SHA256 hashing email addresses for GDPR reasons

This is a followup on the previous post C# Mask email address for GDPR reasons, where user Inspector Cluedget pointed out that masking (replacing characters with *) an email address in the log file is the least safest of the data masking approaches available.

This extension method will SHA256 hash the email address and add a fake domain name (to make the string look like an email address).


using System.Security.Cryptography;
using System.Text;

namespace MyNamespace
  public static class StringFormatter
    public static string MaskEmail(this string s)
      return SHA256(s) + "";

    private static string SHA256(string s)
      SHA256Managed sha256 = new SHA256Managed();
      StringBuilder hash = new StringBuilder();
      byte[] hashArray = sha256.ComputeHash(Encoding.UTF8.GetBytes(s));
      foreach (byte b in hashArray)
      return hash.ToString();


using MyNamespace;
public void TestMethod()
  string email = "";
  string maskedEmail = email.MaskEmail();
  // result:


With the new GDPR rules you must be very careful when storing emails or other personal information anywhere, including your log files. And you should never give out a log file containing email addresses to a third party, even when this third party is “just helping you with a totally unrelated code bug elsewhere”.

There are many approaches to ensure GDPR compliance. The best way is to remove any personal data from any log file. This is not always possible, feasible or practical, which is why pseudonymization or data masking approaches will come in handy.



About briancaos

Developer at Pentia A/S since 2003. Have developed Web Applications using Sitecore Since Sitecore 4.1.
This entry was posted in .net, c#, General .NET and tagged , , , , . Bookmark the permalink.

4 Responses to SHA256 hashing email addresses for GDPR reasons

  1. Pingback: C# Mask email address for GDPR reasons | Brian Pedersen's Sitecore and .NET Blog

  2. Pingback: Using Notepad++ to mask email address for GDPR reasons | Brian Pedersen's Sitecore and .NET Blog

  3. Mike says:

    ok, so how to decrypt it now?

  4. briancaos says:

    The whole point is that the SHA256 encryption cannot be decrypted. The GDPR rules state that you cannot store personal information without the users consent, and this includes storing email addresses in (for example) log files. Furthermore, you cannot give personal information to any 3rd party without the users explicit permission. Again this includes sending a log file to a 3rd party. The SHA256 de-personalizes the email address in a way where the same user will have the same key, but the key cannot be used to identify the user.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.