Dynamic data masking with deterministic values

Aravindhan Ravichandran 20 Reputation points
2024-04-24T06:20:07.5333333+00:00

I would like to check for data masking solution when reading data from a SQL Server database.

To elaborate further, the data elements should be encrypted/masked when a set of users querying the tables. The data stored at rest should be clear (i.e. unmasked/ not encrypted).

Also, the masking values should be consistent(deterministic) across the database. E.g. if a username john - masked/encrypted to xyz in schema 1 table a, schema 2 table b should have the same masked/encrypted value for the same user. So that we can join the cross-schema tables.

Key notes:

  1. Data at rest should be in clear form i.e. unchanged from source.
  2. Encryption/masking should be deterministic.

I have explored the SQL Server TDE & DDE options but doesn't suit my requirements.

Would like to hear from experts who handled such a requirement in a SQL Server database.

Thanks in advance!

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
14,305 questions
{count} votes

Accepted answer
  1. Erland Sommarskog 115.4K Reputation points MVP
    2024-04-29T21:05:58.1066667+00:00

    You could also use the HASHBYTES function to produce your masked values.


1 additional answer

Sort by: Most helpful
  1. LiHongMSFT-4306 29,826 Reputation points
    2024-04-24T07:16:03.47+00:00

    Hi @Aravindhan Ravichandran

    How about encrypting data by using a symmetric key.

    See these docs: ENCRYPTBYKEY (Transact-SQL); CREATE SYMMETRIC KEY (Transact-SQL)

    Best regards,

    Cosmog Hong


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.