Updated on 2024-11-19 GMT+08:00

Configuring a Data Masking Rule

This section describes how to configure a data masking rule. For more information about masking algorithms, see Overview.

Procedure

  1. Log in to the management console.
  2. Click the icon in the upper left corner and select a region or project.
  3. In the navigation tree on the left, click the icon and choose Security & Compliance > Data Security Center.
  4. In the navigation pane, choose Data Asset Protection > Data Masking. On the page displayed, click the Masking Rule tab.
  5. On the Masking Rule tab page, select a proper masking method and configure a masking rule.

    • If you select Hash, configure a masking rule according to Hash.
    • If you select Encryption, configure a masking rule according to Encryption.
    • If you select Character Masking, configure a masking rule according to Character Masking.
    • If you select Keyword Replacement, configure a masking rule according to Keyword Replacement.
    • If you select Value Change, configure a masking rule according to Value Change.
    • If you select Roundup, configure a masking rule according to Roundup.

Hash

This method replaces a string field with a hash value. In a relational database, if the field length is less than the hash length, the field length in the destination database is set to the hash value length so that the hash value is written in full. By default, DSC is configured with two hash algorithms, SHA-256 and SHA-512.

Hash algorithms are built-in and do not need to be configured. If you want to test the masking effect, perform the following steps:

  1. Access the Masking Rule page by referring to Procedure.
  2. Click the Hash tab.

    Figure 1 Hash masking

  3. In the column where the SHA-256 or SHA-512 algorithm is, click Edit and Test.
  4. On the Edit and Test page, set Masking Algorithm to Hash, enter Raw Data, and click Test. The masked data is displayed in the Masking Result text box.

    Figure 2 Hash method
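The following added example, which is not part of the DSC documentation, shows what the Hash method described above does to a string field and how the column-width rule applies. It assumes the digest is stored hex-encoded (the page does not state the output encoding), so a SHA-256 result is 64 characters and a SHA-512 result is 128; the sample value and column width are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
)

// HashMask replaces a string field with its digest under one of the two
// algorithms the page says DSC ships with. The digest is hex-encoded here
// (an assumption; the page does not state the output encoding), which makes
// SHA-256 output 64 characters and SHA-512 output 128 characters.
func HashMask(algorithm, raw string) (string, error) {
	switch algorithm {
	case "SHA-256":
		sum := sha256.Sum256([]byte(raw))
		return hex.EncodeToString(sum[:]), nil
	case "SHA-512":
		sum := sha512.Sum512([]byte(raw))
		return hex.EncodeToString(sum[:]), nil
	}
	return "", fmt.Errorf("unsupported hash algorithm %q", algorithm)
}

// DestinationLength applies the column-width rule from the page: when the
// source column is narrower than the digest, the destination column is
// widened to the digest length so the value is written in full; a silently
// truncated digest would no longer be a valid hash of the original.
func DestinationLength(sourceLen int, algorithm string) (int, error) {
	digest, err := HashMask(algorithm, "")
	if err != nil {
		return 0, err
	}
	if sourceLen < len(digest) {
		return len(digest), nil
	}
	return sourceLen, nil
}

func main() {
	// Constructed sample: an email address stored in a VARCHAR(32) column.
	raw := "alice@example.com"
	for _, alg := range []string{"SHA-256", "SHA-512"} {
		masked, _ := HashMask(alg, raw)
		width, _ := DestinationLength(32, alg)
		fmt.Printf("%s: %s\n  digest length %d, destination column width %d\n", alg, masked, len(masked), width)
	}
}
```

Hashing is deterministic: equal inputs always produce equal digests, which keeps rows joinable across tables but also keeps them linkable, and fields drawn from a small value space stay guessable. Where that matters, the Encryption method below is the keyed alternative this page offers.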

Encryption

This method masks data using encryption algorithms and a master key.

  1. Access the Masking Rule page by referring to Procedure.
  2. Click the Encryption tab.

    • Master Key Algorithm: Select an encryption algorithm from the drop-down list box. Two encryption algorithms are available: AES256 and SM4.
      Table 1 Master key algorithms

      Key Type      | Algorithm Type | Key Specifications | Description       | Usage
      Symmetric key | AES            | AES_256            | AES symmetric key | Encrypting and decrypting a small amount of data or data keys
      Symmetric key | SM4            | SM4                | SM4 symmetric key | Encrypting and decrypting a small amount of data or data keys

    • For KMS encryption, the KMS key can be either selected from the drop-down list or entered:
      • Select from Keys: Select an existing master key from the drop-down list. If no master key is available, click Create KMS Key to create one. For details about how to create a KMS key, see Creating a Key.

        By default, the master key csm/default is used for encryption.

      • Enter a KMS key ID: Enter the ID of the KMS key in the current region.
    • Select the Data Key Length from the drop-down list box. The options are 128, 192, and 256.

  3. After the configuration is complete, click Generate Encryption Configuration.

    If you want to delete a configured encryption configuration, click Delete in the Operation column.

    Enable the rotation policy. After rotation, the current encryption configuration is updated to improve security.
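The following added example is not DSC's code; it illustrates the structure the Encryption method describes (a master key, a data key of 128, 192 or 256 bits, and rotation) with the envelope-encryption pattern: the data key encrypts field values and is itself stored only encrypted under the master key. Local random bytes stand in for the KMS keys named by ID (assumption: a real deployment would have KMS wrap and unwrap the data key), AES-GCM stands in for the unspecified cipher mode, and rotation is modelled as re-wrapping the data key under a new master key, which is one reading of the page's rotation policy. The key IDs and the field value are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptionConfig stands in for one "encryption configuration" on the page: the
// master key ID plus the data key, kept only in wrapped (master-key-encrypted) form.
type EncryptionConfig struct {
	MasterKeyID    string
	WrappedDataKey []byte
}

// seal encrypts with AES-GCM under a fresh random nonce, prepending the nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check rejects tampering or a wrong key.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// GenerateConfig draws a random data key of dataKeyBits (the page offers 128, 192
// and 256) and wraps it under masterKey, local bytes standing in for KMS key masterKeyID.
func GenerateConfig(masterKeyID string, masterKey []byte, dataKeyBits int) (*EncryptionConfig, error) {
	if dataKeyBits != 128 && dataKeyBits != 192 && dataKeyBits != 256 {
		return nil, fmt.Errorf("data key length must be 128, 192 or 256, got %d", dataKeyBits)
	}
	dk := make([]byte, dataKeyBits/8)
	if _, err := rand.Read(dk); err != nil {
		return nil, err
	}
	wrapped, err := seal(masterKey, dk)
	if err != nil {
		return nil, err
	}
	return &EncryptionConfig{MasterKeyID: masterKeyID, WrappedDataKey: wrapped}, nil
}

// MaskField unwraps the data key with the master key and encrypts one field value.
func MaskField(cfg *EncryptionConfig, masterKey []byte, value string) ([]byte, error) {
	dk, err := open(masterKey, cfg.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	return seal(dk, []byte(value))
}

// UnmaskField reverses MaskField for a caller allowed to unwrap the data key.
func UnmaskField(cfg *EncryptionConfig, masterKey, masked []byte) (string, error) {
	dk, err := open(masterKey, cfg.WrappedDataKey)
	if err != nil {
		return "", err
	}
	pt, err := open(dk, masked)
	return string(pt), err
}

// Rotate re-wraps the data key under a new master key (one reading of the page's
// rotation policy): earlier masked values stay readable since the data key is unchanged.
func Rotate(cfg *EncryptionConfig, oldKey []byte, newID string, newKey []byte) error {
	dk, err := open(oldKey, cfg.WrappedDataKey)
	if err != nil {
		return err
	}
	wrapped, err := seal(newKey, dk)
	if err != nil {
		return err
	}
	cfg.MasterKeyID, cfg.WrappedDataKey = newID, wrapped
	return nil
}

func main() {
	mk1, mk2 := make([]byte, 32), make([]byte, 32) // stand-ins for two AES-256 KMS keys
	rand.Read(mk1)
	rand.Read(mk2)
	cfg, _ := GenerateConfig("csm/default", mk1, 256)
	masked, _ := MaskField(cfg, mk1, "4111 1111 1111 1111") // constructed sample value
	_ = Rotate(cfg, mk1, "csm/v2", mk2)
	plain, _ := UnmaskField(cfg, mk2, masked)
	fmt.Printf("%x -> %q, now wrapped by %s\n", masked, plain, cfg.MasterKeyID)
}
```

Masked values are returned as bytes; hex- or base64-encode them before writing to a string column. The point of the rotation model is the question a practitioner should ask of any rotation policy: whether it changes the master key only (old ciphertexts remain readable, as here) or the data key too (old ciphertexts must be re-encrypted), and which keys therefore have to be retained.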

Character Masking

This method covers part of the content with the specified character (*) or a random character.

There are six masking methods available: retaining the first N and last M characters, retaining characters X to Y, masking the first N and last M characters, masking characters X to Y, masking the data before special characters, and masking the data after special characters.

  1. Access the Masking Rule page by referring to Procedure.
  2. Click the Character Masking tab.

    Figure 3 Character masking method

  3. Click Add to configure a character masking rule.

    Figure 4 Adding a character masking rule

  4. Enter the raw data and click Test. The masking result will be displayed in the Masking Result text box.
  5. Verify the testing result and click Save.

    • Multiple character masking rules have been preset in DSC. Built-in masking rules cannot be deleted. To delete a custom masking rule, click Delete in the Operation column of the target rule.
    • All rules can be edited. To edit a rule, locate the row containing the rule and click Edit in the Operation column.

Keyword Replacement

This method masks data by replacing matched keywords with custom strings. For example, if the original characters are abcdefgbcdefgkjkoij, the keyword is bcde, and the replacement string is 12, the masking result is a12fg12fgkjkoij.

  1. Access the Masking Rule page by referring to Procedure.
  2. Click the Keyword Replacement tab.

    Figure 5 Keyword Replacement

  3. Click Add in the upper left corner. The Add Keyword page is displayed.
  4. Set the keyword and the replacement string.

    The keywords matched in the raw data will then be replaced with the replacement string.
    Figure 6 Adding a keyword

  5. Enter the raw data and click Test. The masking result will be displayed in the Masking Result text box.
  6. Verify the testing result and click Save.

    • To modify a configured masking rule, locate the row containing the rule and click Edit and Test in the Operation column.
    • To delete a configured masking rule, locate the row containing the rule and click Delete in the Operation column.
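The following added example, not part of the DSC documentation, implements the six Character Masking methods listed above and the Keyword Replacement method, using the page's own "abcdefgbcdefgkjkoij" example for the latter. It assumes positions X and Y are 1-based and inclusive and that the first occurrence of the special character is the split point (the page does not state either convention), uses a fixed cover character rather than the random-character option, and works on runes so multi-byte characters are masked whole. The phone number and email address are constructed samples.

```go
package main

import (
	"fmt"
	"strings"
)

// maskRunes replaces every rune of s at an index i for which hide(i, n)
// is true with cover; n is the rune count. Working on runes rather than
// bytes keeps multi-byte characters intact.
func maskRunes(s string, cover rune, hide func(i, n int) bool) string {
	r := []rune(s)
	for i := range r {
		if hide(i, len(r)) {
			r[i] = cover
		}
	}
	return string(r)
}

// KeepFirstLast keeps the first n and last m characters and masks the rest.
func KeepFirstLast(s string, n, m int, cover rune) string {
	return maskRunes(s, cover, func(i, l int) bool { return i >= n && i < l-m })
}

// MaskFirstLast masks the first n and last m characters and keeps the rest.
func MaskFirstLast(s string, n, m int, cover rune) string {
	return maskRunes(s, cover, func(i, l int) bool { return i < n || i >= l-m })
}

// KeepRange keeps positions x..y (1-based, inclusive; an assumption about the
// console's convention) and masks everything else.
func KeepRange(s string, x, y int, cover rune) string {
	return maskRunes(s, cover, func(i, l int) bool { return i < x-1 || i > y-1 })
}

// MaskRange masks positions x..y (1-based, inclusive) and keeps everything else.
func MaskRange(s string, x, y int, cover rune) string {
	return maskRunes(s, cover, func(i, l int) bool { return i >= x-1 && i <= y-1 })
}

// MaskBefore masks everything ahead of the first occurrence of sep; the
// separator and what follows it are kept. Values without sep are unchanged.
func MaskBefore(s, sep string, cover rune) string {
	idx := strings.Index(s, sep)
	if idx < 0 {
		return s
	}
	return maskRunes(s[:idx], cover, func(i, l int) bool { return true }) + s[idx:]
}

// MaskAfter masks everything that follows the first occurrence of sep.
func MaskAfter(s, sep string, cover rune) string {
	idx := strings.Index(s, sep)
	if idx < 0 {
		return s
	}
	start := idx + len(sep)
	return s[:start] + maskRunes(s[start:], cover, func(i, l int) bool { return true })
}

// ReplaceKeyword implements Keyword Replacement: every occurrence of keyword
// becomes repl, so "abcdefgbcdefgkjkoij" with keyword "bcde" and replacement
// "12" gives "a12fg12fgkjkoij", as on the page.
func ReplaceKeyword(s, keyword, repl string) string {
	if keyword == "" {
		return s // an empty keyword would match between every character
	}
	return strings.ReplaceAll(s, keyword, repl)
}

func main() {
	// Constructed sample values; neither is a real record.
	phone, email := "13812345678", "alice@example.com"
	fmt.Println(KeepFirstLast(phone, 3, 4, '*')) // 138****5678
	fmt.Println(MaskFirstLast(phone, 3, 4, '*')) // ***1234****
	fmt.Println(KeepRange(phone, 4, 7, '*'))     // ***1234****
	fmt.Println(MaskRange(phone, 4, 7, '*'))     // 138****5678
	fmt.Println(MaskBefore(email, "@", '*'))     // *****@example.com
	fmt.Println(MaskAfter(email, "@", '*'))      // alice@***********
	fmt.Println(ReplaceKeyword("abcdefgbcdefgkjkoij", "bcde", "12"))
}
```

When testing a rule in the console, check the result against values of different lengths: with fixed N and M, a value shorter than N+M is returned unmasked by the "retain" methods, so a rule tuned on 11-digit numbers may expose shorter ones entirely.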

Value Change

The following algorithms are built in:
  • Masking Using the Null Value: Sets fields of any type to NULL. For a field whose attribute is set to NOT NULL, the algorithm changes the attribute to NULL during the copy.
  • Masking Using the Empty Value: Sets the specified field to an empty value. Specifically, a character field is left blank, a numeric field is set to 0, a date field is set to 1970, and a time field is set to 00:00.

These are built-in masking rules of DSC and do not need to be configured. To view them, perform the following steps:

  1. Access the Masking Rule page by referring to Procedure.
  2. Click the Value Change tab.

    Figure 7 Value Change

Roundup

  1. Access the Masking Rule page by referring to Procedure.
  2. Click Round.

    There are two built-in data masking algorithms available:

    • Date Roundup: Used for time-related fields such as timestamp, time, date, and datetime in RDS.
    • Number Roundup: Used for numeric fields such as double, float, int, and long. After data masking, the original field type does not change.
    Figure 8 Value masking page

  3. Click Edit and Test and set Roundup Result.

    Masking Result: Rounds the raw data down to the nearest multiple of the given value. For example, if the given value is 5 and the raw data is 14, the largest multiple of 5 that does not exceed 14 is 10, so the masking result is 10.
    Figure 9 Number roundup

  4. Enter the raw data and click Test. The masking result will be displayed in the Masking Result text box.
  5. Verify the testing result and click Save.
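The following added example is not DSC's code; it works through the Roundup algorithms described above and the Value Change empty-value rule on sample values. Number Roundup is implemented as rounding down to the nearest multiple of the given value (raw 14, step 5 gives 10, as on the page), returning the same type as the input, with int64 and float64 standing in for the RDS int/long and float/double types. Date Roundup truncates a timestamp to the start of an hour, day or month; the page does not say which granularities DSC offers, so those three units are an assumption. The sample values are constructed.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// RoundDownNumber implements Number Roundup as the page describes it: the raw
// value is rounded down to the nearest multiple of step (raw 14, step 5 -> 10).
// The result has the same Go type as the input, mirroring the page's note that
// the field type does not change; int64 and float64 stand in for the RDS
// int/long and float/double types (an assumption).
func RoundDownNumber(raw interface{}, step float64) (interface{}, error) {
	if step <= 0 {
		return nil, fmt.Errorf("roundup step must be positive, got %v", step)
	}
	switch v := raw.(type) {
	case int64:
		s := int64(step)
		if float64(s) != step {
			return nil, fmt.Errorf("integer field needs an integer step, got %v", step)
		}
		q := v / s
		if v%s != 0 && v < 0 { // Go truncates toward zero; "downwards" means floor
			q--
		}
		return q * s, nil
	case float64:
		return math.Floor(v/step) * step, nil
	}
	return nil, fmt.Errorf("unsupported field type %T", raw)
}

// RoundDownDate implements Date Roundup by truncating a timestamp to the start
// of a unit. The page does not say which granularities DSC offers, so "hour",
// "day" and "month" are an assumption.
func RoundDownDate(raw time.Time, unit string) (time.Time, error) {
	y, m, d := raw.Date()
	switch unit {
	case "hour":
		return time.Date(y, m, d, raw.Hour(), 0, 0, 0, raw.Location()), nil
	case "day":
		return time.Date(y, m, d, 0, 0, 0, 0, raw.Location()), nil
	case "month":
		return time.Date(y, m, 1, 0, 0, 0, 0, raw.Location()), nil
	}
	return time.Time{}, fmt.Errorf("unsupported roundup unit %q", unit)
}

// EmptyValue implements "Masking Using the Empty Value" for the field types
// the page lists: a character field is left blank, a numeric field becomes 0
// and a date or time field becomes 1970-01-01 00:00. Any other type falls
// through to nil, which is what "Masking Using the Null Value" yields for all.
func EmptyValue(raw interface{}) interface{} {
	switch raw.(type) {
	case string:
		return ""
	case int64:
		return int64(0)
	case float64:
		return float64(0)
	case time.Time:
		return time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC)
	}
	return nil
}

func main() {
	// Constructed sample row: a salary, an age and a login timestamp.
	salary, _ := RoundDownNumber(1234.56, 100)
	age, _ := RoundDownNumber(int64(37), 10)
	login, _ := RoundDownDate(time.Date(2024, 11, 19, 15, 42, 7, 0, time.UTC), "day")
	fmt.Println(salary, age, login.Format(time.RFC3339), EmptyValue("secret") == "")
}
```

Rounding down is a generalisation, not a random perturbation: every raw value in a bucket maps to the same result, so the bucket width (the given value) decides how much precision the masked data keeps, and a negative raw value rounds further from zero (-14 with step 5 gives -15), which the integer branch handles explicitly because Go's division truncates toward zero.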

Simulation Masking

Once sensitive data is identified, it is replaced with simulated data. At present, this functionality is limited to OBS masking tasks.

Table 2 Supported simulation masking types

No. | Sensitive Data Rule                            | Simulation Masking Type
1   | ID card No. (Chinese mainland)                 | ID card number
2   | Birthday                                       | Random date (specified range)
3   | Date                                           | Random date (specified range)
4   | Mobile number (Chinese mainland)               | Mobile number
5   | Email address                                  | Email address
6   | Postal code (Chinese mainland)                 | Postal code
7   | Address (Chinese mainland)                     | Address
8   | Exact address (China)                          | Address
9   | International mobile equipment identity (IMEI) | IMEI
10  | IPv4 address                                   | IPv4 address
11  | IPv6 address                                   | IPv6 address
12  | Bank account number                            | Bank account number
13  | Person name (Simplified Chinese)               | Person name
14  | Car license plate number (Chinese mainland)    | Car license plate number
15  | Passport No. (Chinese mainland)                | Passport No.