Logo

github Download
Masking

Masking #

Masking is a partial column encryption. Masking hides encrypted part from client apps which don’t have right decryption keys. In case of decryption failure, encrypted data will be replaced with a placeholder.

Use cases may include:

  • Credit card numbers (reveal only last N digits)
  • Mobile phone (again, reveal only last N digits, i.e. for recovery purposes)
  • First/last name (mask everything except 1-3 first characters)

Masking is “kinda anonymisation”. It’s helpful when the dataset should be shared with untrusted third parties.

Under the hood, AcraServer/AcraTranslator encrypts the data completely, and concatenates a piece of plaintext (defined by plaintext_length variable, see below). So the data itself is stored encrypted into AcraStruct/AcraBlock with a tiny chunk of plaintext data.

AcraServer is the only component that provides transparent masking for INSERT and UPDATE queries and transparent demasking for SELECT queries, with per column configuration.

AcraServer configuration #

In configuration file, passed by --encryptor_config_file flag, you can individually configure masking for any field of any table, if that field can be encrypted. These options are accepted:

schemas:
  - table: table_name
    encrypted:
      - column: masked_column_name

        # (required, must be non-empty)
        # Replacement string to use for masking out encrypted data.
        # If decryption fails, this string will be show instead of the masked
        # portion of the data.
        masking: "XXXXXXXXXXXX"

        # (required, must be non-negative)
        # How many bytes of plaintext to leave unencrypted.
        plaintext_length: 4

        # (required, allowed values: "left", "right")
        # Which side of the plaintext to leave unencrypted.
        # "plaintext_length" bytes will be retained from left or right side of
        # the data cell.
        plaintext_side: "right"

        # (optional, default: "acrastruct",
        # allowed values: "acrastruct", "acrablock")
        # Which cryptographic container to use for data encryption.
        crypto_envelope: "acrastruct"

        # (optional, default: false)
        # If true, data stored in AcraStructs will be transparently re-encrypted
        # into AcraBlocks.
        reencrypting_to_acrablocks: false

Examples #

Here are few examples of configuration and results it would give. The actual encrypted part of data will look differently in a database, and will take more bytes. Examples below only illustrate which part of plaintext would be encrypted.

Retain first five characters #

  masking: "*",
  plaintext_length: 5,
  plaintext_side: "left"
Viewpoint Visible data
database, encrypted Alan PGVuY3J5cHRlZD4=
authorized user, decrypted Alan Turing
unauthorized used, masked Alan *

Retain last four characters #

  masking: "XXXX XXXX XXXX ",
  plaintext_length: 4,
  plaintext_side: "right"
Viewpoint Visible data
database, encrypted PGVuY3J5cHRlZD4=3456
authorized user, decrypted 1234 5678 9012 3456
unauthorized used, masked XXXX XXXX XXXX 3456

Completely hide content #

  masking: "???",
  plaintext_length: 0,
  plaintext_side: "left"
Viewpoint Visible data
database, encrypted PGVuY3J5cHRlZD4=
authorized user, decrypted Nikola Tesla
unauthorized used, masked ???