Decrypting reversible masked data (Masking flow)

For the obfuscating data options, you can choose to mask data with the Reversible option where you can reverse the masking to recover the original values. After the source data is masked and stored in a target database, you can recover the original values by programmatically decrypt the encrypted value in the target database.

To decrypt reversible masked data:

1. After the masking flow job run is complete, retrieve the masking configuration that was used in the job by using the following REST API:

curl -H "Authorization: Bearer ${token}" https://${SERVER}/dp/api/v1/jobs/${JOB_ID}/runs/${JOB_RUN_ID}

For more information about generating a Bearer token, see Creating an IAM bearer token.

2. Find and save the masking configuration in the following tables policy format:

tables[{"policy":"", ....},...]

3. Develop a Java™ program that reads the target table and initialize the masking library:

import com.ibm.research.privacy.magen.core.engine.*

String magenConfig = Files.readString("<Path_to_tables_policy>");
Magen magen = new Magen(magenConfig);

4. For each column that was reversibly masked, retrieve the key and seed that was used:

String encryptionKey = <Get_from_encryptionKeys[columnName]_of_magenConfig>.toBytes(); 
String seed          = <Get_from_seeds[columnName]_of_magenConfig>.toBytes();

5. For each value of a column that was reversibly masked, use the following API to reverse the encrypted values back to original values:

MetaData md = new MetaData();
metadata.put(columnName, "true"); // where columnName is the name of column that was reversibly masked
String originalValue = magen.process("<maskedValue>", metadata, new State(encryptionKey, seed), null);