Data Masking

Overview

Data masking (Data Masking) is an important data security protection technology that effectively prevents privacy data leakage by deforming, replacing or hiding sensitive information.

Main sensitive information protected:

  1. Personal identity information: ID numbers, passport numbers, etc.
  2. Financial account information: Bank card numbers, credit card numbers, etc.
  3. Contact information: Phone numbers, fixed-line numbers, email addresses, etc.
  4. Other sensitive data: Social security numbers, medical record numbers, salary information, etc.

Common data masking methods:

  • Replacement: Such as replacing middle four digits of phone number with *
  • Encryption: Use encryption algorithms to encrypt data for storage
  • Perturbation: Random offset for numeric data
  • Deletion: Directly remove sensitive fields

Overall Architecture

ShardingSphere’s encryption module adopts a lightweight integration solution, mainly implemented through Encrypt-JDBC component.

Workflow:

  1. Integration method: Encrypt-JDBC is directly embedded in business applications as a Java library
  2. Workflow:
    • During write: Automatically encrypt sensitive fields
    • During query: Automatically decrypt result set

Core features:

  • Transparent processing: No business code modification required
  • Flexible configuration: Supports fine-grained control at field level
  • Algorithm extension: Allows custom masking algorithm implementation

Processing Flow

ShardingSphere maps logical columns to plaintext and ciphertext columns. When using Encrypt-JDBC for CRUD operations, the processing flow includes:

  1. SQL request interception phase
  2. SQL parsing and understanding phase
  3. Masking rule matching phase
  4. Data encryption/decryption processing phase
  5. Database interaction phase

Masking Rules

1. Encryptor Configuration

encryptors:
  aes_encryptor:
    type: AES
    props:
      aes-key-value: 123456abc
  md5_encryptor:
    type: MD5

2. Masking Table Configuration

tables:
  t_user:
    columns:
      phone:
        cipherColumn: phone_cipher
        plainColumn: phone_plain
        logicColumn: phone
        encryptor: aes_encryptor

3. Query Property Configuration

props:
  queryWithCipherColumn: true

Strategy Analysis

ShardingSphere provides two encryption strategies:

Encryptor

  • encrypt(): Used for encryption processing before data writing
  • decrypt(): Used for decryption processing after data reading

QueryAssistedEncryptor

A more secure and complex masking solution that ensures the same data produces different encryption results in different scenarios by introducing a changing seed.

Core functions:

  • encrypt: Encryption method
  • decrypt: Decryption method
  • queryAssistedEncrypt: Assisted query encryption method