Format-Preserving Encryption (FPE)


Challenges


The purpose of most encryption tools and techniques is to mask data and allow it to be decrypted. Unfortunately, their processes result in ciphertext that is not human readable and is often longer than the original field value.

The challenge is to retain the original format of the data in its protected state, so that it appears real, preserves referential integrity checks, and can be used for testing.

Data protection needs to take into account both internal and external threats, including those against critical database and application resources. However, many protection mechanisms require application retooling or add complexity that delays or halts deployment. Format-preserving encryption overcomes these issues. It's an exciting step toward improved, simpler data protection and compliance with regulatory requirements.

-Trent Henry, Burton Group

Solutions


IRI's data masking software products encrypt personally identifiable information (PII) in databases and files with advanced (AES-128 and AES-256) Format-Preserving Encryption (FPE) technology. Harden your data one column (or field) at a time without altering the format or appearance of the original values.

With IRI FieldShield (for databases and flat files), IRI CellShield (for Excel), IRI DarkShield (for unstructured files), or IRI Voracity (for DBs, files, HDFS, etc.), you can apply ad hoc or global FPE functions on a rule basis to:

  • Keep and preserve original data formats
  • Maintain referential integrity
  • Eliminate the need for multiple masking and lookup tables
  • Eliminate changes to formats and to database or application schemas
  • Encrypt primary and foreign keys
  • Provide reversible data masking

For example, encrypt a 16-digit credit card number and display another 16-digit number in the same format:

[Figure: the credit card number before and after encryption]

1. What is format-preserving encryption (FPE)?
Format-preserving encryption (FPE) is a method of encrypting sensitive data while maintaining its original format, such as keeping a 16-digit credit card number as a 16-digit string. This allows encrypted data to remain compatible with existing database schemas and applications.
2. How does FPE differ from standard encryption?
Unlike traditional encryption methods that produce unreadable and differently sized ciphertext, FPE ensures the encrypted output matches the format of the original input. This avoids issues with storage limits, validation rules, or application schema changes.
3. What are the use cases for format-preserving encryption?
FPE is ideal for protecting personally identifiable information (PII) in environments where format, length, or schema constraints must be maintained. Common examples include credit card numbers, social security numbers, phone numbers, and primary keys.
4. How does FPE help with referential integrity?
By preserving formats and values across related fields, FPE enables encrypted data to maintain referential integrity between primary and foreign keys. This ensures that masked datasets can still be joined or queried meaningfully.
5. Can I apply FPE in both structured and unstructured data?
Yes. IRI supports FPE across structured (e.g., relational databases, flat files), semi-structured (e.g., JSON, XML), and unstructured data (e.g., documents and reports) through FieldShield, CellShield, DarkShield, and Voracity.
6. What algorithms are used for FPE in IRI products?
IRI uses NIST-approved AES-128 and AES-256 algorithms for format-preserving encryption, ensuring high levels of security while meeting regulatory and compliance standards.
7. Can I use FPE for masking credit card numbers?
Absolutely. FPE is commonly used for masking PANs (Primary Account Numbers) because it preserves the 16-digit numeric structure, making the masked data appear valid for testing while remaining secure.
8. Does FPE support reversible encryption?
Yes. FPE is a reversible data masking technique, meaning authorized users can decrypt the values using the correct key and library. This is useful for controlled access and secure data recovery.
9. Will I need to change my database schema to use FPE?
No. One of the main advantages of FPE is that it avoids the need to alter your database or application schema. Encrypted values retain the same length and format as the original data.
10. How is FPE implemented in IRI software?
IRI provides FPE functions that can be applied on a rule-based or ad hoc basis within its Workbench IDE. Users can configure encryption at the column or field level, maintaining consistency and auditability across data sources.
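
As an added illustration of the properties described in the answers above (same length and format, reversible with the key, and deterministic so that related keys still join), the following Python sketch builds a small Feistel cipher over decimal digits. It is not IRI's code and not an implementation of NIST FF1 or FF3-1; the HMAC-SHA256 round function, the round count, the 6-digit minimum and all function names are assumptions of this example.

```python
import hashlib
import hmac

DIGITS = set("0123456789")
ROUNDS = 10  # even, so both halves finish in their original positions

def _prf(key: bytes, rnd: int, n: int, tweak: bytes, half: str) -> int:
    # Round function (assumption of this example): HMAC-SHA256 over the round
    # number, total length, length-prefixed tweak and the other half.
    msg = bytes([rnd, n, len(tweak)]) + tweak + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")

def _check(digits: str, tweak: bytes) -> None:
    # Tiny domains can be enumerated, so very short inputs are refused.
    if not 6 <= len(digits) <= 255 or not set(digits) <= DIGITS:
        raise ValueError("expected 6 to 255 ASCII decimal digits")
    if len(tweak) > 255:
        raise ValueError("tweak too long")

def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    _check(digits, tweak)
    n = len(digits)
    a, b = digits[: n // 2], digits[n // 2 :]
    for i in range(ROUNDS):
        m = len(a)
        c = (int(a) + _prf(key, i, n, tweak, b)) % 10**m
        a, b = b, str(c).zfill(m)  # swap halves; new half keeps its width
    return a + b

def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    _check(digits, tweak)
    n = len(digits)
    a, b = digits[: n // 2], digits[n // 2 :]
    for i in reversed(range(ROUNDS)):
        m = len(b)
        c = (int(b) - _prf(key, i, n, tweak, a)) % 10**m
        a, b = str(c).zfill(m), a  # undo the swap
    return a + b

def mask_formatted(key: bytes, value: str, decrypt: bool = False) -> str:
    # Transform only the digits; separators such as '-' or ' ' stay in place.
    digits = "".join(ch for ch in value if ch in DIGITS)
    out = iter((fpe_decrypt if decrypt else fpe_encrypt)(key, digits))
    return "".join(next(out) if ch in DIGITS else ch for ch in value)
```

The same key and input always produce the same output, which is what keeps primary and foreign keys joinable after masking. The output is not adjusted to pass a Luhn check.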