Oracle Cloud Infrastructure Documentation

Deterministic Encryption


The Deterministic Encryption masking format encrypts column data using a cryptographic key and Advanced Encryption Standard (AES 128). The format of the column data after encryption is similar to that of the original values. For example, if you mask nine-digit numbers, the encrypted values also have nine digits.

Deterministic Encryption is a deterministic and reversible masking format. It is helpful when businesses need to mask and send their data to a third party for analysis, reporting, or any other business processing purpose. After the processed data is received from the third party, the original data can be recovered (decrypted) using the same seed value that was used to encrypt the data.


  • Regular Expression: Provide a regular expression if you want to mask character or numeric type column. The specified regular expression must match all the original values in the column. If a value does not match the regular expression exactly, the masking format may no longer produce one-to-one mapping. Therefore, to ensure uniqueness, all the values must match the regular expression. The encrypted values also match the specified regular expression. Deterministic Encryption supports encryption of strings of fixed widths. The input supports a subset of the regular expression language and does not support * or + syntax in regular expressions.

    See Also:

    Regular Expressions to learn how to write regular expressions.
  • Seed Value: Deterministic Encryption uses a seed value to generate a cryptographic key for encryption and decryption. Provide the seed value at the time of submitting the data masking job. It can be any string containing alphanumeric characters.
  • Decrypt Option: If your masking policy has a sensitive column using the Deterministic Encryption masking format, you are shown the decrypt option while submitting the data masking job. Choosing this option, you can decrypt the encrypted column values.

Supported Data Types

  • Character
  • Numeric


  • Combinable: No
  • Deterministic: Yes
  • Reversible: Yes
  • Uniqueness: Yes. Refer to the Inputs section to see specific conditions.


Suppose you want to mask the column PHONE_NUMBER containing US phone numbers of format (999) 999-9999, where 9 specifies a digit. Also, you want to preserve the structure of the phone numbers. You can use the Deterministic Encryption masking format with regular expression [(][1-9][0-9]{2}[)][ ][0-9]{3}[-][0-9]{4} to generate phone numbers such as (123) 456-7890.