indexes for both the masked and unmasked data since the masking method implementation depends on the database constraints to ensure consistency in the table data.
The example below shows what a definition with a single storage field in an Oracle database may look like:
...
title | Example - A definition with a single storage field in an Oracle database |
---|
Code Block |
---|
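-- The column types are missing from the original example; VARCHAR2(255) is an
-- assumption. Use the type that matches the UDR field being masked.
CREATE TABLE masking_info (
    unmasked VARCHAR2(255) NOT NULL,
    masked   VARCHAR2(255) NOT NULL,
    CONSTRAINT masking_info_pk PRIMARY KEY (unmasked)
);
-- The second unique index makes the reverse (unmask) lookup unambiguous.
CREATE UNIQUE INDEX idx_masking_info_masked ON masking_info (masked); |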
To create a Data Masking profile using Database Storage:
...
If applicable, make any changes to the Advanced settings. These parameters can be tuned to optimize performance.
...
Creating a Data Masking Profile Using the Hash Method
To create a Data Masking profile using Hash:
...