All posts
August 25, 20222 min read

Dynamic Data Masking in pgcli: Secure Your Data Like a Pro

Data privacy is critical, especially when working with sensitive information in databases. One effective strategy is Dynamic Data Masking (DDM). Using DDM with pgcli, a popular command-line interface for PostgreSQL, allows you to secure sensitive data efficiently while maintaining access for authorized users. In this post, we'll explore what dynamic data masking is, why it's valuable, and how to set it up using pgcli. By the end, you’ll be ready to implement DDM seamlessly and improve your orga

Free White Paper

Data Masking (Dynamic / In-Transit) + VNC Secure Access: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

Data privacy is critical, especially when working with sensitive information in databases. One effective strategy is Dynamic Data Masking (DDM). Using DDM with pgcli, a popular command-line interface for PostgreSQL, allows you to secure sensitive data efficiently while maintaining access for authorized users.

In this post, we'll explore what dynamic data masking is, why it's valuable, and how to set it up using pgcli. By the end, you’ll be ready to implement DDM seamlessly and improve your organization’s data security practices.

What Is Dynamic Data Masking?

Dynamic data masking is the process of hiding or obfuscating certain parts of your database's data while still allowing essential operations, like queries or inserts. Instead of revealing sensitive fields like emails or credit card numbers in plain text, the data will appear partially masked, such as displaying only the last four digits of a credit card.

Key Benefits of Data Masking:

  • Enhanced Security: Helps minimize exposure of sensitive data to unauthorized users.
  • Compliance: Assists in meeting regulatory mandates, such as GDPR, HIPAA, or PCI DSS.
  • Controlled Access: Simplifies role-based access for different teams or users.

You won’t need to duplicate or completely restructure your database to implement DDM. Dynamic masking is processed in real time and does not permanently modify the data.

Why Use Dynamic Data Masking with pgcli?

pgcli is a user-friendly yet powerful tool for interacting with PostgreSQL databases. Its autocomplete and syntax highlighting features make it a popular choice among engineers. By integrating dynamic data masking into your database workflows through pgcli, you can:

  1. Secure Queries in Real Time: Execute SQL commands while ensuring sensitive fields are masked.
  2. Simplify Development Efforts: Masking is done dynamically, requiring minimal changes to existing applications.
  3. Collaborate Safely: Let your team query databases without risking unauthorized access to private data.

Setting Up Dynamic Data Masking in PostgreSQL

Adding data masking to PostgreSQL involves a combination of database roles, policies, and functions. With the right setup, pgcli queries will automatically mask sensitive data based on each user's permissions.

Steps to Implement Dynamic Data Masking:

1. Define Sensitive Data

Identify which columns require masking, such as:

Continue reading? Get the full guide.

Data Masking (Dynamic / In-Transit) + VNC Secure Access: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.
  • Email addresses
  • Social Security Numbers
  • Banking details

2. Create a Masking Function

Write a PostgreSQL function that transforms the sensitive data. For example, this function masks all but the last four characters of a column:

CREATE OR REPLACE FUNCTION mask_data(input TEXT)
RETURNS TEXT AS $$
BEGIN
 RETURN 'XXXX-XXXX-' || RIGHT(input, 4);
END;
$$ LANGUAGE plpgsql IMMUTABLE;

3. Use Security Policies

Leverage PostgreSQL’s Row-Level Security (RLS) to control who can see masked vs. unmasked data. First, enable RLS:

ALTER TABLE sensitive_table ENABLE ROW LEVEL SECURITY;

Then, create policies to handle the masking:

-- Masked view for general users
CREATE POLICY mask_policy
ON sensitive_table
FOR SELECT
USING (true)
WITH CHECK (true);

-- Allow unmasked data for admin users
CREATE POLICY unmask_policy
ON sensitive_table
FOR SELECT
USING (current_user = 'admin_user')
WITH CHECK (current_user = 'admin_user');

4. Apply the Mask in Queries

When general users interact with the table, they’ll see masked data automatically:

SELECT mask_data(email) AS masked_email FROM sensitive_table;

Authorized users or admins can run standard queries without masks, ensuring both security and usability.

Testing Masking with pgcli

Once the setup is complete, fire up pgcli and connect to your database:

pgcli -h localhost -U your_user_name -d your_database_name

Run sample queries to verify the behavior for different user accounts. Ensure:

  • Non-admin users see masked columns.
  • Admin users see raw data.

The masking logic should seamlessly adapt based on user roles.

Elevate Your Database Security Workflow

Dynamic data masking is an essential tool for securing sensitive data with minimal changes to your database architecture. By combining PostgreSQL’s masking capabilities with the ease of pgcli, you can ensure your data remains private without hampering usability.

Want to see how dynamic data masking works in action? With Hoop, you can connect, configure, and test masking workflows within minutes. Experience the easiest way to manage secure queries—try Hoop today!

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts