Skip to content

What Are Mask Formats?

Mask Formats define how Shield should redact or obfuscate sensitive data. They control exactly what part of the data is hidden and how it's transformed during masking.

For example:

  • A U.S. Social Security Number might be masked to show only the last four digits.
  • An email address might have its username hidden but keep the domain visible.

Creating a New Mask Format

To create a new mask format:

  1. Click Add New Mask Format in the upper-right corner of the Mask Formats page.
  2. A panel will slide in from the right.
  3. Fill in the configuration fields described below.
  4. Click Save to apply.

Mask Format Configuration Fields

ID and Name

  • ID: An identifier. Must be unique.
  • Name: A readable label for use in the console.

Mask Character

The character used to replace masked portions of the string.

  • Example:
    Input: example
    Mask Character: *
    Output: *******

Stop Character

Masking will stop at this character.

  • Example:
    Input: example@domain.com
    Stop Character: @
    Output: *******@domain.com

Characters to Ignore

A set of characters that should be preserved in their original form.

  • Example:
    Input: john.doe@domain.com
    Ignore: @.
    Output: ****.***@*****.***

Number of Characters

Specifies how many characters to mask or keep depending on the selected behavior.

To Mask

Masks the specified number of characters starting from the beginning of the string.

  • Example:
    Input: john.doe
    Mask 2 characters → Output: **hn.doe

To Keep

Keeps the specified number of characters at the beginning, masking the rest.

  • Example:
    Input: john.doe
    Keep 2 characters → Output: jo******

Reverse Masking Order

Applies the masking or keeping from the end of the string rather than the beginning.

To Mask (Reversed)

  • Example:
    Input: john.doe
    Mask last 2 characters → Output: john.d**

To Keep (Reversed)

  • Example:
    Input: john.doe
    Keep last 2 characters → Output: ******oe
Advanced Settings

🛡️ MaskFormat – Advanced Settings Guide

The Advanced Settings for a MaskFormat define how values should be captured and masked using regular expressions. This gives you full control over how sensitive portions of a string are obfuscated.

🔧 Fields

1. Mask Capture Regex

A regular expression used to capture parts of the value you want to mask. You can define one or more capture groups depending on which parts of the data should be preserved or replaced.

2. Mask Replace Pattern

A replacement pattern string, using:

  • $1, $2, etc. – to reuse captured groups
  • !1, !2, etc. – to insert obfuscated versions of the captured values

3. Use Nullafi Capture Obfuscation Placeholder

Checkbox

When enabled, the replacement pattern can use !# style placeholders:

  • !1 replaces capture group 1 with a masked version (same length, replaced with *)
  • !2 replaces capture group 2, and so on

This gives you flexibility to selectively preserve or mask parts of the value.

✨ Examples

📱 Example 1 – Mask middle of a US phone number

Goal: Show +1, hide the next digits, show the last 2 digits.

Input

+14155552671

Mask Capture Regex

(\+1)(\d{7})(\d{2})

Mask Replace Pattern

$1!2$3

Output

+1*******71

Explanation:

  • $1 = country code (+1)
  • !2 = obfuscated middle (*******)
  • $3 = last two digits (71)

📧 Example 2 – Mask middle of email, keep first 2 characters and domain

Input

johndoe@example.com

Mask Capture Regex

(^..)(.*)(@.*)

Mask Replace Pattern

$1!2$3

Output

jo******@example.com

Explanation:

  • $1 = first 2 letters (jo)
  • !2 = obfuscated middle (******)
  • $3 = domain (@example.com)

📌 Summary

Field Type Description
Mask Capture Regex string (regex) Defines what to capture in the input string
Mask Replace Pattern string How to reconstruct the masked string using $n and !n placeholders
Use Nullafi Placeholder checkbox Enables use of !1, !2 to obfuscate specific captured values

Use this feature to precisely control which parts of sensitive strings are shown or hidden.