
Protect sensitive data with format-preserving encryption and data masking

Enterprises need to protect sensitive data and reduce the scope of compliance audits by obfuscating data, so it is meaningless to anyone who might steal it. However, these enterprises frequently need to maintain the format of the data, so they can work with it in ways that don’t require some or all of the data in clear text. Traditional data encryption cannot preserve the data’s original format or support data masking.

An increasingly popular way to address these challenges is to tokenize sensitive data. Tokenization is particularly useful for cloud applications, because data can be protected before being sent to the cloud. This helps data owners maintain agility while complying with personal data protection regulations.

Entrust tokenization solution

The Entrust tokenization solution, delivered by the Entrust Data Protection Solutions Professional Services team, converts plain text data to format-preserving tokens that cannot be traced back to the original data except through secure de-tokenization. The underpinning cryptographic keys are protected by FIPS 140-2 and Common Criteria certified Entrust nShield® hardware security modules (HSMs), and the solution aligns with the compliance requirements of personal data protection laws.

The Entrust tokenization solution can pseudonymize data while preserving its original format, and it also supports data masking.


Data masking

Data masking is useful when organizations need to export data to third parties. Data is masked through the use of user-defined rules that define the format of the masked data. Masking can be combined with fixed-format encryption (FFE) to define the output format of the token.

For example, a credit card number can be tokenized using FFE to produce a number that is formatted like a credit card. A card number such as 4321-1234-1234-6789 could be tokenized to 4623-3221-5316-6789, with a rule that preserves the last 4 digits of the original card. The same card could also be masked to produce xxxx-xxxx-xxxx-6789, to be printed on receipts or in transaction registers. In either case, the output is determined by your rules and requirements.


The Entrust tokenization solution is a RESTful web service running on both Windows and Linux platforms. Administrators can configure tokenization profiles with a web UI, and application developers can integrate the solution with RESTful APIs. Implemented as a microservice, the solution is a self-contained package that is simple to deploy, manage, and maintain, and provides performance and scalability to an unlimited number of servers.

Audit logging

As an additional security control, the solution provides detailed logging of common operations (e.g. tokenization, de-tokenization, masking), as well as audit logging for critical operations (e.g. failed attempts or changes to tokenization settings).

Cloud ready

The Entrust tokenization solution is a cloud-ready application. Thanks to its microservice architecture, it requires minimal resources to put into operation, and performance is easy to scale up by assigning more system resources (e.g. CPU cores). With the help of a load balancer/API gateway, multiple instances of the Entrust tokenization solution can be built as a cluster to serve REST API requests.

Entrust Tokenization Benefits

Fast Development Time

The RESTful API enables integration with multiple programming language environments and reduces development effort.

Highly Scalable

Performance can be scaled up simply by assigning more system resources and adding a load balancer.

Multi-language support

Supports multiple character sets, including alphanumeric, numeric, numeric-Luhn, Chinese, Japanese, Korean, Thai, Vietnamese, and more.

