SQL Server 2016 – Data Masking

Another feature of SQL Server 2016 is dynamic data masking. This can be used to protect sensitive information (like a social security number or a credit card number) from being displayed in query results without affecting the underlying data. This can be set up without any application changes or any changes to existing queries or stored procedures.
Either a default mask can be used, or a custom mask can be defined.

I’m running 2016 CTP 2.0, so I’ll need to set some trace flags in order to use masking.

dbcc traceon(209,219,-1)

This isn’t needed for CTP 2.1 or later.

We can set up masking when we create our table. We’ll use the default masks in this example.

create table dbo.TestTable(
RecordId int not null identity(1,1) primary key,
Name varchar(30) not null,
SSN varchar(9) masked with (function = 'default()') not null,
CreditCardNumber varchar(16) masked with (function = 'default()') not null

I had originally used the ‘char’ data type for SSN, but masking didn’t work for that data type.
To view the masks, you’ll need to use a non-admin user to run your select query. Once that is done we’ll see ‘XXXX’ in the SSN and CreditCardNumber columns.
RecordId Name SSN CreditCardNumber
1 Record1 xxxx xxxx

For numeric columns we’ll see ‘0’ and date types are masked as ‘2000-01-01′.

There is also an ’email()’ function for masking. So the address ‘user@domain.com’ would be masked as ‘uXXX@XXXX.com’.

Custom Masking:
We can also define a custom masking function using ‘partial’. This will take 3 parameters: prefix, padding and suffix.
So for SSN, we can decide to mask the first 5 digits and allow the last 4 digits to be exposed.

SSN varchar(9) masked with (function = 'partial(0, "XXXXX", 4)') not null

will mask the value ‘000000000’ as ‘XXXXX0000’.

More Information:


One Response to SQL Server 2016 – Data Masking

  1. […] I’ll follow up in the coming weeks with more detailed posts on some of these features. SQL Server 2016 – Temporal Tables SQL Server 2016 – Data Masking […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: