Data masking and subsetting is a paid Oracle option, not part of Advanced Security and not free with Enterprise Manager. Read the cost and the licensing boundary before you mask a single non production copy.
The Data Masking and Subsetting Pack is a paid Oracle Database option. It runs through Enterprise Manager, it is not part of Advanced Security, and using its features without the license is a common compliance gap.
The pack prepares safe non production data. It has two functions.
Masking irreversibly replaces sensitive values, such as names and account numbers, with realistic but fictitious data. The result is safe for development and testing.
Subsetting creates a smaller, representative copy of a production database, cutting the storage and refresh cost of non production environments. Oracle documents both on the Oracle data masking and subsetting page.
Advanced Security provides encryption and redaction on live data. The Data Masking and Subsetting Pack transforms copies for non production. They are different products with different licenses.
It is a Database option, licensed per processor or Named User Plus, and it depends on Enterprise Manager.
The pack operates through Enterprise Manager Cloud Control. The licensing chapter of the Oracle Database Licensing Information manual sets out the rules.
Where the Data Masking and Subsetting Pack sits among Oracle security options
| Product | What it protects | Reversible | Separate license |
|---|---|---|---|
| Data Masking and Subsetting | Non production copies | No, masking is permanent | Yes, this pack |
| Advanced Security TDE | Live data at rest | Yes, with the key | Yes, different option |
| Data Redaction | Live data on display | Yes | Part of Advanced Security |
| Data Safe | Cloud database security | Varies | OCI service |
You license the databases where the pack is used. The boundary is where teams get caught.
If masking or subsetting is performed against a database, that database needs the pack. The production source that you mask from is generally in scope.
For databases in Oracle Cloud, Oracle Data Safe offers masking features under a different model. Do not assume on premises pack rights extend to the cloud service or the reverse.
The common advice is that masking is a security best practice you should simply turn on, and that owning Advanced Security covers it. We disagree. In roughly 6 out of 10 estates we reviewed, teams masked non production data believing their encryption license covered it, when masking requires a separate pack that was never on the contract. The buyer side move is to confirm the Data Masking and Subsetting Pack is licensed on every database where masking or subsetting runs before you enable the feature, and to keep it clearly separate from Advanced Security in your license records. Good security practice does not grant a license you did not buy.
Source: Redress Compliance advisory engagement file, 2024 to 2025.
Masking makes the data safe. It does not make the license appear. The pack that performs the masking is a separate purchase, and Enterprise Manager records that you used it.
The option lists at 11,500 dollars per processor plus 22 percent support.
Three moves keep masking compliant and affordable.
Identify every database where masking or subsetting is performed today.
Record the pack distinctly, so no one assumes encryption rights cover masking.
Match the pack to the databases that actually run it, and re check each quarter.
White Paper · Oracle
Cut Oracle Spend 30 to 50%: The 5 Year Playbook
The five year buyer side playbook that cuts Oracle spend across Database, Java, Apps, OCI, and support, and the math behind a 30 to 50 percent cut. Read it free.
No. Data masking and subsetting is a separate Oracle Database option. Advanced Security provides encryption and redaction on live data, while the Data Masking and Subsetting Pack transforms copies for non production. They have different licenses.
The 2026 list price is 11,500 dollars per processor plus 22 percent annual support, or 230 dollars per Named User Plus subject to Oracle minimums. You pay per processor on every database where the pack is used.
Yes. The Data Masking and Subsetting Pack operates through Oracle Enterprise Manager Cloud Control. Enterprise Manager records pack usage, which is the evidence an Oracle audit reads back to you.
You license the databases where masking or subsetting is performed. The production source you mask from is generally in scope. The licensing boundary on source and target databases is where teams most often get caught.
Masking irreversibly replaces sensitive values with realistic but fictitious data. Subsetting creates a smaller representative copy of a database. Both prepare safe non production environments and both are covered by the same pack.
No. Advanced Security does not grant masking rights. Masking requires the Data Masking and Subsetting Pack on the databases where it runs. Using masking features without that pack is a common compliance gap.
Not automatically. For databases in Oracle Cloud, Data Safe offers masking under a different model. Do not assume on premises pack rights extend to the cloud service or that cloud rights cover on premises databases.
Oracle reads Enterprise Manager and the database feature usage views. Performing masking or subsetting records the activity, so an audit can identify pack usage even where the pack was never licensed.
Oracle ULA exit moves, Java audit defense posture, certification framework, and the buyer side moves across the Oracle Database, Java, and EBS estate.
Used across more than five hundred enterprise engagements. Independent. Buyer side. Built for procurement leaders running the next renewal cycle.
