9.14.2 Data Masking Profile

In the Data Masking profile you configure the masking method you want to use, which UDR types and fields you want to mask/unmask, and any settings specific to the chosen masking method.

There are three different masking methods that you can use:

  • Crypto, which encrypts the data with either AES-128 or AES-256. Can be used both for masking and for unmasking data.
  • Database, which is used for storing masked and unmasked data in a database enabling the data to be unmasked at a later stage.
  • Hash, which is used for obscuring data only. You will not be able to unmask data using this method.

Configuration

To create a new Data Masking profile, click the New Configuration button in Desktop and select the Data Masking Profile option. This configuration contains four different tabs: Fields, Crypto, Database, and Hash. The Masking Method you select in the Fields tab determines which of the other three tabs will be active, since these tabs contain the masking method specific configurations.

The Data Masking profile configuration

The contents of the menus in the menu bar may change depending on which configuration type has been opened. The Data Masking profile uses the standard menu items and buttons that are visible for all configurations, and these are described in 2.1 Menus and Buttons.

The Fields tab in the Data Masking profile configuration contains the following settings:

Setting: Masking Method

Description: In this drop-down-list you select which masking method you want to use:

  - Crypto - uses either AES-128 or AES-256 encryption. Can only be used for fields of string or bytearray types.

  - Database Storage - stores the unmasked and masked data in a database. Can be used for fields of byte, double, int, string, long and short types. When Database Storage is selected, Oracle, Postgres, and SAP HANA databases can be used.

  - Hash - only masks the data, i.e. it is not possible to unmask. Can be used for most simple types of fields.

Setting: Storage Fields

Description: In this section you add the fields you want to map the UDR fields to when using Database Storage. If you have selected another masking method, this section will be inactive.

Setting: UDR Field Mappings

Description: In this section you add all the UDR types and fields you want the profile to process.

Creating a Data Masking Profile Using the Crypto Method

To create a Data Masking profile using Crypto:

  1. In the Fields tab, select the Crypto option in the Masking Method drop-down-list.

    The Storage Fields section will then be greyed out.

  2. Click on the Add... button beneath the UDR Field Mappings section. 

    The Add UDR Field Mappings dialog opens.


  3. Click on the Browse... buttons and select which UDR type and field you want to add and click on the Add button. Then repeat this step for all the types and fields you want to add.

  4. When finished, click on the Close button to close the dialog.

  5. Click on the Crypto tab to display the Crypto specific settings:


    Data Masking Agent - Crypto tab, Derive Key from Passphrase selected

  6. If you want to specify a directly configured key, select Derive Key from Passphrase and see the section below, Configuring the Crypto Method using Derive Key from Passphrase. 

    If you want a key to be read from a keystore, select Read Key from Keystore and see the section below Configuring the Crypto Method using a Key from a Keystore.

    Note!

    In order to use AES-256, you need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files on the EC in order to run the workflow. See http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html for further information.

Configuring the Crypto Method using Derive Key from Passphrase


Data Masking Agent - Crypto tab, Derive Key from Passphrase selected

  1. Select which algorithm you want to use; either AES-128 or AES-256.

  2. Either enter a passphrase manually, or click on the Random button to generate one. The passphrase is then hashed, and the hashed passphrase is used as the key.

    Note!

    If you use a random passphrase, and the passphrase is changed, you will not be able to unmask any of the data that has been masked before the change.

  3. Save the profile and you are done.

Configuring the Crypto Method using a Key from a Keystore

If you want a key to be read from a specific keystore, it must be a JCEKS keystore.

Example - How to create a symmetric crypto key

$ keytool -keystore test.ks -storepass password -storetype jceks -genseckey -keysize 128 -alias testkey -keyalg AES

Data Masking Agent - Crypto tab, Read Key from Keystore selected

  1. In the Keystore Path field, enter the location of the JCEKS type keystore from which you want to read the key. 

  2. In the Keystore Password field, enter the relevant keystore password. 

  3. The Key Name field is optional. If required, enter the key name. 

  4. The Key Password field is optional. You can enter the key password, or if you leave this field empty, the Keystore Password is used by default.

  5. Save the profile and you are done.
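The two key sources described above, a key derived by hashing the passphrase and a key read from a JCEKS keystore whose key password defaults to the keystore password, as an added Java example that is not part of the product or of this document; it also shows the behaviour from the Note above, namely that data masked under one passphrase can no longer be unmasked once the passphrase changes. The SHA-256 derivation, the AES-GCM mode and all class and method names are assumptions, since the page does not state how the profile derives the key or which cipher mode it uses.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class DataMaskingKeyDemo {
    // Assumption: the passphrase is hashed with SHA-256 and truncated to the AES key
    // length (16 bytes for AES-128, 32 bytes for AES-256); the profile's real hash is not stated.
    static SecretKey keyFromPassphrase(String passphrase, int keyBits) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(passphrase.getBytes(StandardCharsets.UTF_8));
        return new SecretKeySpec(Arrays.copyOf(digest, keyBits / 8), "AES");
    }
    // Reads the symmetric key from a JCEKS keystore (as created by keytool -storetype jceks -genseckey).
    // A null key password falls back to the keystore password, as the profile's Key Password field does.
    static SecretKey keyFromKeystore(String path, char[] storePw, String alias, char[] keyPw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, storePw); }
        return (SecretKey) ks.getKey(alias, keyPw != null ? keyPw : storePw);
    }
    // Mask with AES-GCM (assumed mode); a random 12-byte IV is prepended to the ciphertext.
    static String mask(SecretKey key, String plain) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    static String unmask(SecretKey key, String masked) throws Exception {
        byte[] in = Base64.getDecoder().decode(masked);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, Arrays.copyOf(in, 12)));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        SecretKey k1 = keyFromPassphrase("first passphrase", 128);
        String masked = mask(k1, "+46701234567");              // constructed sample field value
        System.out.println("same passphrase: " + unmask(k1, masked));
        try { unmask(keyFromPassphrase("changed passphrase", 128), masked); }
        catch (AEADBadTagException e) { System.out.println("changed passphrase: earlier data cannot be unmasked"); }
        if (args.length == 3) {                                 // args: keystore path, store password, key alias
            SecretKey k2 = keyFromKeystore(args[0], args[1].toCharArray(), args[2], null);
            System.out.println("keystore key: " + unmask(k2, mask(k2, "+46701234567")));
        }
    }
}
```

Run it with the three keystore arguments to exercise the keystore path against a store created with the keytool command shown above; without arguments only the passphrase path runs.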

Creating a Data Masking Profile Using the Database Storage Method

To use the database storage method, you need to create a table to store the mappings between masked and unmasked data. It is important that there are unique indexes for both the masked and unmasked data since the masking method implementation depends on the database constraints to ensure consistency in the table data.

The example below shows what a definition with a single storage field in an Oracle database may be:

Example - A definition with a single storage field in an Oracle database

CREATE TABLE masking_info (
    -- column types must match the storage field type; VARCHAR2 is assumed here for a string field
    unmasked VARCHAR2(4000) NOT NULL,
    masked   VARCHAR2(4000) NOT NULL,
    -- the primary key gives the unique index on the unmasked value
    CONSTRAINT masking_info_pk PRIMARY KEY (unmasked)
);

-- the masked value must be unique as well, since the implementation relies on this constraint
CREATE UNIQUE INDEX idx_masking_info_masked ON masking_info (masked);


To create a Data Masking profile using Database Storage:

  1. In the Fields tab, select the Database Storage option in the Masking Method drop-down-list.

  2. Click on the Add... button beneath the Storage Fields section.


  3. Enter a name for the field that you want to use for mapping the unmasked and masked values in the database and select the type of the field in the Type drop-down-list. Repeat for every additional storage field you want to add.

  4. Click on the Close button to close the dialog.

    The UDR Field Mappings section will display three different columns when you have selected Database Storage as masking method.

  5. Click on the Add... button beneath the UDR Field Mappings section. 

  6. The Add UDR Field Mappings dialog opens.


  7. Click on the Browse... buttons and select which UDR type and field you want to add, select the mapping field in the Mapping Field drop-down-list, and click on the Add button. Then repeat this step for all the types and fields you want to add.

  8. When finished, click on the Close button to close the dialog.

  9. Click on the Database tab to display the Database Storage specific settings:


  10. Select the database profile you want to use and set which table in the database you want to use in the Database and Table settings.

    The configured storage fields will appear in the table, and the Key check box will be selected for the fields by default. This means that when unmasking data, the fields with this check box selected will be looked up. If you have very large tables, or many lookups, you may want to limit which fields are looked up when unmasking data.

  11. Enter names for the Unmasked and Masked columns in the table for each storage field.

  12. If applicable, make any changes to the Advanced settings. These parameters can be tuned to optimize performance if necessary.

    Setting: Queue Size

    Description: This setting determines the queue size for the workers. The queue size will be split between the workers.

    Setting: Max Number of Workers

    Description: Enter how many workers you want to have in this field.

    Setting: Max Select Batch Size

    Description: Enter the maximum size of the batch when making large select statements for retrieving data.

    Advanced settings

  13. Save the profile and you are done.

Creating a Data Masking Profile Using the Hash Method

To create a Data Masking profile using Hash:

  1. In the Fields tab, select the Hash option in the Masking Method drop-down-list.

    The Storage Fields section will then be greyed out.

  2. Click on the Add... button beneath the UDR Field Mappings section. 

    The Add UDR Field Mappings dialog opens.


  3. Click on the Browse... buttons and select which UDR type and field you want to add and click on the Add button. Then repeat this step for all the types and fields you want to add.

  4. When finished, click on the Close button to close the dialog.

  5. Click on the Hash tab to display the Hash specific settings:


  6. In the Salt field, either enter a value manually, or click on the Random button to generate a random one.

  7. Save the profile and you are done.