Pgcli Dynamic Data Masking: Enhance Data Security with Ease

Data security is paramount, especially when databases contain sensitive information such as Personally Identifiable Information (PII) or financial records. PostgreSQL’s Dynamic Data Masking feature allows you to protect sensitive data by hiding it from unauthorized queries. Combining this with pgcli, a popular command-line interface for PostgreSQL, opens the door to improved workflows without compromising on security.

This blog post dives into how you can use Dynamic Data Masking in PostgreSQL and leverage pgcli to query and manage masked databases seamlessly.

What is Dynamic Data Masking in PostgreSQL?

Dynamic Data Masking (DDM) is a technique in PostgreSQL that applies rules to mask sensitive columns dynamically at query runtime. It ensures that certain individuals or groups see only obfuscated or partial data, based on defined security policies. For example, an employee may view customer names as "****" instead of their actual values while the database remains unaltered.

Why Does Dynamic Data Masking Matter?

  • Security: Prevent unintentional exposure of confidential data to unauthorized users.
  • Compliance: Helps organizations meet privacy regulations like GDPR, CCPA, or HIPAA.
  • Flexibility: Mask data dynamically without modifying the underlying table or disrupting applications.

When paired with pgcli, dynamic masking becomes more accessible during database management. You get a secure and seamless experience while handling queries or performing operations.

How to Set Up Dynamic Data Masking

Below is a step-by-step overview of implementing basic masking in PostgreSQL.

Step 1: Create a Sample Table

First, create a table with some sensitive data. For example:

CREATE TABLE employees (
 id SERIAL PRIMARY KEY,
 name VARCHAR(255),
 salary NUMERIC,
 ssn VARCHAR(11)
);

INSERT INTO employees (name, salary, ssn)
VALUES
('Alice', 90000, '123-45-6789'),
('Bob', 70000, '987-65-4321');

Step 2: Define Row-Level Masking Policies

PostgreSQL allows the use of row-level security (RLS) policies to restrict data visibility. You’ll need to enable RLS on the employees table.

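-- Turn on row-level security for the table.
ALTER TABLE employees ENABLE ROW LEVEL SECURITY;
-- Permissive policy for all roles: USING (true) makes every row visible,
-- WITH CHECK (true) accepts every inserted or updated row.
CREATE POLICY mask_ssn_policy ON employees
 USING (true)
 WITH CHECK (true);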

Step 3: Mask Sensitive Data

Now apply your desired masking rules to query results. This example lets regular users see only masked Social Security Numbers.

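-- Keeps only the last four digits: '123-45-6789' becomes '***-**-6789'.
CREATE OR REPLACE FUNCTION mask_ssn(data TEXT)
RETURNS TEXT LANGUAGE SQL AS $$
 SELECT '***-**-' || substring(data from 8);
$$;

-- Row policy keyed on the connected role: the USING test passes only for readonly_user.
CREATE POLICY ssn_mask_policy ON employees
 USING (current_user = 'readonly_user')
 WITH CHECK (true);

-- FORCE makes the table owner subject to the policies as well.
ALTER TABLE employees FORCE ROW LEVEL SECURITY;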

Any query by unauthorized users (like readonly_user) will return partial or masked data based on the function.

Step 4: Query with pgcli

Using pgcli, you can verify how masked data looks directly from the command line. For example:

pgcli -U readonly_user -d example_db
SELECT * FROM employees;

Results will return masked ssn values, keeping sensitive columns secure.
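
Row-level security policies decide which rows a role can read and do not rewrite column values, so one way to make a read-only role actually receive mask_ssn() output is a view combined with no privileges on the base table. The script below is an added example, not code from the original post, and it checks the result from the reader's side. Assumptions: the scratch schema ddm_demo, the view name employees_masked and the NOLOGIN role ddm_demo_reader (standing in for readonly_user) are hypothetical names, and the script is run as a superuser.

```sql
-- Added example: run as a superuser in a scratch database; ROLLBACK undoes it all.
BEGIN;
CREATE SCHEMA ddm_demo;                 -- assumed scratch schema
SET LOCAL search_path = ddm_demo;
CREATE ROLE ddm_demo_reader NOLOGIN;    -- stands in for the post's readonly_user

CREATE TABLE employees (
  id SERIAL PRIMARY KEY, name VARCHAR(255), salary NUMERIC, ssn VARCHAR(11));
INSERT INTO employees (name, salary, ssn) VALUES   -- constructed sample rows
  ('Alice', 90000, '123-45-6789'), ('Bob', 70000, '987-65-4321');

CREATE FUNCTION mask_ssn(data TEXT) RETURNS TEXT LANGUAGE SQL AS $$
  SELECT '***-**-' || substring(data from 8);
$$;

-- The view applies the mask. It reads the table with its owner's rights,
-- so the reader role needs no privilege on the base table at all.
CREATE VIEW employees_masked AS
  SELECT id, name, salary, mask_ssn(ssn) AS ssn FROM employees;

REVOKE ALL ON employees FROM PUBLIC;
GRANT USAGE ON SCHEMA ddm_demo TO ddm_demo_reader;
GRANT SELECT ON employees_masked TO ddm_demo_reader;

-- Verify from the reader's side.
SET LOCAL ROLE ddm_demo_reader;
DO $check$
DECLARE
  leaked integer;
BEGIN
  -- 1. No SELECT on the raw table or on its ssn column.
  IF has_table_privilege('employees', 'SELECT')
     OR has_column_privilege('employees', 'ssn', 'SELECT') THEN
    RAISE EXCEPTION 'reader can read the base table directly';
  END IF;
  -- 2. Every ssn the view returns has the masked shape ***-**-NNNN.
  SELECT count(*) INTO leaked
    FROM employees_masked
   WHERE ssn !~ '^\*{3}-\*{2}-[0-9]{4}$';
  IF leaked > 0 THEN
    RAISE EXCEPTION '% unmasked ssn value(s) returned by the view', leaked;
  END IF;
  RAISE NOTICE 'masking enforced for %', current_user;
END
$check$;
RESET ROLE;
ROLLBACK;
```

If either check fails, the DO block aborts with the exception text; on success it emits the NOTICE and the final ROLLBACK removes the schema and role.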

Advantages of Using Pgcli for DDM Workflows

Pgcli significantly streamlines masking management:

  1. Full Autocompletion: Write policies, filters, and administrative queries faster.
  2. Formatted Outputs: Observe data transformations or masked results in clear table formats.
  3. Multi-Session Control: Immediately test user-query access using multiple authenticated connections.

Implementing dynamic data masking using pgcli eliminates the need to switch between different tools, enabling a focused and smooth process.

See It Live in Minutes

Hoop.dev simplifies PostgreSQL workflows, including advanced configurations like Dynamic Data Masking. Try it today and experience how quickly you can integrate and manage secure database masking policies. Secure your data in less time and with less complexity—take a look now.
