Managing PK in SDM when encrypted using masking

  • KM03639970
  • 14-May-2020
  • 14-May-2020


Databases offer data masking as a feature, that is, encrypting data to protect information. Here we clarify the concepts and how SDM works with masked primary keys.


Some customers use scripted primary key (PK) data from tables, in the same way as masked PK data. However, does BF give issues when PKs are used in SDM?


The above is question #1.
The SDM documentation covers this in two guides, but the information given is not clear enough.
As a result, SDM administrators and technical customers get confused about it.
Question #2: What does the documentation refer to?
The developers guide, page 19, Chapter 4: Advanced data masking, says the following:
  • Masking of primary keys is supported for copy jobs in non-intrusive environments only. If you
    choose to mask a primary key, you should always choose a reversible mask. Otherwise, when you
    reload the data into a database, your primary key values are lost, and your table may no longer
    behave as expected.
The troubleshooting guide, page 18, chapter: Diagnose data masking problems, says the following:
  • IMPORTANT: Masking primary keys is currently unsupported. (We believe it is referring to both environments, non-intrusive and intrusive.)
How should this be interpreted?
It's confusing. While going through it, I find that the developers guide talks about D2F whereas the troubleshooting guide talks about IPM.
In the case of D2F, there is no problem, because for CSV (or XML/JSON) output there is no need to maintain the relationship between the tables. When you want to upload/reload the data, however, you want the relationship back, and you can get it back only if you use reversible masking functions.
In the case of IPM, the data is changed in the source DB itself, so changing the primary key can cause a unique key constraint issue. We can overcome this by temporarily removing the unique/primary key constraint on the PK column and bringing it back after masking. To illustrate this, let us say you have used SSN as the primary key in a person table. Person X's SSN is 123-456-789 and person Y's SSN is 456-789-123. Let's say we use the FPE function SecureData_SSN and, when applied to X's SSN, it produces 456-789-123. That value is already in the table (for person Y), so you will have a unique key violation.
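The IPM collision described above, as an added example that is not from the SDM documentation or product: it uses Python's sqlite3 with an in-memory person table, and a constructed two-entry bijection stands in for SecureData_SSN. SQLite cannot drop a primary key constraint, so the workaround is shown as masking in a constraint-free copy and then rebuilding the table; the function names are hypothetical.

```python
import sqlite3

# Constructed stand-in for a reversible format-preserving mask: a fixed
# bijection over the sample SSNs. It is not the SecureData_SSN function.
MASK = {"123-456-789": "456-789-123", "456-789-123": "789-123-456"}

def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE person (ssn TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO person VALUES (?, ?)",
                   [("123-456-789", "X"), ("456-789-123", "Y")])
    db.commit()
    return db

def ssn_by_name(db):
    return dict(db.execute("SELECT name, ssn FROM person").fetchall())

def mask_in_place(db):
    """Row-by-row UPDATE with the PK active; returns the error text or None."""
    try:
        with db:  # rolls the whole job back on failure
            for (ssn,) in db.execute("SELECT ssn FROM person ORDER BY ssn").fetchall():
                db.execute("UPDATE person SET ssn = ? WHERE ssn = ?", (MASK[ssn], ssn))
    except sqlite3.IntegrityError as exc:
        return str(exc)  # X's masked SSN equals Y's still-unmasked SSN
    return None

def mask_without_constraint(db):
    """Mask in a copy that has no PK, then rebuild the table with the PK."""
    with db:
        db.execute("CREATE TABLE person_tmp (ssn TEXT, name TEXT)")
        db.execute("INSERT INTO person_tmp SELECT ssn, name FROM person")
        # The key is briefly non-unique here, so address rows by rowid.
        for rowid, ssn in db.execute("SELECT rowid, ssn FROM person_tmp").fetchall():
            db.execute("UPDATE person_tmp SET ssn = ? WHERE rowid = ?", (MASK[ssn], rowid))
        db.execute("DROP TABLE person")
        db.execute("CREATE TABLE person (ssn TEXT PRIMARY KEY, name TEXT)")
        # Re-adding the PK succeeds because the mask is a bijection.
        db.execute("INSERT INTO person SELECT ssn, name FROM person_tmp")
        db.execute("DROP TABLE person_tmp")

if __name__ == "__main__":
    db = new_db()
    print("in place:", mask_in_place(db))
    mask_without_constraint(db)
    print("after rebuild:", ssn_by_name(db))
```

Whether the in-place job fails depends on row order: masking Y before X would not collide in this two-row sample, which is why such failures can appear intermittent on real tables.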
Additional references:
Read the SDM runtime guide and developers guide.