configure
Configuration
The extension has currently a few options that be defined for the entire
instance ( inside postgresql.conf or with ALTER SYSTEM).
It is also possible and often a good idea to define them at the database level like this:
ALTER DATABASE customers SET anon.restrict_to_trusted_schemas = on;Only superuser can change the parameters below :
anon.algorithm
| Type | Text |
| Default value | ‘sha256’ |
| Visible | only to superusers |
This is the hashing method used by pseudonymizing functions. Checkout the pgcrypto documentation for the list of avalaible options.
See anon.salt to learn why this parameter is a very sensitive information.
anon.maskschema
| Type | Text |
| Default value | ‘mask’ |
| Visible | to all users |
The schema (i.e. ‘namespace’) where the dynamic masking views will be stored.
anon.restrict_to_trusted_schemas
| Type | Boolean |
| Default value | off |
| Visible | to all users |
By enabling this parameter, masking rules must be defined using functions
located in a limited list of namespaces. By default, pg_catalog and anon
are trusted.
This improves security by preventing users from declaring their custom masking filters.
This also means that the schema must be explicit inside the masking rules. For instance, the rules below would fail because the schema of the lower function is not declared.
SECURITY LABEL FOR anon ON COLUMN people.name
IS 'MASKED WITH FUNCTION lower(people.name) ';The correct way to declare it would be :
SECURITY LABEL FOR anon ON COLUMN people.name
IS 'MASKED WITH FUNCTION pg_catalog.lower(people.name) ';This parameter is kept to off in the current version to maintain backward
compatibility but we highly encourage users to switch to on when possible.
In the forthcoming version, we may define on as the default behaviour.
anon.salt
| Type | Text |
| Default value | (empty) |
| Visible | only to superusers |
This is the salt used by pseudonymizing functions. It is very important to define a custom salt for each database like this:
ALTER DATABASE foo SET anon.salt = 'This_Is_A_Very_Secret_Salt';If a masked user can read the salt, he/she can run a brute force attack to retrieve the original data based on the 3 elements:
- The pseudonymized data
- The hashing algorithm (see
anon.algorithm) - The salt
The GDPR considered that the salt and the name of the hashing algorithm should
be protected with the same level of security that the data itself. This is
why you should store the salt directly within the database with ALTER DATABASE.
anon.sourceshema
| Type | Text |
| Default value | ‘public’ |
| Visible | to all users |
The schema (i.e. ‘namespace’) where the tables are masked by the dynamic masking engine.
Change this value before starting dynamic masking.
ALTER DATABASE foo SET anon.sourceschema TO 'my_app';Then reconnect so that the change takes effect and start the engine.
SELECT start_dynamic_masking();