
Data Management: Manage data masking algorithms

Last Updated: Jun 20, 2026

To prevent sensitive data leakage, you can configure a data masking algorithm for specific fields in Data Management Service (DMS). When you query or export data from these fields, DMS automatically masks the values based on the data masking rule you set. This topic describes how to add, view, and modify data masking algorithms for your sensitive data.

Prerequisites

  • You have one of the following system roles: Administrator, DBA, or Security Administrator. For more information, see View my system roles.

  • The sensitive data protection feature is enabled for the instance, and a sensitive data scan task is configured. For more information, see Enable sensitive data protection.

Usage notes

  • DMS data masking algorithms take effect when you query data in the SQL window, submit a database export ticket, or access the database instance by using a proxy endpoint generated by the secure access proxy feature.

    Note

    Data masking algorithms do not take effect if you use other tools to query data.

  • For an instance under security hosting, if you configure a partial masking algorithm for a field, you must obtain partial masking permissions to view the partially masked data. Without these permissions, the data is fully masked. For more information about how to request permissions, see Manage access control permissions.

  • After you add a new data masking algorithm, you must apply it to the target sensitive fields for it to take effect.

Add a data masking algorithm

  1. Log on to Data Management Service (DMS) 5.0.

  2. Move the pointer over the icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Sensitive Data > Rule Configurations.

    Note

    If you use the DMS console in normal mode, choose Security and disaster recovery (DBS) > Sensitive Data > Rule Configurations in the top navigation bar.

  3. Click the Data Masking Algorithm tab, and then click Add Data Masking Algorithm.

  4. In the New Algorithm panel, select and configure a data masking algorithm.

    The algorithms are listed below by type, each with its name and description.

    Type: Hash

    • MD5: A widely adopted cryptographic hash function that generates a 128-bit (16-byte) hash value.

    • SHA1: A cryptographic hash function that generates a 160-bit (20-byte) hash value, known as a message digest.

    • SHA256: Generates a 256-bit hash value.

    • HMAC: Authenticates a message by using a hash function and a secret key.

    Type: Masking

    • full masking: Masks the entire data value.

      For example, to fully mask the phone number 13811112222, set the masking string to ***********. The masked result is ***********.

    • fixed-position masking: Masks a specific part of a data value based on its position.

      For example, to mask the second segment of the IP address 192.168.255.254, set the masking string to * and specify the position range as (5,7). The masked result is 192.*.255.254.

    • fixed-character masking: Masks a specific character or string within a data value.

      For example, to mask example in the email address username@example.com, set the masking string to ******* and specify example as the string to be masked. The result is username@*******.com.

    Type: Replacement

    • map replacement: Replaces a target string with a replacement string.

      Note

      Use commas (,) to separate multiple strings. The number of target strings must match the number of replacement strings.

      For example, to replace ab with mn in the string abcd, set the target string to ab and the replacement string to mn. The masked result is mncd.

    • random replacement: Replaces characters at a specified position with random characters.

      For example, to randomly replace username in username@example.com, set the replacement position to (1,8) and the random characters to abc. A possible result is acbbbbac@example.com.

      Note

      If you specify two or more random characters, the masking result is non-deterministic.

    Type: Transformation

    • number rounding: Rounds down a number to a specified digit before the decimal point.

      For example, for the original value 1234.12, if you round to the second digit before the decimal point, the result is 1230.

    • date rounding: Rounds a date and time to a specified level of precision.

      For example, for the original value 2021-10-14 15:15:30, if you round to the nearest hour, the result is 2021-10-14 15:00:00.

    • character displacement: Performs a circular left shift on the characters of a string.

      For example, for the original value 345678, if you specify a left shift of 2 positions, the result is 567834.

    Type: Encryption

    • DES: Encrypts data by using the Data Encryption Standard (DES) algorithm. The key length is 8 characters, and the result is 16 characters.

    • AES: Encrypts data by using the Advanced Encryption Standard (AES) algorithm, which is more secure than DES. The key length is 16 characters, and the result is 32 characters.

    • AES encryption-enhanced: Encrypts data by using the AES algorithm with no key length limitation. The result is 32 characters.

    Type: Decryption

    • AES decryption: Decrypts data encrypted with the AES algorithm.

    • AES decryption-enhanced: Decrypts data encrypted with the AES encryption-enhanced algorithm.

    Type: Plaintext

    • Name: N/A. Description: N/A.

  5. Test the algorithm.

    1. Enter the original data.

    2. Click Test.

    3. Verify the result.

    For example, for the character displacement transformation, if you set the left shift to 2 and the original data to 345678, the result is 567834.

  6. Click Submit.

    Note

    By default, sensitive data is masked using the built-in 'DEFAULT' data masking rule. To apply your new data masking algorithm, see Manage sensitive data.

  7. View and modify the data masking algorithm for a field.

    After you add a data masking algorithm, you must navigate to the Sensitive Data Assets page and apply the new algorithm to the target fields for it to take effect.
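The masking, replacement and transformation examples from step 4 can be modelled locally to work out the output you should expect from the Test step before you submit an algorithm. The following Python sketch is an added example, not DMS code: the function names are hypothetical, and the semantics (1-based inclusive positions, the whole range replaced by the masking string, map pairs applied in order) are assumptions inferred from the examples on this page.

```python
import secrets
from decimal import Decimal

def _span(value, start, end):
    """Validate a 1-based inclusive (start, end) range; return slice bounds."""
    if not 1 <= start <= end <= len(value):
        raise ValueError(f"range ({start},{end}) outside value of length {len(value)}")
    return start - 1, end

def fixed_position_mask(value, start, end, mask):
    """Replace the whole range with the masking string (assumed semantics)."""
    lo, hi = _span(value, start, end)
    return value[:lo] + mask + value[hi:]

def fixed_char_mask(value, target, mask):
    """Replace every occurrence of `target` with the masking string."""
    return value.replace(target, mask)

def map_replace(value, targets, replacements):
    """Comma-separated targets map pairwise, in order, to replacements."""
    src, dst = targets.split(","), replacements.split(",")
    if len(src) != len(dst):
        raise ValueError("target and replacement counts must match")
    for old, new in zip(src, dst):
        value = value.replace(old, new)
    return value

def random_replace(value, start, end, alphabet):
    """Replace each character in the range with a random pick from `alphabet`."""
    lo, hi = _span(value, start, end)
    noise = "".join(secrets.choice(alphabet) for _ in range(hi - lo))
    return value[:lo] + noise + value[hi:]

def round_down(number, digit):
    """Round a non-negative number down to the digit-th place before the point."""
    unit = Decimal(10) ** (digit - 1)
    return int(Decimal(number) // unit * unit)

def shift_left(value, n):
    """Circular left shift by n characters."""
    n %= len(value) if value else 1
    return value[n:] + value[:n]

if __name__ == "__main__":
    # Inputs are the sample values used in the examples on this page.
    print(fixed_position_mask("192.168.255.254", 5, 7, "*"))
    print(map_replace("abcd", "ab", "mn"))
    print(shift_left("345678", 2))
```

With a single-character alphabet `random_replace` is deterministic; with two or more characters the output varies between calls, which matches the note on random replacement.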

View and modify field algorithms

  1. Log on to Data Management Service (DMS) 5.0.

  2. Move the pointer over the icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Sensitive Data > Sensitive Data Assets.

    Note

    If you use the DMS console in normal mode, choose Security and disaster recovery (DBS) > Sensitive Data > Sensitive Data Assets in the top navigation bar.

  3. In the Instance List section, find the target instance and click Sensitive Data List in the Operation column.

  4. On the Field Control tab, select the checkbox for each field whose algorithm you want to modify.

  5. In the upper-left corner, click Adjust Data Masking Algorithm.

  6. In the Select Data Masking Algorithm dialog box, choose a default masking algorithm or partial masking algorithm, specify an algorithm, and then click Save.

    Note

    To reset a field's custom data masking algorithm to the system default ('DEFAULT'), find the field in the list and click Reset Data Masking Algorithm in the Operation column.

FAQ

  • Q: If both a default masking algorithm and a partial masking algorithm are set for a sensitive field, which one does DMS use?

    A: DMS uses the partial masking algorithm. However, if the user viewing the data lacks the required permissions for partially masked or plaintext data, DMS falls back to the default data masking algorithm.

  • Q: How do I choose a data masking algorithm based on a field's security level?

    A: You can select an algorithm that aligns with your business requirements:

    • S1 (Low Sensitivity): Data can be displayed in plaintext. No data masking algorithm is needed.

    • S2 (Moderate Sensitivity): A partial masking algorithm is a suitable choice.

    • S3 (High Sensitivity): Data is confidential. A full masking algorithm is recommended.