# PostgreSQL Data Masking — Dynamic Masking Without an Extension > Role-based dynamic data masking for PostgreSQL. No extension, no superuser — one policy across community Postgres, RDS, Aurora, Cloud SQL, and AlloyDB, with approval workflow and audit. Source: https://www.bytebase.com/databases/postgres/data-masking/ --- ## Core Postgres has no dynamic data masking. Bytebase adds it — role-based masking in front of any Postgres. No extension. No superuser. The data at rest never changes; the result set does. Every do-it-yourself route carries a cost: ### Column privileges GRANT is all-or-nothing. The full column or none of it — no “last four characters.” ### Views + pgcrypto Masking views multiply with every role. Every schema change ripples through the set. ### PostgreSQL Anonymizer A capable extension — where you can install it. Managed Postgres doesn't guarantee that, and labels must be maintained per cluster. ### Row-level security RLS hides rows; it doesn't transform values. Seeing the row but not the SSN needs masking. ## A policy layer in front of Postgres. Not inside it. Masking runs in the result path, outside the database. Queries route through the SQL Editor; values transform on the way out based on who is asking. Nothing installs inside Postgres, so one policy covers every distribution. Masking propagates — mask a column and every dependent view inherits the policy. ### Global Masking Rule Workspace rules, first match wins. Conditions on environment, project, database, and classification pick the algorithm — full, partial, MD5, range, custom. ### Column Masking Project-level override for a single column. ### Masking Exemption Time-bound Query or Export exemptions for named users. Every grant logged. Every access logged. ## Same query. Different result by role. Partial masking on customers.email and customers.ssn — the table untouched: ``` -- Run in Bytebase SQL Editor as an analyst SELECT id, email, ssn FROM customers LIMIT 2; id | email | ssn ----+---------------------+------------- 1 | a******@example.com | ***-**-4801 2 | m******@example.com | ***-**-2210 ``` An exempted investigator runs the same query and sees cleartext. Both reads land in the audit log with per-column masking metadata. ## What this masks — and what it doesn't. Bytebase masks the through-Bytebase path: SQL Editor queries and approved exports. Your application's direct connection bypasses it, by design — the gateway governs human access. Pair it with just-in-time access so humans hold no standing credentials. To mask every connection on one cluster, use an in-database extension — the two compose. ## Common questions. ### Does PostgreSQL have built-in dynamic data masking? No. Core Postgres has column privileges and row-level security, but no native masking — unlike SQL Server or Oracle. It comes from an extension like PostgreSQL Anonymizer, or a policy layer in front of the database like Bytebase. ### Does masking change the data stored in Postgres? No. Values transform in the query result, at read time. Data at rest is untouched. Destroying data for lower environments is static masking — a different tool. ### Which PostgreSQL flavors are supported? Any Postgres Bytebase can connect to — community, RDS, Aurora, Cloud SQL, AlloyDB, managed forks. Masking runs outside the database, so there's no extension or superuser requirement. ### Does it mask my application's database connection? No. Bytebase masks the through-Bytebase path — SQL Editor queries and approved exports. Direct application connections are untouched; that path keeps its own credentials and controls. ### How does this compare to PostgreSQL Anonymizer? Anonymizer enforces inside one cluster, on every read path — where it installs. Bytebase enforces across the fleet with approval and audit, on the through-Bytebase path. They compose: Anonymizer for dumps and clones, Bytebase for human query traffic. ## Get Started - [Contact us](https://www.bytebase.com/contact-us/) - [Start now (cloud)](https://console.bytebase.com)