Column encryption

更新时间:
复制 MD 格式

Database Autonomy Service (DAS) supports column-level encryption for RDS for MySQL, RDS for PostgreSQL, PolarDB for MySQL, and PolarDB for PostgreSQL databases. You can encrypt specific data columns at rest to protect sensitive information, and authorized users can decrypt and access the plaintext data through a dedicated client driver.

Prerequisites

Before you start, ensure the following requirements are met:

  • Instance authorization: On the DAS Instance list page, authorize both sensitive data detection and column encryption for the destination instance.

    image

  • DAS Security Center:

    • You have purchased DAS Security Center.

    • You have a sufficient column encryption quota. If you have not enabled the free trial for column encryption or your quota is insufficient, purchase a new quota.

  • Region support: Your instance must be in a region that supports column encryption. See Product series and supported features for details.

  • Sensitive data detection: A detection task must be completed. For more information, see Manage sensitive data detection.

Billing information

  • Free tier: DAS provides a free quota to encrypt 1 column.

  • Paid tier: To encrypt more columns, purchase a Column Encryption Quota. This service is billed on a subscription (monthly or yearly) basis. For details, see Billing details.

  • KMS costs: If you use a KMS key for encryption, separate charges apply for the managed key service from KMS. For details, see Product Billing.

Encryption limitations and support

Database type

Version

Encryption algorithm

Encryption method

Permission

ApsaraDB RDS for MySQL

The major engine version is MySQL 5.7 or MySQL 8.0, and the minor engine version is 20240731 or later.

  • AES-128-GCM.

  • AES-256-GCM: Supported only if the minor engine version is 20241231 or later.

  • SM4-128-GCM: Supported only if the minor engine version is 20241231 or later.

  • local key.

  • KMS key: Supported only if the minor engine version is 20241231 or later and the storage type is cloud disk.

  • Ciphertext permission (no decryption permission): Supported only when a local key is used. This is the default permission.

  • Ciphertext permission (JDBC decryption): This is the default permission when a KMS key is used.

  • Plaintext permission.

ApsaraDB RDS for PostgreSQL

The major engine version is PostgreSQL 16, and the minor engine version must be 20241230 or later.

AES-256-GCM.

local key.

  • Ciphertext permission (JDBC decryption) (Default).

  • Plaintext permission.

PolarDB for MySQL

The major engine version is MySQL 5.7 or MySQL 8.0, and the database proxy version must be 2.8.36 or later.

Important

If you configure column encryption policies for a PolarDB for MySQL cluster, you must use a read/write cluster endpoint. Primary endpoints do not support column encryption policies. Configure database proxy and Manage endpoints.

AES-128-GCM.

local key.

PolarDB for PostgreSQL

The major engine version is PostgreSQL 14, and the database version is 2.0.14.15.31.0 or later.

AES-256-GCM.

local key.

PolarDB for PostgreSQL (Oracle Compatible)

Only the Oracle syntax-compatible version 2.0 is supported. The major engine version is PostgreSQL 14, and the database version is 2.0.14.15.31.0 or later.

AES-256-GCM.

local key.

PolarDB-X 2.0

The series must be Enterprise Edition. The database version must be polardb-2.5.0_5.4.20-20250714 or later.

  • AES-128-GCM.

  • AES-256-GCM: Supported only if the database version is polardb-2.5.0_5.4.21-20260414 or later.

  • SM4-128-GCM.

  • local key.

  • KMS key: Supported only if the database version is polardb-2.5.0_5.4.21-20260414 or later.

Configuration steps

  1. Log on to the DAS console.

  2. In the navigation pane on the left, click Security Center > Column Encryption.

  3. In the Actions column of the destination instance, find your instance in the list:

    1. To create a new policy, click Rapid Encryption.

      Note

      For an instance that already has an encryption policy, click Edit in the Actions column to modify the policy.

  4. In the Encryption Configuration side panel, select the Asset Type, Instance Name, Encryption Algorithm, Encryption Method, and Plaintext Permission Accounts. Then, select the destination Database, Table, and Column to encrypt, and click OK.

  5. On the main Column Encryption page, click the image icon to the left of the destination instance to expand the list of databases, tables, and columns.

  6. In the Actions column of the expanded list, click Disable Encryption or Enable Encryption, and then click OK in the dialog box that appears.

Accessing encrypted data from your application

To decrypt and read plaintext data, use a specific client driver in your application:

  • Java (JDBC): Use the EncJDBC driver to connect to the database.

  • Go: Use the alibabacloud-encdb-mysql-go-client driver.