November 15, 2021

Encryption, Tokenization, Masking, and Redaction: Choosing the Right Approach


What’s the best way to protect sensitive data?

The answer, of course, is “it depends.” Organizations have too many different types of sensitive information, and too many ways to store and share it, to allow for a one-size-fits-all approach. Each of the common methods of protecting data—encryption, tokenization, masking, and redaction—might be the right solution for a given use case.


Typical uses: Secure data exchange; protecting data at rest; structured and unstructured data

Encryption is the strongest and most commonly-used method for protecting sensitive data. When properly implemented, encryption cannot be defeated by any known technology.

Encryption uses complex algorithms to convert the original data (plaintext) into unreadable blocks of text (ciphertext) that can’t be converted back into readable form without the appropriate decryption key.

Encryption can be implemented in many different ways, each suited to different use cases. Network encryption protects data as it travels, leaving data in the clear on either end of a transmission. Transparent encryption protects data at rest, decrypting the data before it’s accessed by authorized users. Persistent encryption protects data regardless of where it’s stored or copied, providing maximum protection against inappropriate use. Format preserving encryption protects data while maintaining the original formatting and length of the data.


Typical uses: Payment processing systems; structured data

Tokenization, like encryption, is a reversible process that replaces sensitive data with data that can’t be used by unauthorized parties. While encryption uses algorithms to generate ciphertext from plaintext, tokenization replaces the original data with randomly-generated characters in the same format (token values). Relationships between the original values and token values are stored on a token server. When a user or application needs the correct data, the tokenization system looks up the token value and retrieves the original value.

Tokenization is often used to protect credit card numbers or other sensitive information in payment processing systems, customer service databases, and other structured data environments. However, length-and-format-preserving encryption can address the same use cases, often with less complexity.


Typical uses: Test environments; structured data

Masking is essentially permanent tokenization. Sensitive information is replaced by random characters in the same format as the original data, but without a mechanism for retrieving the original values. This is a common practice in test environments, which require realistic-looking data but cannot be populated with actual customer or employee data.

Masking can also be used to control access to sensitive data based on entitlements. This approach, known as dynamic data masking, allows authorized users and applications to retrieve unmasked data from a database, while providing masked data to users who are not authorized to view the sensitive information.


Typical uses: Unstructured data; legacy data

Redaction is the permanent removal of sensitive data—the digital equivalent of “blacking out” text in printed material. Redaction can be accomplished by simply deleting characters from a file or database record, or by replacing characters with asterisks or other placeholders.

Automated data redaction is an effective method of eliminating sensitive data from documents, spreadsheets, and other files, without altering the remaining file contents. Organizations often adopt this approach to prevent the spread of sensitive information that has been extracted from a database and saved on file servers, laptops, or desktops.

Choosing a Solution

For use cases that involve sharing sensitive information between users, teams, or organizations, persistent encryption is the most effective option. No other technology provides adequate protection against misuse, while allowing access by authorized parties. A detailed strategy for encryption key management, including key creation, storage, exchange, and rotation, is essential for maintaining the security of an encryption system. With no endpoint software required, PK Encryption quickly secures files and data without application changes, additional infrastructure, or professional services. And it accomplishes all this without disrupting existing workflows.

For other use cases, the choice between encryption, tokenization, masking, and redaction should be based on your organization’s data profile and compliance goals. In some cases, a combination of technologies may be the best approach. Solutions such as PK Masking can be added to PK Encryption to mask or redact sensitive information, protecting privacy while maximizing data value.

PKWARE can help can help your organization design and implement a data security strategy that automatically protects data at the moment of creation, and keeps it safe no matter where files are copied or shared. Find out how solutions such as PK Encryption and PK Masking, part of the PK Protect suite, can help you meet your data protection and compliance goals. Get a free personalized demo now.

Share on social media
  • Apr'24 Breach Report-01
    PKWARE April 17, 2024
  • Data Retention: Aligning Data Protection Strategies with Compliance Requirements
    Ben Meyers March 13, 2024
  • Data Breach Report: March 2024
    PKWARE March 8, 2024
  • PCI DSS 4.0 Compliance: Safeguarding the Future of Payment Security
    PKWARE February 22, 2024