Database Autonomy Service (DAS) supports column-level encryption for RDS for MySQL, RDS for PostgreSQL, PolarDB for MySQL, and PolarDB for PostgreSQL databases. You can encrypt specific data columns at rest to protect sensitive information, and authorized users can decrypt and access the plaintext data through a dedicated client driver.
Prerequisites
Before you start, ensure the following requirements are met:
-
Instance authorization: On the DAS Instance list page, authorize both sensitive data detection and column encryption for the destination instance.

-
DAS Security Center:
-
You have purchased DAS Security Center.
-
You have a sufficient column encryption quota. If you have not enabled the free trial for column encryption or your quota is insufficient, purchase a new quota.
-
-
Region support: Your instance must be in a region that supports column encryption. See Product series and supported features for details.
-
Sensitive data detection: A detection task must be completed. For more information, see Manage sensitive data detection.
Billing information
-
Free tier: DAS provides a free quota to encrypt 1 column.
-
Paid tier: To encrypt more columns, purchase a Column Encryption Quota. This service is billed on a subscription (monthly or yearly) basis. For details, see Billing details.
-
KMS costs: If you use a KMS key for encryption, separate charges apply for the managed key service from KMS. For details, see Product Billing.
Encryption limitations and support
|
Database type |
Version |
Encryption algorithm |
Encryption method |
Permission |
|
ApsaraDB RDS for MySQL |
The major engine version is MySQL 5.7 or MySQL 8.0, and the minor engine version is 20240731 or later. |
|
|
|
|
ApsaraDB RDS for PostgreSQL |
The major engine version is PostgreSQL 16, and the minor engine version must be 20241230 or later. |
AES-256-GCM. |
local key. |
|
|
PolarDB for MySQL |
The major engine version is MySQL 5.7 or MySQL 8.0, and the database proxy version must be 2.8.36 or later. Important
If you configure column encryption policies for a PolarDB for MySQL cluster, you must use a read/write cluster endpoint. Primary endpoints do not support column encryption policies. Configure database proxy and Manage endpoints. |
AES-128-GCM. |
local key. |
|
|
PolarDB for PostgreSQL |
The major engine version is PostgreSQL 14, and the database version is 2.0.14.15.31.0 or later. |
AES-256-GCM. |
local key. |
|
|
PolarDB for PostgreSQL (Oracle Compatible) |
Only the Oracle syntax-compatible version 2.0 is supported. The major engine version is PostgreSQL 14, and the database version is 2.0.14.15.31.0 or later. |
AES-256-GCM. |
local key. |
|
|
PolarDB-X 2.0 |
The series must be Enterprise Edition. The database version must be polardb-2.5.0_5.4.20-20250714 or later. |
|
|
Configuration steps
Log on to the DAS console.
-
In the navigation pane on the left, click .
-
In the Actions column of the destination instance, find your instance in the list:
-
To create a new policy, click Rapid Encryption.
NoteFor an instance that already has an encryption policy, click Edit in the Actions column to modify the policy.
-
-
In the Encryption Configuration side panel, select the Asset Type, Instance Name, Encryption Algorithm, Encryption Method, and Plaintext Permission Accounts. Then, select the destination Database, Table, and Column to encrypt, and click OK.
-
On the main page, click the
icon to the left of the destination instance to expand the list of databases, tables, and columns. -
In the Actions column of the expanded list, click Disable Encryption or Enable Encryption, and then click OK in the dialog box that appears.
Accessing encrypted data from your application
To decrypt and read plaintext data, use a specific client driver in your application:
-
Java (JDBC): Use the EncJDBC driver to connect to the database.
-
Go: Use the alibabacloud-encdb-mysql-go-client driver.