Data Masking Profile (4.3)

In the Data Masking profile you configure the masking method you want to use, which UDR types and field you want to mask/unmask, and any masking method specific settings.

There are four different masking methods that you can use:

  • Crypto - Uses cryptographic algorithm that can be configured to either derive its key from a passphrase or a Keystore. It uses either AES-128 or AES-256 for data encryption. The data can be unmasked later when required. 

  • Database - Enables data model masking to store masked and unmasked data. The data can be unmasked later when required.

  • Hash (one way) - Employs a salt-based encryption scheme for obscuring data only. All masked data using this method cannot be unmasked.

  • Hash/Database - Uses a combination of the database and hash mode. The data can be unmasked later when required. 

For more information on the supported data types, refer to Supported Data Types.

Configuration

The Data masking profile consists of five tabs:

Fields Tab

The masking method that is selected in the Fields tab determines which of the other four tabs that will be active as these tabs contain masking method specific configurations. 

Data Masking Profile - Fields tab

SettingDescription
Masking MethodSelect the masking method to be used in the profile. 
Storage Fields

Add the fields to map the UDR fields to. 

Note!

This option is only enabled for Database Storage and Hash/Database masking methods. 

UDR Field MappingsAdd all the UDR types and fields for the profile to process.
Random Algorithm (Only for String type)

Specify the algorithm to be used for generating the random character.

The supported algorithms are:

  • Default: Default random algorithm. For Crypto, it only supports Base64 format where the Hash or Database are using mixture of alphanumeric and special characters. The supported characters list are: 

    [!, ", #, $, %, &, ', (, ), *, +, ,, -, ., /, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, :, ;, <, =, >, ?, @, A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z, [, \, ], ^, _, `, a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z, {, |, }, ~]
  • UUID 4: Generate UUID string in 8-4-4-4-12 format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  • Custom: Filtered character based on Default character sets, filter condition can be configured through Regex Pattern

For more information on the algorithms for each masking method, see Supported Random Algorithm Type.

Regex Pattern

This is field is enabled when the Custom option is selected. It is a regular expression to extract characters based on the default characters list.

String LengthThis is field is enabled when the Custom option is selected. Specify the length of the output string.
Output FormatThis field is non-editable. It displays the supported character list and sample output preview.

Supported Random Algorithm Type

The supported random algorithm types for each masking method are as follows:

Algorithm

Crypto


Database


Hash

Hash/Database
Default

 

UUID 4
Custom

Crypto Tab

This tab is enabled only when the Crypto masking method is selected in the Fields tab. 

Data Masking Profile - Crypto tab

Setting DescriptionDescription
Derive Key from PassphraseSelect this option for the cryptographic engine to use a key from the passphrase. The Passphrase and Algorithm fields will be enabled.
Passphrase

Enter a passphrase manually or click the Random button to generate a random key. The passphrase is then hashed and it is use as the key.

Note!

If you use a random passphrase and it has been changed, you will not be able to unmask any masked data prior to the change.

Algorithm

Select the algorithm to be used, either the AES-128 or AES-256.

Note!

This can only be used for fields of string and bytearray types.

Read Key from Keystore

Select this option to use a key from a designated keystore. The keystore must be a JCEKS. The Keystore PathKeystore PasswordKey Name and Key Password fields will be enabled.

Example - Creating a symmetric crypto key

$ keytool -keystore test.ks -storepass password -storetype jceks -genseckey -keysize 128 -alias testkey -keyalg AES
Keystore PathEnter the path to the keystore file.
Keystore PasswordEnter the associated password.
Key NameThis field is optional. Enter the associated key name.
Key Password

This field is optional. Enter the associated key password if required, otherwise the Keystore Password is used as the default password.

Database Tab

This tab is enabled only when the Database Storage masking method is selected in the Fields tab. 

Data Masking Profile - Database tab

SettingDescription

Database Model

DatabaseBrowse and select the Database profile to use.
Table

Select the database table to view the following information:

  • Field: Shows the field name
  • Unmasked: Shows the unmasked content
  • Masked: Shows the masked content
  • Key: The selected checkbox shows the fields that will be searched when unmasking data.

    Note!

    If you have a large table or huge amount of lookups, you may consider to select the necessary fields only for searching when unmasking data

Advanced
Queue Size Set the queue size for the workers. The queue size will be split between the workers.
Max Number of Workers Enter the maximum number of workers.
Max Select Batch SizeEnter the maximum size of the batch when making large select statements to retrieve data.

Hash Tab

This tab is enabled only when the Hash masking method is selected in the Fields tab. 

Data Masking Profile - Hash tab

SettingDescription
SaltEnter the entry of the relevant hash or click the Random button to generate a random entry.

Hash/Database Tab

This tab is enabled only when the Hash/Database masking method is selected in the Fields tab. 

Data Masking Profile - Hash/Database tab

SettingDescription
Data Model
DatabaseBrowse and select the Database profile to use.
Table

Select the database table to view the following information:

  • Field: Shows the field name
  • Unmasked: Shows the unmasked content
  • Masked: Shows the masked content
  • Key: The selected checkbox shows the fields that will be searched when unmasking data.

    Note!

    If you have a large table or huge amount of lookups, you may consider to select the necessary fields only for searching when unmasking data

Hash
SaltEnter the entry of the relevant hash or click the Random button to generate a random entry.
Advanced
Queue Size Set the queue size for the workers. The queue size will be split between the workers.
Max Number of WorkersEnter the number of workers.
Max Select Batch SizeEnter the maximum size of the batch when making large select statements to retrieve data.

Supported Data Types

The supported data types for each masking method are as follows:

Data typeCryptoDatabaseHashHash/Database
string

integer
long
short
double
byte
bytearray