The sensitive data protection feature of Data Management (DMS) provides the following data masking algorithms: hashing, cover, replacement, transformation, and encryption. You can customize different data masking rules based on a built-in data masking algorithm to define flexible data masking policies. The sensitive data protection feature provides a built-in full cover rule for data masking. If you want to use other data masking methods, you can create or change data masking rules by referring to the steps described in this topic.
Prerequisites
Your system role is an administrator, a database administrator (DBA), or a security administrator. For more information about how to view your system role, see View system roles.
Usage notes
In an instance for which the security hosting feature is enabled, after you configure a custom data masking rule on a field, you must apply for the partial masking permissions to view the data that is masked based on the data masking rule that you configure. Otherwise, you can view only the data that is fully masked. For more information about how to apply for the partial masking permissions, see Manage permissions.
After you create a data masking algorithm, you must change the data masking algorithm for the sensitive fields to the new data masking algorithm. This way, the data masking algorithm takes effect.
Create a data masking algorithm
Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose .
Note: If you use the DMS console in normal mode, choose in the top navigation bar.
On the Rule Configurations page, click the Data Masking Algorithm tab. On this tab, click Add Data Masking Algorithm.
In the New Algorithm panel, configure a data masking algorithm.
DMS provides the following built-in data masking algorithms.
| Algorithm type | Algorithm name | Description |
| --- | --- | --- |
| Hash | MD5 | Generates a 128-bit (16-byte) hash value. MD5 is a widely used cryptographic hash function. |
| Hash | SHA1 | Generates a 160-bit (20-byte) hash value called a message digest. SHA1 is a cryptographic hash function. |
| Hash | SHA256 | Generates a 256-bit hash value. |
| Hash | HMAC | Authenticates messages by using a hash function and a key. |
| Cover up | Full cover | Masks the entire value of a field. For example, if you want to fully mask the phone number 1381111****, set the Cover string parameter to ***********. Then, the data masking result is ***********. |
| Cover up | Fixed position cover | Masks the string at the fixed position of a field. For example, if you want to mask the second segment of the IP address 192.168.255.254, set the Cover string parameter to *** and the Mask position configuration parameter to (5,7). Then, the data masking result is 192.***.255.254. |
| Cover up | Fixed character mask | Masks the specified characters of a field. For example, if you want to mask example in the email address username@example.com, set the Cover string parameter to ******* and the String to be obscured parameter to example. Then, the data masking result is username@*******.com. |
| Replacement | Map replacement | Replaces the specified string with another string. Note: Separate multiple strings with commas (,). The number of strings to be replaced must be the same as that of the strings to be used for replacement. For example, if you want to replace ab in the string abcd with mn, set the Match String parameter to ab and the Replace By parameter to mn. Then, the data masking result is mncd. |
| Replacement | Random replacement | Replaces the specified part of a field with the random characters that you specify. For example, if you want to replace username in the email address username@example.com with random characters, set the Replacement position parameter to (1,8) and the Random character parameter to abc. Then, the data masking result may be acbbbbac@example.com. Note: If you specify two or more random characters, the data masking result is random. |
| Transformation | Number rounding | Rounds down a number to the specified digits before the decimal point. For example, if the raw data is 1234.12, and you set the Keep the first decimal place parameter to 2, the data masking result is 1230. |
| Transformation | Data rounded | Rounds a date and time. For example, if the raw data is 2021-10-14 15:15:30, and you set the Date rounding level parameter to hour, the data masking result is 2021-10-14 15:00:00. |
| Transformation | Character displacement | Moves characters of a field leftward in a loop manner. For example, if the raw data is 345678, and you set the String left shift number parameter to 2, the data masking result is 567834. |
| Encryption | DES | Uses the Data Encryption Standard (DES) algorithm to encrypt data. The key is eight characters in length, and the data masking result is 16 characters in length. |
| Encryption | AES | Uses the Advanced Encryption Standard (AES) algorithm to encrypt data. It is a more advanced encryption algorithm than the DES algorithm. The key is 16 characters in length, and the data masking result is 32 characters in length. |
| Encryption | AES encryption-enhanced | Uses the AES algorithm that does not limit the key length. The data masking result is 32 characters in length. |
| Decryption | AES decryption | Decrypts the data that is encrypted by using the AES algorithm. |
| Decryption | AES decryption-enhanced | Decrypts the data that is encrypted by using the AES encryption-enhanced algorithm. |
Test the data masking result.
Enter the raw data to be masked.
Click Test.
Check whether the data is masked as expected.
For example, if the raw data is 345678, and you set the Algorithm Type parameter to Transformation, the Level 2 parameter to Character displacement, and the String left shift number parameter to 2, the masking result should be 567834.
Click Submit.
Note: By default, the DEFAULT built-in rule is applied to sensitive data. For more information about how to apply a custom data masking rule to sensitive data, see Manage sensitive data.
Change the data masking algorithm for one or more fields.
After you create a data masking algorithm, you must change the data masking algorithm for the sensitive fields to the new data masking algorithm on the Sensitive Data Assets page. This way, the data masking algorithm takes effect.
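The cover, replacement and transformation rules from the algorithm table, reimplemented as an added Python example (not DMS code) so that the expected value for the Test step can be computed before a rule is submitted. The function names, the 1-based inclusive reading of positions such as (5,7), the single-pass map replacement and the day and minute rounding levels are assumptions inferred from the examples on this page.

```python
import re
import secrets
from datetime import datetime

# Added example, not DMS code. Positions are treated as 1-based and inclusive,
# which is inferred from the (5,7) and (1,8) examples in the table.

def _span(value, start, end):
    if not 1 <= start <= end <= len(value):
        raise ValueError(f"position ({start},{end}) is outside a {len(value)}-character value")
    return start - 1, end

def fixed_position_cover(value, cover, start, end):
    lo, hi = _span(value, start, end)
    return value[:lo] + cover + value[hi:]

def fixed_character_mask(value, target, cover):
    return value.replace(target, cover)

def map_replacement(value, match, replace_by):
    sources, targets = match.split(","), replace_by.split(",")
    if len(sources) != len(targets):
        raise ValueError("Match String and Replace By must list the same number of strings")
    mapping = dict(zip(sources, targets))
    # Single pass, so a replacement is never itself replaced (assumed behaviour).
    pattern = "|".join(re.escape(s) for s in sources)
    return re.sub(pattern, lambda m: mapping[m.group(0)], value)

def random_replacement(value, start, end, chars):
    lo, hi = _span(value, start, end)
    filler = "".join(secrets.choice(chars) for _ in range(hi - lo))
    return value[:lo] + filler + value[hi:]

def date_rounding(value, level):
    # Only "hour" appears on the page; "day" and "minute" are assumed levels.
    zeroed = {"day": ("hour", "minute", "second"),
              "hour": ("minute", "second"), "minute": ("second",)}
    dt = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
    return dt.replace(**{f: 0 for f in zeroed[level]}).strftime("%Y-%m-%d %H:%M:%S")

def character_displacement(value, shift):
    if not value:
        return value
    shift %= len(value)  # a shift longer than the value wraps around
    return value[shift:] + value[:shift]

if __name__ == "__main__":
    print(fixed_position_cover("192.168.255.254", "***", 5, 7))
    print(character_displacement("345678", 2))
```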
Change the data masking algorithm for one or more fields
Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose .
Note: If you use the DMS console in normal mode, choose in the top navigation bar.
In the Instance List section, find the instance that you want to manage and click Sensitive Data List in the Operation column.
On the Field Control tab, select the fields for which you want to change the data masking algorithm.
Click Adjust Data Masking Algorithm in the upper-left corner.
In the Select a data masking algorithm dialog box, select a custom data masking algorithm and click Save. For more information about how to create a data masking algorithm, see the Create a data masking algorithm section of this topic.
Note: The default data masking algorithm is DEFAULT. To reset the data masking algorithm of a field to DEFAULT, click Reset Data Masking Algorithm in the Operation column of the field.