Data masking
Published 14 February 2018
During image creation, as of version 2.5.0, you can provide Clone with a masking set file to use with Data Masker 6. This allows you to sanitize your image before it can be used.
Once Clone has copied the data for the image, the agent will instruct Data Masker to run the rules specified in the masking set file on the image database. (Existing connection details in the masking set file will be ignored in favor of targeting the attached image database.) This will not affect the source database.
To perform masking, the agent will temporarily attach the image database to a SQL Server instance. See our documentation on where the image will be attached.
As noted above, masking occurs only after data copy. Because of this, we recommend that the image destination folder for images to be masked is accessible only to Clone agent accounts and trusted individuals.
Setting up Data Masker alongside Clone agents
To create a masked image, the SQL Clone agent will need to delegate the masking to Data Masker. If the agent detects that Data Masker isn't installed on its machine, it won't be able to mask images, and will not accept a masking set file.
- To create a masked image from a live database, install Data Masker on the same machine as the SQL Server instance hosting the live database.
- To create a masked image from a backup (.bak or .sqb), install Data Masker on the same machine as the temporary SQL Server instance specified during image creation.
Where do I get a masking set file?
Masking set files are generated using the Data Masker for SQL Server. They specify how to go about masking a database - what tables and columns to change, what data to use as replacement, and so on. See the Data Masker for SQL Server documentation, or access the training resources below, for more information.
You'll need to install Data Masker somewhere you can access, and use it to create your masking set file based on the database you're going to make masked images of.
Then you can save the masking set as a plaintext file to pass into the image modifications process.
Limitations
- You can't use a masking set created using Data Masker for SQL Server V7.1.33 and earlier that has multiple rule controllers with SQL Clone's imaging workflow. If using a Masking Set created using Data Masker for SQL Server V7.1.34 or later, this limitation does not apply. As Masking Sets created in V7.1.34 and later supports SQL Clone's imaging work flow for multiple Rule Controllers per database.
- There is a compatibility problem between SQL Clone and SQL Data Masker, which generates Executable not signed error when attempting to modify an Image with Data Masker as part of the image creation process:
- If using SQL Clone V5.4.21 or earlier, please ensure that you have SQL Data Masker V7.1.40 or earlier installed.
- If using SQL Clone V5.5.0 or later, please ensure that you have SQL Data Masker V7.1.41 or later installed.
Additional resources for Data masking
In addition to this documentation, the Redgate Hub offers the following resources to help you mask your data with Data Masker for SQL Server.
Redgate University online video class:
Getting started with Data Masker for SQL Server
Product learning technical 'how-to' article:
Getting Started with Data Masker for SQL Server: I Want to Mask A Database
Getting Started with SQL Data Masker: I Need to Mask some Columns