Working with masking rules using API or command line tool
If Encryptor finds a masking rule for an object, it removes all existing masks on that object and applies only the masks defined in the rule file.
For convenience, keep the rules for each object in its own file so they can be managed more easily. For example, you may keep the masking rules in rules_table1.txt, rules_table2.txt, and so on.
Listing
Masked objects can be listed only when a database is unlocked explicitly with the encryption password:
use mydb
open symmetric key dbdx decryption by password='MyPassword'
exec dbd_list_masked
Deletion
Masks can be removed only from a whole object. If you want to remove masking from a single column, redefine the rules without that column; you can simply comment its lines out with '--'.
Masks can be removed from an object with the command switch -z:
dbencrypt.exe -S server -p encryption_password -d dbname -z objname
Masks can be removed from the whole database with -Z:
dbencrypt.exe -S server -p encryption_password -d dbname -Z
Additionally, you may delete all masks from an object by listing its name with a preceding '!' in a rules file. For example, the following rules file removes masking only from table1 and table2:
!table1
!table2
A single mask can't be removed without redefining the other masks for the object. If you need to unmask a column, redefine the masking rules without that column. Let's say table1_rules.txt contains:
table1
colA
N'*'
table1
colB
N'*'
table1
colC
N'*'
If you want to unmask colB, re-apply the rules file without colB:
table1
colA
N'*'
table1
colC
N'*'
For convenience, you may comment it out instead:
table1
colA
N'*'
--table1
--colB
--N'*'
table1
colC
N'*'
Addition
In the same way, you can't add a single mask and assume the remaining masks on the object stay unchanged. Adding a mask requires redefining all other rules for the object. If you add a mask for colB, redefine all the other masks for the object as well:
table1
colA
N'*'
table1
colB
N'*'
table1
colC
N'*'
If you want to mask columns in other tables, create another rules file, for example table2Rules.txt. It is better to keep the mask information structured: store it in a separate file for each masked object:
table2
SecretfieldA
N'*'
table2
SecretfieldB
N'*'
table2
SecretfieldC
N'*'
This file contains rules only for table2, so other masked objects remain unchanged when it is applied. If there are many rule files, the following Windows command line applies all .txt files (you may change the extension of the files to .rules and adjust the mask accordingly):
forfiles /m *.txt /c "cmd /c dbencrypt64.exe -S .\servername -d dbname -p SuperPassword -a @file"
The command searches the current directory for all .txt files and applies each of them in turn with dbencrypt64.exe.
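Because each rule file replaces every mask on the objects it names, two files that both mention the same object means the file applied last silently discards the other's masks. The following added example (not part of the original page or of the Encryptor tool) lints a set of rule files for that situation before they are applied; the three-lines-per-rule layout, '--' comments and '!object' lines are assumptions inferred from the examples above, and the sample files are constructed.

```python
"""Lint masking rule files before applying them with dbencrypt.

Assumed rule-file layout (inferred from the page's examples, not a spec):
  - a rule is three consecutive lines: object, column, masking expression
  - a line beginning with '!' unmasks a whole object
  - a line beginning with '--' is a comment and is skipped
"""
from collections import defaultdict


def parse_rules(text):
    """Return (rules, unmasked): rules maps object -> [columns]."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("--")]
    rules, unmasked = defaultdict(list), []
    i = 0
    while i < len(lines):
        if lines[i].startswith("!"):          # whole-object unmask line
            unmasked.append(lines[i][1:].strip())
            i += 1
            continue
        if i + 2 >= len(lines):               # fewer than 3 lines left
            raise ValueError(f"incomplete rule starting at: {lines[i]!r}")
        obj, col, _expr = lines[i:i + 3]
        rules[obj].append(col)
        i += 3
    return dict(rules), unmasked


def find_conflicts(files):
    """Map each object to the files touching it; keep those in more than one."""
    touched = defaultdict(list)
    for name, text in files.items():
        rules, unmasked = parse_rules(text)
        for obj in list(rules) + unmasked:
            touched[obj].append(name)
    return {obj: fs for obj, fs in touched.items() if len(fs) > 1}


# Constructed sample rule files (hypothetical names and content).
SAMPLE_FILES = {
    "table1_rules.txt": "table1\ncolA\nN'*'\n--table1\n--colB\n--N'*'\ntable1\ncolC\nN'*'\n",
    "table2Rules.txt": "table2\nSecretfieldA\nN'*'\ntable2\nSecretfieldB\nN'*'\n",
    "extra.txt": "table1\ncolD\nN'*'\n!table3\n",
}

if __name__ == "__main__":
    for obj, fs in find_conflicts(SAMPLE_FILES).items():
        print(f"{obj} is defined in {fs}; the file applied last wins")
```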
Changing existing mask
Simply redefine a mask in a rules file and apply it.