google-cloud-platformencryptiongoogle-cloud-dataflowgoogle-cloud-spanner

Can you mask confidential data in GCP - Spanner?


Is it possible to mask data items in one of the spanner columns where the data is confidence.

E.G spanner has 3 columns Name, DOB, Address.

Is there any way DOB can be masked/encrypted in the spanner UI OR would all encryption and decryption to be done at code level?

(I am aware of setting access to spanner etc but asking specifically if the data can be masked)


Solution

  • Up front - Cloud Spanner automatically encrypts all data when stored: https://cloud.google.com/spanner/docs/cmek

    That is however as I understand your question not what you are looking for. My understanding is that you would like one or more columns to be encrypted/obfuscated to any/some? reader(s).

    Encrypting is only possible at the application level. Your application would need to encrypt the data before writing it to Cloud Spanner.

    If you can suffice with just obfuscating the data, for example if you want to prevent people from accidentally showing it to people standing behind their desk while executing a query, then you could for example use a combination of the following:

    CREATE TABLE MyTable (
      Name STRING(100),
      FOB STRING(MAX),
      FOB_Obfuscated BYTES(MAX) AS (TO_BASE64(FOB)) STORED,
      Address STRING(200),
    ) PRIMARY KEY (Name);
    
    CREATE VIEW MyView SQL SECURITY INVOKER AS
    SELECT Name, FOB_Obfuscated AS FOB, Address
    FROM MyTable;
    
    CREATE ROLE reader_role;
    GRANT SELECT ON VIEW MyView TO ROLE reader_role;