Updated on 2026-05-15 GMT+08:00

Sensitive Information Masking Such as Passwords in Database Audit

To mask sensitive information in entered SQL statements, you can enable privacy data masking and configure masking rules to prevent sensitive information leakage.

Prerequisites

  • The database audit instance is in the Running state.
  • Database audit is enabled. For details, see Enabling Database Audit.

Creating a Data Masking Rule

  1. Log in to the management console.
  2. Select a region, then choose Security & Compliance > Database Security Service from the service list. The Dashboard page is displayed.
  3. In the navigation tree, choose Rules.
  4. In the Instance drop-down list, select the instance whose privacy data protection rule is to be configured.
  5. Click the Privacy Data Protection tab.

    Only customized rules can be edited and deleted. Default rules can only be enabled and disabled.

  6. Enable the privacy data masking function.

    You can configure masking rules to prevent privacy data leakage.

  7. Click Add Rule. In the displayed Add Rule dialog box, set the data masking rule, as shown in Figure 1. For details about related parameters, see Table 1.

    Figure 1 Adding a user-defined rule

    Table 1 Rule parameters

    | Parameter | Description | Example Value |
    |---|---|---|
    | Rule Name | Name of the rule. | test |
    | Regular Expression | Enter the regular expression to be configured. | - |
    | Substitution Value | Enter the substitution value after regular expression masking. | ### |

  8. Click OK.

    A masking rule in the Enabled state is added to the rule list.

Verifying a Rule

Perform the following steps to check whether a rule takes effect. Audit records that contain passwords in a MySQL database are used as an example.

  1. Log in to the database as user root through the MySQL database client.
  2. On the database client, enter the following SQL statements.

    -- MySQL quotes identifiers with backticks; single quotes denote string literals.
    INSERT INTO `adventureworks`.`user_login_info` (`id`, `user_name`, `pass_word`) VALUES (1, 'name_1', 'Password');
    INSERT INTO `adventureworks`.`user_login_info` (`id`, `user_name`, `pass_word`) VALUES (2, 'name_2', 'Password');
    INSERT INTO `adventureworks`.`user_login_info` (`id`, `user_name`, `pass_word`) VALUES (3, 'name_3', 'Password');
    INSERT INTO `adventureworks`.`user_login_info` (`id`, `user_name`, `pass_word`) VALUES (4, 'name_4', 'Password');

  3. In the navigation tree on the left, choose Data Reports. The Data Reports page is displayed.
  4. In the Instance drop-down list, select an instance. Click the Statements tab.
  5. Set filtering conditions to find the entered SQL statement.

    In the SQL statements column, view the executed INSERT INTO SQL statement. The information before masking is displayed.

    Figure 2 Viewing SQL statements

  6. In the navigation tree on the left, choose Audit Rules. On the Privacy Data Protection tab page, click Add Rule to add a masking rule for passwords.

    Figure 3 Adding a password masking rule

  7. Repeat steps 1 to 5 to query the entered SQL statement based on the filter criteria.

    In the SQL statements column, view the executed INSERT INTO SQL statement. The privacy data masking function is working properly, and the masked information is displayed.

    Figure 4 Viewing the masked SQL statement

  8. On the database client, enter the following SQL statements.

    -- MySQL quotes identifiers with backticks; single quotes denote string literals.
    UPDATE `adventureworks`.`user_login_info` set `pass_word` = "password" where id = 1;
    UPDATE `adventureworks`.`user_login_info` set `pass_word` = "password" where id = 2;
    UPDATE `adventureworks`.`user_login_info` set `pass_word` = "password" where id = 3;
    UPDATE `adventureworks`.`user_login_info` set `pass_word` = "password" where id = 4;

  9. Repeat steps 3 to 5 to query the entered SQL statement based on the filter criteria.

    In the SQL statements column, view the executed UPDATE SQL statement. The information before masking is displayed.

    Figure 5 Viewing SQL statements

  10. In the navigation tree on the left, choose Audit Rules. On the Privacy Data Protection tab page, click Add Rule to add a masking rule for changing the password.

    Figure 6 Adding a masking rule for changing passwords

  11. Repeat step 8 to execute the UPDATE statements again.
  12. Repeat steps 3 to 5 to query the entered SQL statement based on the filter criteria.

    In the SQL statements column, view the executed UPDATE SQL statement. The privacy data masking function is working properly, and the masked information is displayed.

    Figure 7 Viewing the SQL statements after masking

    In other scenarios or database types, you need to create masking rules based on specific syntax features and sensitive fields to implement audit masking.
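
The following is an added example, not part of the original page or the service's own code: it uses Python's re module as a stand-in for the masking engine to dry-run rules shaped like Table 1 against sample statements before the rules are entered in the console. The rule names, regular expressions and statements are constructed, and it assumes that each whole regex match is replaced by the substitution value and that matching is case-sensitive.

```python
import re

# Hypothetical rules shaped like Table 1: (rule name, regular expression, substitution value).
# Assumption: the service replaces each whole regex match with the substitution value.
RULES = [
    ("mask_insert_values", r"VALUES\s*\(.*\)", "###"),
    ("mask_update_password", r"`pass_word`\s*=\s*\"[^\"]*\"", "###"),
]

# Constructed sample statements, modelled on the verification steps.
PAGE_STATEMENTS = [
    "INSERT INTO `adventureworks`.`user_login_info` (`id`, `user_name`, `pass_word`) "
    "VALUES (1, 'name_1', 'Password');",
    "UPDATE `adventureworks`.`user_login_info` set `pass_word` = \"password\" where id = 1;",
]
# Constructed variants of the same operations written with different syntax
# (unquoted column, single-quoted value, lowercase keyword, no column list).
VARIANT_STATEMENTS = [
    "UPDATE adventureworks.user_login_info SET pass_word = 'password' WHERE id = 1;",
    "insert into adventureworks.user_login_info values (5, 'name_5', 'Password');",
]
SECRETS = ("Password", "password")  # plaintext values that must never reach the audit log


def mask(statement, rules=RULES):
    """Apply every rule in order and return the statement as it would be stored."""
    for _name, pattern, substitution in rules:
        statement = re.sub(pattern, substitution, statement)
    return statement


def unmasked(statements, secrets=SECRETS, rules=RULES):
    """Return the statements whose masked form still contains a known secret value."""
    return [s for s in statements if any(v in mask(s, rules) for v in secrets)]


if __name__ == "__main__":
    for stmt in PAGE_STATEMENTS + VARIANT_STATEMENTS:
        print(mask(stmt))
    print("still exposed:", unmasked(PAGE_STATEMENTS + VARIANT_STATEMENTS))
```

Any statement returned by unmasked() is a syntax form the current rules do not cover and needs an additional or broader rule.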