“Data Masking for PostgreSQL” (pg_datamask) is an extension for PostgreSQL provided by CYBERTEC, which allows you to limit the exposure of sensitive data, by masking it. If you want to provide real world testing data to your developers, “Data Masking for PostgreSQL” is the best way to proceed. Our extension will ensure that real data is never exposed to software developers while still ensuring that the characteristics of your data are preserved to allow realistic testing.

Securing data: The need for data masking

Masking data is not just a nice thing to have – it might even be required by law. Therefore, Cybertec provides a means to help PostgreSQL users protect their data.

What data masking can do for you:

  • Prevent data proliferation: The problem of data proliferation is affecting all areas of business and it can gravely affect the profitability of your businesses.
  • Conform to legal requirements: In recent years, various regulations and legal requirements such as PCI-DSS, GDPR (European Union General Data Protection Regulation) have been created to ensure private data stays private.
  • Protect secret information: In many cases, companies are working with highly critical data, which should not be seen by potential competitors.

Data masking is a solution to solve these problems in the most elegant way.

How data masking for PostgreSQL works

Our module hooks into the PostgreSQL core and processes data, while it is streamed out.
The way it works from a user’s point of view is to create a masked backup, which can then be used by developers to work on fully encrypted data. The advantage of the process is that developers are always clearly separated from the production system and there is no potential risk of a leak.


Here is how the process works:

  1. Configure PostgreSQL for data masking
  2. Build a model to handle encryption
  3. Create a user to create secure backups
  4. Take a masked backup
  5. Provide the secure backups to your developers


Customized masking vs. generic masking


Currently there are two options available to cypher data:

• Generic masking: We ship a ready made function, which is suitable for most people
• Custom built code: You can write your own functions to mask your data

Writing your custom code gives you all the flexibility you need to handle data the way you want.
If you just want to go the fast route, we will provide you with a ready made solution to handle your data. It allows you to get started quickly.

Generic masking: Our masking library

We have written a library, which allows you to choose how to mask specific data types. It allows you to easily customize your masking process while still providing a lot of efficiency because our library already provides a lot of functionality for the most typical use cases.

Our library has all you need:

  • Simple replacements for very basic needs
  • Full irreversible encryption

Limitations and side notes:

NULL fields will not be masked as the content is already “unknown” anyway.
It can also happen in some rare cases that CHECK constraints (e.g. CHECK (field < 100)) will fail on replay. To get around that, you have to write your own hand written cypher function or just ignore those failures on replay. The reason is that some constraints are so restrictive that automatic masking might not lead to reliable encryption, so we give the user the chance to decide on how to handle those cases directly.

Professional help

Contact us today for your personal offering. We offer you fast delivery, professional work and years of PostgreSQL experience.

Contact us!