Oracle Cloud Infrastructure Documentation

Deterministic Encryption

Purpose

The Deterministic Encryption masking format encrypts column data with a cryptographic key using the Advanced Encryption Standard (AES-128). It supports format-preserving encryption, meaning that the format of the column data is preserved after encryption. For example, if you mask nine-digit numbers, the encrypted values also have nine digits.

Deterministic Encryption is a deterministic and reversible masking format. It is helpful when businesses need to mask their data and send it to a third party for analysis, reporting, or any other business processing purpose. When the processed data is received back from the third party, the original data can be recovered (decrypted) using the same seed value that was used to encrypt it.

Inputs

  • Regular Expression: Provide a regular expression if you want to mask a character or numeric type column. The specified regular expression must match all the original values in the column. If a value does not match the regular expression exactly, the masking format may no longer produce a one-to-one mapping; therefore, to ensure uniqueness, all the values must match the regular expression. The encrypted values also match the specified regular expression. Deterministic Encryption supports encryption of fixed-width strings only, so the input accepts a subset of the regular expression language and does not support the * or + quantifiers.

    See Also:

    Regular Expressions to learn how to write regular expressions.
  • Start Date and End Date: Provide the date range to mask a date type column. The start date and end date should be in YYYY-MM-DD format. The start date must be less than or equal to the end date.

    All the original values in the column being masked must be within the specified range. If a column value is not in the range, the masking format may no longer produce a one-to-one mapping. Therefore, to ensure uniqueness, all the original values must be within the specified range.

    The masking format generates dates within the specified range. Therefore, to ensure uniqueness, the number of possible dates in the range must be greater than or equal to the number of distinct original values in the column. If this condition is not met and the column has a uniqueness constraint, Data Masking returns an error.

  • Seed Value: Deterministic Encryption uses a seed value to generate a cryptographic key for encryption and decryption. Provide the seed value at the time of submitting the data masking job. It can be any string containing alphanumeric characters.
  • Decrypt Option: If your masking policy has a sensitive column using the Deterministic Encryption masking format, you are shown the decrypt option while submitting the data masking job. Choose this option to decrypt the encrypted column values.

Supported Data Types

  • Character
  • Numeric
  • Date

Characteristics

  • Combinable: No
  • Deterministic: Yes
  • Reversible: Yes
  • Uniqueness: Yes. Refer to the Inputs section to see specific conditions.

Example

Suppose you want to mask the column PHONE_NUMBER containing US phone numbers in the format (999) 999-9999, where each 9 represents a digit. Also, you want to preserve the structure of the phone numbers. You can use the Deterministic Encryption masking format with the regular expression [(][1-9][0-9]{2}[)][ ][0-9]{3}[-][0-9]{4} to generate phone numbers such as (123) 456-7890.
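The behaviour described on this page (a fixed-width pattern or a date range, a key derived from the seed, a deterministic and reversible mapping, and the one-to-one caveat for values that do not match) as an added worked example in Python. This code is not Oracle's and does not reproduce Data Safe's AES-128 implementation: the keyed permutation is an HMAC-SHA256 Feistel network with cycle walking, and the key is derived from the seed with PBKDF2 over a fixed salt; both are assumed choices made so the example runs on the standard library alone. The names PatternMasker, DateRangeMasker, IntegerPermutation, parse_pattern, rank and unrank are the example's own. The phone-number pattern is the one from the example above; the date range and seed values are constructed for the demonstration.

```python
"""Added example, not Oracle's code: format-preserving, deterministic, reversible masking
as the page describes it. Oracle says it uses AES-128; this demo instead uses an HMAC-SHA256
Feistel network with cycle walking and a PBKDF2 key from the seed (both assumed choices)."""
import hashlib
import hmac
import math
import re
from datetime import date, timedelta

def key_from_seed(seed):
    return hashlib.pbkdf2_hmac("sha256", seed.encode(), b"demo-salt", 100_000)

class IntegerPermutation:
    """Keyed bijection on [0, n): 10-round Feistel network plus cycle walking."""
    def __init__(self, key, n):
        self.key, self.n = key, n
        self.half_bits = (max(2, n.bit_length()) + 1) // 2  # 2**(2*half_bits) >= n
        self.mask = (1 << self.half_bits) - 1

    def _round(self, i, x):  # HMAC round function, output truncated to half_bits
        msg = i.to_bytes(2, "big") + x.to_bytes(16, "big")
        return int.from_bytes(hmac.new(self.key, msg, "sha256").digest()[:16], "big") & self.mask

    def _feistel(self, x, forward):
        left, right = x >> self.half_bits, x & self.mask
        for i in range(10) if forward else reversed(range(10)):
            if forward:
                left, right = right, left ^ self._round(i, right)
            else:
                left, right = right ^ self._round(i, left), left
        return (left << self.half_bits) | right

    def apply(self, x, forward=True):
        y = self._feistel(x, forward)
        while y >= self.n:  # cycle walking: re-apply until the result lands in [0, n)
            y = self._feistel(y, forward)
        return y

def parse_pattern(pattern):
    """Expand the fixed-width regex subset (literals, [..] classes with ranges, {n}) into
    one alphabet per character position; * and + are rejected, as the page states."""
    slots, i = [], 0
    while i < len(pattern):
        if pattern[i] in "*+":
            raise ValueError("only fixed-width patterns are supported (no * or +)")
        if pattern[i] == "[":
            j = pattern.index("]", i)
            expand = lambda m: "".join(map(chr, range(ord(m[1]), ord(m[2]) + 1)))
            alphabet, i = re.sub(r"(.)-(.)", expand, pattern[i + 1:j]), j + 1
        else:
            alphabet, i = pattern[i], i + 1
        count = 1
        if i < len(pattern) and pattern[i] == "{":
            j = pattern.index("}", i)
            count, i = int(pattern[i + 1:j]), j + 1
        slots.extend([alphabet] * count)
    return slots

def rank(value, slots):
    """Mixed-radix index of value; non-matching values are rejected (uniqueness caveat)."""
    if len(value) != len(slots):
        raise ValueError(f"{value!r} does not match the pattern width")
    r = 0
    for ch, alphabet in zip(value, slots):
        if ch not in alphabet:
            raise ValueError(f"{value!r} does not match the pattern at {ch!r}")
        r = r * len(alphabet) + alphabet.index(ch)
    return r

def unrank(r, slots):
    out = []
    for alphabet in reversed(slots):
        r, d = divmod(r, len(alphabet))
        out.append(alphabet[d])
    return "".join(reversed(out))

class PatternMasker:
    """Character/numeric columns: mask(value) encrypts, mask(value, decrypt=True) reverses."""
    def __init__(self, pattern, seed):
        self.slots = parse_pattern(pattern)
        self.perm = IntegerPermutation(key_from_seed(seed), math.prod(map(len, self.slots)))

    def mask(self, value, decrypt=False):
        return unrank(self.perm.apply(rank(value, self.slots), not decrypt), self.slots)

class DateRangeMasker:
    """Date columns: every value must lie in [start, end] (YYYY-MM-DD strings)."""
    def __init__(self, start, end, seed):
        self.start = date.fromisoformat(start)
        days = (date.fromisoformat(end) - self.start).days + 1
        if days < 1:
            raise ValueError("start date must be less than or equal to end date")
        self.perm = IntegerPermutation(key_from_seed(seed), days)

    def mask(self, value, decrypt=False):
        r = (date.fromisoformat(value) - self.start).days
        if not 0 <= r < self.perm.n:
            raise ValueError(f"{value} is outside the masking date range")
        return (self.start + timedelta(days=self.perm.apply(r, not decrypt))).isoformat()
```

PatternMasker(pattern, seed).mask(value) masks a value, and mask(value, decrypt=True) mirrors the page's Decrypt option; the same seed must be supplied for both. A value that does not match the pattern, or a date outside the range, raises ValueError rather than silently breaking the one-to-one mapping, and a pattern using * or + is rejected at parse time. Because the permutation is a bijection on the pattern's (or range's) domain, masking every distinct value in a column yields as many distinct masked values, which is the uniqueness property listed under Characteristics, and it also shows why the range must hold at least as many dates as the column has distinct values.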