Pattern 4: Encrypting Temporal Data
The final core pattern is handling sensitive dates, such as a date of birth. This is critical for regulations like HIPAA. The pattern is the same: encrypt the precise value but extract and preserve a less-sensitive derivative for analytics.
The Pattern
For a sensitive date field:
- Encrypt the full date_of_birth.
- Calculate and preserve a useful but less precise value, such as the age_range.
- Delete the original plaintext date.
Implementation
You will add this final piece of logic to your existing mapping processor.
- Start with your pipeline: Open the encrypt-pii.yaml file from Step 2. (Note: for simplicity, we are skipping the address step for this example.)
- Add the date encryption logic: Add the logic for the date_of_birth field to the bottom of the existing mapping processor.

Add this to your 'mapping' processor:

    # --- Logic from previous steps ---
    # (The existing logic for card numbers, ssn, and email remains here)

    # --- START: New additions for Date Data ---
    if this.customer.date_of_birth.exists() {
      # 1. ENCRYPT the full date of birth
      root.customer.date_of_birth_encrypted = this.customer.date_of_birth.encrypt_aes("gcm", env("TEMPORAL_ENCRYPTION_KEY"))

      # 2. PRESERVE an analytics-safe age range
      # (year subtraction only, so the age can read one year high before the birthday)
      let birth_year = this.customer.date_of_birth.parse_timestamp("2006-01-02").ts_year()
      let age = now().ts_year() - $birth_year
      root.customer.age_range = if $age < 18 { "under_18" }
        else if $age < 35 { "18-34" }
        else if $age < 55 { "35-54" }
        else { "55+" }

      # 3. DELETE the original field
      # Remove only the plaintext field; reassigning root.customer from this.customer
      # would discard the encrypted value and age_range set above.
      root.customer.date_of_birth = deleted()
    }

Note: This step uses a separate TEMPORAL_ENCRYPTION_KEY. Ensure you have set it as an environment variable.
Verification
When you run your data through the updated pipeline, the customer object will now be fully protected. The sensitive date_of_birth is encrypted, but a useful age_range has been preserved for demographic analysis.
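One way to check the result described above, as an added example that is not part of the original tutorial: a Python check that an output record no longer carries the plaintext date and that its age_range agrees with a known test date of birth. It goes beyond the page by also computing the exact age (completed years), since year subtraction alone can place a 17-year-old in "18-34". The function names and sample records are assumptions constructed for illustration.

```python
from datetime import date

def age_range(dob_text, today, exact=True):
    """Bucket a YYYY-MM-DD birth date using the page's four ranges.

    exact=False mirrors plain year subtraction; exact=True counts only
    completed years, so the bucket does not change before the birthday.
    """
    dob = date.fromisoformat(dob_text)          # ValueError on malformed input
    if dob > today:
        raise ValueError("date of birth is in the future")
    age = today.year - dob.year
    if exact and (today.month, today.day) < (dob.month, dob.day):
        age -= 1                                # birthday not reached yet this year
    if age < 18:
        return "under_18"
    if age < 35:
        return "18-34"
    if age < 55:
        return "35-54"
    return "55+"

def check_output(record, known_dob, today):
    """Return a list of problems found in one pipeline output record."""
    customer = record.get("customer", {})
    problems = []
    if "date_of_birth" in customer:
        problems.append("plaintext date_of_birth still present")
    encrypted = customer.get("date_of_birth_encrypted")
    if not encrypted:
        problems.append("date_of_birth_encrypted missing")
    elif known_dob in str(encrypted):
        problems.append("date_of_birth_encrypted contains the plaintext date")
    # Accept either rounding convention; anything else is a wrong bucket.
    allowed = {age_range(known_dob, today, exact=e) for e in (True, False)}
    if customer.get("age_range") not in allowed:
        problems.append("age_range does not match the known date of birth")
    return problems

# Constructed sample records (not real pipeline output).
TODAY = date(2025, 6, 1)
GOOD = {"customer": {"date_of_birth_encrypted": "constructed-ciphertext",
                     "age_range": "35-54"}}
LEAKY = {"customer": {"date_of_birth": "1985-03-15", "age_range": "35-54"}}

if __name__ == "__main__":
    print(check_output(GOOD, "1985-03-15", TODAY))
    print(check_output(LEAKY, "1985-03-15", TODAY))
    print(age_range("2007-12-20", TODAY, exact=False), age_range("2007-12-20", TODAY))
```
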
You have now learned the four core patterns for encrypting different types of sensitive data while preserving business value.