Updated on 2024-10-09 GMT+08:00

Configuring a Data Masking Rule

This section describes how to configure a data masking rule. For more information about masking algorithms, see Overview.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select a region or project.
  3. In the navigation tree on the left, click . Choose Security & Compliance > Data Security Center.
  4. In the navigation pane, choose Data Asset Protection > Data Masking. On the page displayed, click the Masking Rule tab.

    Figure 1 Accessing the Masking Rule tab

  5. On the Masking Rule tab page, select a proper masking method and configure a masking rule.

    • If you select Hash, configure a masking rule according to Hash.
    • If you select Encryption, configure a masking rule according to Encryption.
    • If you select Character Masking, configure a masking rule according to Character Masking.
    • If you select Keyword Replacement, configure a masking rule according to Keyword Replacement.
    • If you select Value Change, configure a masking rule according to Value Change.
    • If you select Roundup, configure a masking rule according to Roundup.

Hash

This method is used to replace a field of the string type with a hash value. In a relational database, if the field length is less than the hash length, the length of the field in the destination database is set to be the same as the hash value length to ensure that the hash value is completely written to the destination database. By default, two hash algorithms, SHA-256 and SHA-512, are configured for DSC.

Hash algorithms are built-in and do not need to be configured. If you want to test the masking effect, perform the following steps:

  1. Access the Masking Rule page by referring to Procedure.
  2. Click the Hash tab.

    Figure 2 Hash

  3. In the column where the SHA-256 or SHA-512 algorithm is, click Test.
  4. On the page displayed, enter the raw data and click Test. The masking result will be displayed in the Masking Result text box.

    Figure 3 Hash method
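As an added illustration of the Hash method described above (example code written for this page, not DSC's own implementation), the following Python applies SHA-256 or SHA-512 to a string column and widens the destination column to the digest length when the source column is shorter, which is the behaviour the section describes for relational databases. It assumes the digest is stored as a hex string (64 characters for SHA-256, 128 for SHA-512) and uses a constructed three-row table; the function names `hash_mask`, `destination_column_length` and `mask_table` are this example's own.

```python
import hashlib

# Hex-digest lengths of the two built-in DSC hash algorithms (assumption:
# the hash is written to the destination column as a hex string).
DIGEST_HEX_LENGTH = {"SHA-256": 64, "SHA-512": 128}
_HASHLIB_NAME = {"SHA-256": "sha256", "SHA-512": "sha512"}


def hash_mask(value, algorithm="SHA-256"):
    """Replace a string field value with its hex digest."""
    if algorithm not in _HASHLIB_NAME:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hashlib.new(_HASHLIB_NAME[algorithm], value.encode("utf-8")).hexdigest()


def destination_column_length(source_length, algorithm):
    """Width the destination column needs so the whole digest is written:
    the digest length when the source column is shorter, otherwise unchanged."""
    return max(source_length, DIGEST_HEX_LENGTH[algorithm])


def mask_table(rows, schema, columns, algorithm="SHA-256"):
    """Mask the named string columns of every row and return the masked rows
    together with the destination schema ({column: max length})."""
    dest_schema = dict(schema)
    for col in columns:
        dest_schema[col] = destination_column_length(schema[col], algorithm)
    masked = []
    for row in rows:
        new_row = dict(row)
        for col in columns:
            if new_row[col] is not None:  # NULL stays NULL
                new_row[col] = hash_mask(new_row[col], algorithm)
        masked.append(new_row)
    return masked, dest_schema


# Constructed sample: a source table whose email column is VARCHAR(32).
SAMPLE_SCHEMA = {"id": 10, "email": 32, "city": 20}
SAMPLE_ROWS = [
    {"id": 1, "email": "alice@example.com", "city": "Berlin"},
    {"id": 2, "email": "alice@example.com", "city": "Paris"},
    {"id": 3, "email": None, "city": "Rome"},
]

if __name__ == "__main__":
    rows, schema = mask_table(SAMPLE_ROWS, SAMPLE_SCHEMA, ["email"], "SHA-256")
    print(schema)  # email widened from 32 to 64
    for r in rows:
        print(r)
```

Because the hash is deterministic, equal source values produce equal digests, so joins across masked tables still work; for the same reason a short, low-entropy field (a phone number, a postcode) can be matched back by hashing candidate values, which is why the section presents hashing as one option among several rather than the only one.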

Encryption

This method masks data using encryption algorithms and a master key. In the encryption masking result, the first 16 bytes of an encrypted string are the initialization vector (IV), and the rest is the ciphertext.

  1. Access the Masking Rule page by referring to Procedure.
  2. Click the Encryption tab.

    • Master Key Algorithm: Select an encryption algorithm from the drop-down list box. Two encryption algorithms are available: AES256 and SM4.
    • For KMS encryption, the KMS key can be either selected from the drop-down list or entered:
      • Select from Keys: Select an existing master key from the drop-down list. If no master key is available, click Create KMS Key to create one.

        By default, the master key csm/default is used for encryption.

      • Enter a KMS key ID: Enter the ID of the KMS key in the current region.

  3. After the configuration is complete, click Generate Encryption Configuration.

    If you want to delete a configured encryption configuration, click Delete in the Operation column.

    Click to enable the rotation policy. After rotation, the current encryption configuration is updated to improve security.

Character Masking

This method uses the specified character * or a random character to cover part of the content.

There are six masking methods available, including retaining first N and last M, retaining from X to Y, masking first N and last M, masking from X to Y, masking data ahead of special characters, and masking data followed by special characters.

  1. Access the Masking Rule page by referring to Procedure.
  2. Click the Character Masking tab.

    Figure 4 Character masking method

  3. Click Add to configure a character masking rule.

    Figure 5 Adding a character masking rule

  4. Enter the raw data and click Test. The masking result will be displayed in the Masking Result text box.
  5. Verify the testing result and click Save.

    • Multiple character masking rules have been preset in DSC. Built-in masking rules cannot be deleted. To delete a custom masking rule, click Delete in the Operation column of the target rule.
    • All rules can be edited. To edit a rule, locate the row containing the rule and click Edit in the Operation column.
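The six character masking methods listed above, implemented as an added example (this is illustration code for this page, not DSC's built-in rules). Positions X and Y are taken to be 1-based and inclusive, and passing `mask=None` selects a random alphanumeric cover character instead of `*`; both conventions are assumptions of this example, as are the function names.

```python
import random
import string

ALPHABET = string.ascii_letters + string.digits


def _cover(segment, mask="*"):
    """Replace every character of segment with the fixed mask character,
    or with a random alphanumeric character when mask is None."""
    if mask is None:
        return "".join(random.choice(ALPHABET) for _ in segment)
    return mask * len(segment)


def retain_first_last(s, n, m, mask="*"):
    """Retain the first n and last m characters; cover everything between."""
    if n + m >= len(s):
        return s
    return s[:n] + _cover(s[n:len(s) - m], mask) + s[len(s) - m:]


def mask_first_last(s, n, m, mask="*"):
    """Cover the first n and last m characters; retain everything between."""
    if n + m >= len(s):
        return _cover(s, mask)
    return _cover(s[:n], mask) + s[n:len(s) - m] + _cover(s[len(s) - m:], mask)


def retain_range(s, x, y, mask="*"):
    """Retain positions x..y (1-based, inclusive); cover the rest."""
    x, y = max(x, 1), min(y, len(s))
    if x > y:
        return _cover(s, mask)
    return _cover(s[:x - 1], mask) + s[x - 1:y] + _cover(s[y:], mask)


def mask_range(s, x, y, mask="*"):
    """Cover positions x..y (1-based, inclusive); retain the rest."""
    x, y = max(x, 1), min(y, len(s))
    if x > y:
        return s
    return s[:x - 1] + _cover(s[x - 1:y], mask) + s[y:]


def mask_before_special(s, special, mask="*"):
    """Cover everything ahead of the first occurrence of special."""
    i = s.find(special)
    if i < 0:
        return s
    return _cover(s[:i], mask) + s[i:]


def mask_after_special(s, special, mask="*"):
    """Cover everything that follows the first occurrence of special."""
    i = s.find(special)
    if i < 0:
        return s
    j = i + len(special)
    return s[:j] + _cover(s[j:], mask)


if __name__ == "__main__":
    # Constructed sample values
    phone, email = "13812345678", "user@example.com"
    print(retain_first_last(phone, 3, 4))   # 138****5678
    print(mask_first_last(phone, 3, 4))     # ***1234****
    print(retain_range(phone, 4, 7))        # ***1234****
    print(mask_range(phone, 4, 7))          # 138****5678
    print(mask_before_special(email, "@"))  # ****@example.com
    print(mask_after_special(email, "@"))   # user@***********
```

Note that the functions treat a value shorter than N+M (or an empty X..Y range) as an edge case and return it unchanged or fully covered rather than raising, which is the behaviour you want when a masking job runs over a whole column of mixed lengths.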

Keyword Replacement

This method masks data by replacing matched keywords with custom strings. For example, if the original characters are abcdefgbcdefgkjkoij, the keyword is bcde, and the replacement string is 12, the masking result is a12fg12fgkjkoij.

  1. Access the Masking Rule page by referring to Procedure.
  2. Click the Keyword Replacement tab.

    Figure 6 Keyword Replacement

  3. Set the keyword and the replacement string.

    Then, the keywords matched in the raw characters will be replaced with the replacement string.

    Figure 7 Adding a keyword

  4. Enter the raw data and click Test. The masking result will be displayed in the Masking Result text box.
  5. Verify the testing result and click Save.

    • To modify a configured masking rule, locate the row containing the rule and click Edit and Test in the Operation column.
    • To delete a configured masking rule, locate the row containing the rule and click Delete in the Operation column.

Value Change

The following algorithms have been built in:
  • Masking Using the Null Value: Set fields of any type to NULL. For a field whose attribute is set to NOT NULL, the algorithm changes the attribute to NULL during copy.
  • Masking Using the Empty Value: Set the specified field to an empty value. Specifically, a character field is left blank, a numeric field is set to 0, a date field is set to 1970, and a time field is set to 00:00.

These are built-in masking rules of DSC and do not need to be configured. To view the masking rules, perform the following steps:

  1. Access the Masking Rule page by referring to Procedure.
  2. Click the Value Change tab.

    Figure 8 Value Change

Roundup

  1. Access the Masking Rule page by referring to Procedure.
  2. Click Round.

    There are two built-in data masking algorithms available:

    • Date Roundup: Used for time-related fields such as timestamp, time, date, and datetime in RDS.
    • Number Roundup: Used for numeric fields such as double, float, int, and long. After data masking, the original field type does not change.
    Figure 9 Value masking page

  3. Click Edit Test and set Rounding Value.

    Masking Result: Rounds the raw data down to the nearest multiple of the given rounding value. For example, if the given value is 5 and the raw data is 14, the largest multiple of 5 that does not exceed 14 is 10. That is, the masking result is 10.

    Figure 10 Number roundup

  4. Enter the raw data and click Test. The masking result will be displayed in the Masking Result text box.
  5. Verify the testing result and click Save.
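An added worked example of the Roundup method (illustration code for this page, not DSC's implementation). `number_roundup` carries the section's 14-with-rounding-value-5 case through in general, rounding down to the nearest multiple while preserving the field's type (int stays int, float stays float). `date_roundup` is this example's assumed form of Date Roundup: the page only says it applies to time-related fields, so here the rounding value is a unit name (`year`, `month`, `day`, `hour`, `minute`, `second`) and every finer-grained component is floored. `mask_record` applies both to a constructed record; all three names are this example's own.

```python
import math
from datetime import datetime

_DATE_UNITS = ("year", "month", "day", "hour", "minute", "second")
# Floor value of each component when it is finer than the kept unit
_UNIT_FLOOR = {"month": 1, "day": 1, "hour": 0, "minute": 0, "second": 0}


def number_roundup(value, rounding_value):
    """Round value down to the nearest multiple of rounding_value.
    The result keeps the type of value, so an int column stays int."""
    if rounding_value <= 0:
        raise ValueError("rounding value must be positive")
    result = (value // rounding_value) * rounding_value
    return type(value)(result)


def date_roundup(dt, unit):
    """Round a datetime down to the start of the given unit (assumed form
    of Date Roundup: 'day' drops hour/minute/second, 'hour' drops minute/second)."""
    if unit not in _DATE_UNITS:
        raise ValueError(f"unknown unit: {unit}")
    keep = _DATE_UNITS.index(unit)
    floored = {u: _UNIT_FLOOR[u] for u in _DATE_UNITS[keep + 1:]}
    return dt.replace(microsecond=0, **floored)


def mask_record(record, rules):
    """Apply roundup rules to one record. rules maps a column name to
    ("number", rounding_value) or ("date", unit); NULL values are left alone."""
    out = dict(record)
    for col, (kind, rounding) in rules.items():
        if out.get(col) is None:
            continue
        if kind == "date":
            out[col] = date_roundup(out[col], rounding)
        elif kind == "number":
            out[col] = number_roundup(out[col], rounding)
        else:
            raise ValueError(f"unknown roundup kind: {kind}")
    return out


# Constructed sample record and rules
SAMPLE_RECORD = {
    "id": 7,
    "salary": 14,
    "score": 87.6,
    "born": datetime(1990, 6, 15, 8, 30, 0),
    "last_login": datetime(2024, 10, 9, 14, 37, 52),
}
SAMPLE_RULES = {
    "salary": ("number", 5),
    "score": ("number", 10),
    "born": ("date", "year"),
    "last_login": ("date", "hour"),
}

if __name__ == "__main__":
    for k, v in mask_record(SAMPLE_RECORD, SAMPLE_RULES).items():
        print(k, v)
```

Rounding down rather than to the nearest multiple keeps the rule monotonic, so ordering and range queries over the masked column still behave sensibly, and a negative input such as -14 with rounding value 5 becomes -15, not -10.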