Data Masking
The Data Masking Service provides data protection through masking, tokenization, and detokenization. It supports multiple masking strategies and can automatically select the appropriate strategy based on data classification.
Mask a Value
Apply a specific masking action to a single value:
POST /api/v1/governance/maskcurl -X POST "http://localhost:8080/api/v1/governance/mask" \
-H "Content-Type: application/json" \
-d '{
"value": "john.doe@company.com",
"actionType": "MASK",
"parameters": {
"maskingType": "PARTIAL",
"visibleChars": "4",
"maskChar": "*"
}
}'Response
{
"maskedValue": "john***************"
}Action Types
| Action Type | Description |
|---|---|
MASK | Replace characters with mask characters |
HASH | Replace value with a one-way hash |
ENCRYPT | Encrypt the value (reversible) |
TOKENIZE | Replace with a token (reversible via token vault) |
NULLIFY | Replace with null |
REDACT | Replace with "[REDACTED]" |
DENY | Block access entirely |
Masking Parameters
| Parameter | Description |
|---|---|
maskingType | FULL (all characters), PARTIAL (preserve some), PATTERN (regex-based) |
visibleChars | Number of visible characters for partial masking |
maskChar | Character used for masking (default: *) |
preserveFormat | Keep the original format (e.g., XXX-XX-1234 for SSN) |
Auto-Mask by Data Category
Automatically select the masking strategy based on the data's classification category:
POST /api/v1/governance/mask/autocurl -X POST "http://localhost:8080/api/v1/governance/mask/auto" \
-H "Content-Type: application/json" \
-d '{
"value": "123-45-6789",
"category": "PII"
}'Response
{
"maskedValue": "***-**-6789"
}Default Masking by Category
| Category | Default Strategy |
|---|---|
PII | Partial mask (last 4 visible) with format preservation |
PHI | Full mask |
PCI | Partial mask (last 4 digits visible): ****-****-****-1234 |
FINANCIAL | Hash |
Batch Mask
Mask multiple values with different strategies in a single request:
POST /api/v1/governance/mask/batchcurl -X POST "http://localhost:8080/api/v1/governance/mask/batch" \
-H "Content-Type: application/json" \
-d '{
"ssn": {
"value": "123-45-6789",
"actionType": "MASK",
"parameters": { "maskingType": "PARTIAL", "visibleChars": "4", "preserveFormat": "true" }
},
"email": {
"value": "john@company.com",
"actionType": "HASH",
"parameters": {}
},
"credit_card": {
"value": "4111-1111-1111-1111",
"actionType": "TOKENIZE",
"parameters": {}
}
}'Response
{
"ssn": "***-**-6789",
"email": "a8b7c6d5e4f3....",
"credit_card": "tok_abc123def456"
}Tokenization & Detokenization
Tokenization replaces sensitive values with non-sensitive tokens. The original values are stored in a secure token vault and can be retrieved by authorized users.
Tokenize (via mask with TOKENIZE action)
curl -X POST "http://localhost:8080/api/v1/governance/mask" \
-H "Content-Type: application/json" \
-d '{
"value": "4111-1111-1111-1111",
"actionType": "TOKENIZE",
"parameters": {}
}'Response: { "maskedValue": "tok_abc123def456" }
Detokenize
Retrieve the original value from a token:
POST /api/v1/governance/detokenizecurl -X POST "http://localhost:8080/api/v1/governance/detokenize" \
-H "Content-Type: application/json" \
-d '{
"token": "tok_abc123def456"
}'Response
{
"maskedValue": "4111-1111-1111-1111"
}Note: Detokenization requires elevated permissions and is fully audited.
Source Reference
| Component | File |
|---|---|
| Mask endpoint | GovernanceController.java -- maskValue() |
| Auto-mask | GovernanceController.java -- autoMaskValue() |
| Batch mask | GovernanceController.java -- batchMask() |
| Detokenize | GovernanceController.java -- detokenize() |
| Masking service | DataMaskingService.java |