Privacera Platform master publication

Masking schemes


Unlike some encryption schemes, which allow for decryption, a masking scheme is always a one-way transformation. There is no reversing the mask. The original string is completely replaced and cannot be unmasked.

Masking techniques

Masking has the following transformations, or techniques:

  • Nullify: the original string is nulled, completely removed.

  • Redaction: The original string is overwritten with a masking character you specify or with the default x. You can redact the string with that character, which is repeated five times. You can also redact with that character but retain the format and length of the original string, which preserves all special characters in the original string but replaces the alphanumeric characters with the specified masking character. Examples with masking character x:

    • Original string:

    • Result without maintaining format and length: xxxxx

    • Result with maintaining format and length:

Masking with the Encryption REST API

You use a masking scheme on the /protect REST API endpoint, with input to /protect in the a JSON structure similar to that used with an encryption scheme.

Because masking is one-way, you should not use it with the /unprotect endpoint, which is for decryption. Using a masking scheme with /unprotect returns an error.

You can combine masking and encryption in a single API request, so that you encrypt some fields and mask other fields at the same time.