
Data Management: Manage data masking algorithms

Last Updated: Mar 28, 2026

When a call center agent queries a customer's phone number, they should see ***-***-1234 instead of the full number. When a developer queries production data for troubleshooting, they should work with masked values rather than real PII. In Database Management (DMS), you configure data masking algorithms on sensitive fields. DMS then applies those algorithms automatically whenever the field is queried or exported through DMS.

This topic explains how to create a data masking algorithm and apply it to sensitive fields.

Prerequisites

Before you begin, make sure that:

Usage notes

  • DMS applies masking algorithms when you:

    • Query data in the SQL Console

    • Submit a database export ticket

    • Access the instance through the proxy endpoint of the secure access proxy feature

    Note

    Masking does not apply when you query data with tools outside of DMS.

  • In instances with security hosting enabled: if you configure a partial masking rule on a field, users must have partial masking permissions to view the partially masked data. Without those permissions, the field displays as fully masked. To grant partial masking permissions, see Manage permissions.

  • Creating a data masking algorithm does not automatically apply it to any field. After creating the algorithm, change the algorithm assignment for each target sensitive field.

Choose an algorithm

Select an algorithm based on the sensitivity level of the field:

| Sensitivity level | Recommendation |
|---|---|
| Low (S1) | No masking required — display in plaintext |
| Moderate (S2) | Partial masking algorithm |
| High (S3) | Full masking algorithm |

DMS provides the following algorithm types:

Hash

Converts field values to a fixed-length digest. Hashed values cannot be reversed.

| Algorithm | Output |
|---|---|
| MD5 | 128-bit (16-byte) hash |
| SHA1 | 160-bit (20-byte) hash |
| SHA256 | 256-bit hash |
| HMAC | Hash authenticated with a key |
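
The difference between the unkeyed digests and HMAC in the table above shows up when the same column is masked for two separate exports. The following Python is an added example, not DMS code; the function names, the sample values and keys, and the use of SHA256 inside HMAC are assumptions.

```python
import hashlib
import hmac

DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256}

def hash_mask(value, algorithm):
    """Unkeyed digest of a field value, hex-encoded."""
    return DIGESTS[algorithm](value.encode("utf-8")).hexdigest()

def hmac_mask(value, key, algorithm="SHA256"):
    """Keyed digest. The inner hash is an assumption; the page does not name one."""
    return hmac.new(key, value.encode("utf-8"), DIGESTS[algorithm]).hexdigest()

def joinable(column_a, column_b):
    """Count masked values present in both columns (rows an equality join matches)."""
    return len(set(column_a) & set(column_b))

# Constructed sample values and keys, not real data.
PHONES = ["555-0100", "555-0101", "555-0102"]
KEY_PROD = b"constructed-key-for-export-A"
KEY_TEST = b"constructed-key-for-export-B"

def compare_exports():
    """Mask the same column for two exports and report how many rows still join."""
    plain_a = [hash_mask(p, "SHA256") for p in PHONES]
    plain_b = [hash_mask(p, "SHA256") for p in PHONES]
    same_key_a = [hmac_mask(p, KEY_PROD) for p in PHONES]
    same_key_b = [hmac_mask(p, KEY_PROD) for p in PHONES]
    other_key = [hmac_mask(p, KEY_TEST) for p in PHONES]
    return {
        "unkeyed": joinable(plain_a, plain_b),            # same digest in every export
        "hmac_same_key": joinable(same_key_a, same_key_b),
        "hmac_different_keys": joinable(same_key_a, other_key),
    }

if __name__ == "__main__":
    for name in DIGESTS:
        print(name, len(bytes.fromhex(hash_mask("555-0100", name))), "bytes")
    print(compare_exports())
```

An unkeyed digest of a value is identical wherever it is computed, so masked columns from different exports still join on it; with HMAC the digest also depends on the key, so the key must be protected like any other secret.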

Cover up

Replaces part or all of a field value with a fixed cover string.

| Algorithm | How it works | Example |
|---|---|---|
| Full cover | Masks the entire value | Phone 1381111**** with cover string ********************** |
| Fixed position cover | Masks a fixed character range | IP 192.168.255.254, position (5,7) → 192.***.255.254 |
| Fixed character mask | Masks a specific substring | Email username@example.com, mask example → username@*******.com |

Replacement

Replaces part of a field value with another value.

| Algorithm | How it works | Example |
|---|---|---|
| Map replacement | Replaces specific strings with mapped substitutes. Separate multiple source strings with commas (,). The number of source strings must equal the number of replacement strings. | String abcd, replace ab with mn → mncd |
| Random replacement | Replaces a character range with random characters from a specified set. If you specify two or more characters, the result varies on each run. | Email username@example.com, position (1,8), random chars abc → acbbbbac@example.com |

Transformation

Adjusts numeric or date values to reduce precision.

| Algorithm | How it works | Example |
|---|---|---|
| Number rounding | Rounds down to the specified number of leading digits | 1234.12, keep 2 digits → 1230 |
| Data rounded | Truncates a datetime to a specified unit | 2021-10-14 15:15:30, round to hour → 2021-10-14 15:00:00 |
| Character displacement | Shifts characters leftward in a loop | 345678, shift 2 → 567834 |
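
The deterministic cover-up, replacement and transformation examples in the tables above can be reproduced offline to predict what the Test field should return. The following Python is an added example, not DMS code; the function names, the single-pass behavior of map replacement and the clamping of out-of-range positions are assumptions.

```python
import re
from datetime import datetime

def fixed_position_cover(value, start, end, cover="*"):
    """Cover characters start..end, 1-indexed and inclusive like the page's (5,7)."""
    if start < 1 or end < start:
        raise ValueError("expected 1 <= start <= end")
    end = min(end, len(value))               # clamp ranges that run past the value
    covered = max(end - start + 1, 0)
    return value[:start - 1] + cover * covered + value[end:]

def fixed_character_mask(value, target, cover="*"):
    """Cover every occurrence of target, keeping the value's length."""
    if not target:
        return value
    return value.replace(target, cover * len(target))

def map_replacement(value, sources, replacements):
    """Replace each comma-separated source string with its mapped substitute."""
    src, dst = sources.split(","), replacements.split(",")
    if len(src) != len(dst) or "" in src:
        raise ValueError("source and replacement counts must be equal and non-empty")
    table = dict(zip(src, dst))
    # Assumption: one pass, longest source first, so a substitute is never re-mapped.
    alternatives = sorted(table, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(s) for s in alternatives))
    return pattern.sub(lambda m: table[m.group(0)], value)

def character_displacement(value, shift):
    """Rotate characters to the left by shift positions, wrapping around."""
    if not value:
        return value
    k = shift % len(value)
    return value[k:] + value[:k]

_UNITS = {"day": {"hour": 0, "minute": 0, "second": 0},
          "hour": {"minute": 0, "second": 0},
          "minute": {"second": 0}}

def round_datetime(value, unit, fmt="%Y-%m-%d %H:%M:%S"):
    """Truncate a datetime string to the given unit (day, hour or minute)."""
    return datetime.strptime(value, fmt).replace(**_UNITS[unit]).strftime(fmt)
```

Character displacement only reorders characters, so rotating by the opposite shift restores the raw value, whereas the cover-up functions discard the covered characters.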

Encryption

Encrypts field values using a symmetric cipher. The result is stored as ciphertext.

| Algorithm | Key length | Output length |
|---|---|---|
| DES | 8 characters | 16 characters |
| AES | 16 characters | 32 characters |
| AES encryption-enhanced | No limit | 32 characters |

Decryption

Decrypts ciphertext that was previously encrypted by DMS.

| Algorithm | Decrypts |
|---|---|
| AES decryption | Data encrypted with AES |
| AES decryption-enhanced | Data encrypted with AES encryption-enhanced |

Plaintext

Displays the field value without any masking. Use this for low-sensitivity (S1) fields where you need to explicitly configure an algorithm.

Create a data masking algorithm

  1. Log on to the DMS console V5.0.

  2. Move the pointer over the icon in the upper-left corner and choose All Features > Security and Specifications (DBS) > Sensitive Data > Rule Configurations.

    Note

    In normal mode, choose Security and Specifications (DBS) > Sensitive Data > Rule Configurations from the top navigation bar.

  3. Move the pointer over the icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Sensitive Data > Rule Configurations.

    Note

    If you use the DMS console in normal mode, choose Security and disaster recovery (DBS) > Sensitive Data > Rule Configurations in the top navigation bar.

  4. Click the Data Masking Algorithm tab, then click Add Data Masking Algorithm.

  5. In the New Algorithm panel, select the algorithm type and configure its parameters.

  6. Test the algorithm before saving. For example, for the raw value 345678 with the type Transformation > Character displacement and a shift of 2, the expected result is 567834.

    1. Enter a sample raw value in the test field.

    2. Click Test.

    3. Verify the masked output matches your expectations.


  7. Click Submit.

    Note

    By default, DMS applies the built-in DEFAULT rule to sensitive data. To apply your custom algorithm to specific fields, complete the next procedure. See also Manage sensitive data.

Apply the algorithm to sensitive fields

After creating an algorithm, assign it to the sensitive fields where it should take effect.

  1. Log on to the DMS console V5.0.

  2. Move the pointer over the icon in the upper-left corner and choose All Features > Security and Specifications (DBS) > Sensitive Data > Sensitive Data Assets.

    Note

    In normal mode, choose Security and Specifications (DBS) > Sensitive Data > Sensitive Data Assets from the top navigation bar.

  3. Move the pointer over the icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Sensitive Data > Sensitive Data Assets.

    Note

    If you use the DMS console in normal mode, choose Security and disaster recovery (DBS) > Sensitive Data > Sensitive Data Assets in the top navigation bar.

  4. In the Instance List section, find your instance and click Sensitive Data List in the Operation column.

  5. On the Field Control tab, select the fields you want to update.

  6. Click Adjust Data Masking Algorithm in the upper-left corner.

  7. In the Data Masking Algorithm must be selected dialog box, select Default desensitization algorithm or semi-desensitization algorithm, specify the algorithm, then click Save.

    Note

    To reset a field to the DEFAULT algorithm, click Reset Data Masking Algorithm in the Operation column for that field.

FAQ

Which algorithm does DMS use when both a default masking algorithm and a partial masking algorithm are configured for the same field?

DMS uses the partial masking algorithm. If the user viewing the data does not have permissions to access partially masked or plaintext sensitive fields, DMS falls back to the default masking algorithm.

How do I choose between a partial masking algorithm and a full masking algorithm?

Match the algorithm to the sensitivity level of the field. For low-sensitivity fields (S1), no masking is needed — display in plaintext. For moderately sensitive fields (S2), such as email addresses and phone numbers, use a partial masking algorithm so users can recognize the general pattern without seeing the full value. For highly sensitive fields (S3), such as passwords or financial data, use a full masking algorithm so the entire value is concealed.