DbDefence 7.7 introduces data masking feature. Data masking allows selectively mask sensitive fields in tables. Selected users or applications sees original unmasked data, while others see mask instead of data.

In Masking mode DbDefence encrypts whole database transparently and selectively mask fields.

This feature is available in BETA version for SQL Server 2008 R2, 2012, 2014, 2016, 2017 on X64 platform only. Please contact for more information.


Let's suppose we have a table with some sensitive information.

The goal is to protects fields selectively:

field cardholder - mask completely.
field cardnumber - mask partially, leave last 4 digits.
field cvc - mask completely with 3 zeroes.

Step 1. Creating rules.

We need to prepare text file with masking rules. Start Notepad and create the following file:

In this picture you can see a rule file for 3 fields to be masked: cardholder, cardnumber, cvc.

Lines starting from '--' are comments and just ignored as well as empty lines. The first line of the rule a table name without quotes or [ ]. In this example, the table name is cards. The second line is a name of the field. In this example it is cardholder. Third line is a mask - value shown to unauthorized users. This is a value for SQL Server and it may contain functions as shown for cardnumber.

Step 2. Encryption

Encryption with masking currently available only from the command line tool. In this example we run:

dbencrypt64.exe -S .\sqlexpress -d test -p SecurePassword123 -a rules.txt -F

The tool can be found in API folder of DbDefence installation folder.

-a specifies rules file, -F stands for "Forcibly close existing connections".

You may apply masking to already encrypted database. However in this beta version you change masking for the object which already has masked field.

Step 3. Verification

Let's see how it affected the table. Some unauthorized user (no matter if it is DBA or not) select from the table:

Someone who knows the password unlocks the database.

IMPORTANT: In this example we unlock access manually. In real life you may unlock access by SQL login or by selecting applications.

and select rows:

All users may simultaneously access the table. Unauthorized users will see masked data, while authorized users sees real values.


  • INSERT and UPDATE works well when access is unlocked. When table shows masked values (locked mode) INSERT and UPDATE may fail. Please contact us if you need assistance with it.       
  • If you plan to use the database in locked and unlocked mode you need to test it. Some applications may behave unpredictably when they see masked data.
  • BACKUP doesn't store masking rules. You need to store/deploy .dbd_key files manually.
  • The table can't be renamed or deleted in locked mode. If object is renamed in unlocked mode, masking will work incorrectly.