Privacera Documentation

Masking schemes

Masking schemes are one-way transformations of data that do not allow for decryption. Once a masking scheme is applied, the original data is completely replaced and cannot be unmasked.

Masking techniques

There are two different techniques that a masking scheme can use to mask your data:

  • Nullify: the original string is completely removed.

  • Redaction: the original string is overwritten with a masking character. You can specify a masking character, or use the default x.

    You can redact a string with a masking character that is repeated five times, or you can retain the format and length of the original string. This preserves all of the special characters in the original string and replaces the alphanumeric characters with the masking character.

    For example:

    • Original string: somebody@BigCo.com

    • Result without maintaining format and length: xxxxx

    • Result with maintaining format and length: xxxxxxxx@xxxxx.xxx
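
The two redaction modes and nullify, modelled locally as an added example (not Privacera code and not its API). The function names, the empty-string result for nullify, and the use of Python's str.isalnum() to decide what counts as alphanumeric are assumptions.

```python
# Added illustration: a local model of the masking techniques described above.
# Not Privacera's implementation; all function and parameter names are hypothetical.

DEFAULT_MASK_CHAR = "x"  # default masking character named on this page
FIXED_MASK_LENGTH = 5    # "repeated five times"


def nullify(value: str) -> str:
    """Nullify: remove the original string (assumption: modelled as an empty string)."""
    return ""


def redact(value: str, mask_char: str = DEFAULT_MASK_CHAR, keep_format: bool = False) -> str:
    """Redaction: overwrite the original string with a masking character."""
    if len(mask_char) != 1:
        raise ValueError("mask_char must be exactly one character")
    if not keep_format:
        # Constant output: independent of the input's length and structure.
        return mask_char * FIXED_MASK_LENGTH
    # Assumption: "alphanumeric" means str.isalnum(); all other characters stay in place.
    return "".join(mask_char if ch.isalnum() else ch for ch in value)


def retained_structure(value: str) -> dict:
    """What the format-preserving result still carries over from the input."""
    return {
        "length": len(value),
        "special_chars": [(i, ch) for i, ch in enumerate(value) if not ch.isalnum()],
    }


if __name__ == "__main__":
    sample = "somebody@BigCo.com"  # the example string from this page
    print(repr(nullify(sample)))
    print(redact(sample))
    print(redact(sample, keep_format=True))
    print(redact("555-12-3456", mask_char="*", keep_format=True))  # constructed value
    print(retained_structure(sample))
```

With format and length retained, the masked value still discloses the input's length and the position of each special character; the fixed five-character result discloses neither.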

Masking with the Encryption REST API

Masking schemes use the /protect REST API endpoint. Input to /protect must be in JSON format.

Because masking is one-way, do not use masking schemes with the /unprotect endpoint. Using a masking scheme with /unprotect returns an error.

You can combine masking and encryption in a single API request, so that you encrypt some fields and mask other fields at the same time.