DocsICP FilingConsole
官方文档
首页

Database column encryption

更新时间:
复制 MD 格式
产品详情
我的收藏

Data Security Center (DSC) lets you configure column encryption for various database types, such as RDS for MySQL, RDS for PostgreSQL, PolarDB for MySQL, PolarDB for PostgreSQL, PolarDB for PostgreSQL (Compatible with Oracle), and PolarDB-X 2.0. This ensures that only authorized users can decrypt and access data in sensitive columns through an always-confidential client, preventing the plaintext from being exposed to unauthorized parties.

Important

  • The column encryption feature is available only to users of Data Security Center Free Edition, Advanced Edition, Enterprise Edition, 7-day trial version, and the Value-added Services Only Edition. If column encryption is not enabled or your column encryption quota is insufficient, upgrade your edition.

  • When a client queries an encrypted column using SQL, the query ignores the column's original data type and always returns data in string format. Configure column encryption with caution.

Procedure

After you activate a DSC instance, when you first use column encryption on the console, you must complete the following steps in order: authorize DSC to access cloud resources, perform database asset synchronization, run a sensitive data discovery job, and enable column encryption.

Step 1: Authorize DSC to access resources

After authorization, the DSC instance can access resources in cloud services such as Object Storage Service (OSS), ApsaraDB RDS, and MaxCompute.

  1. Log on to the Data Security Center console.

  2. In the RAM-based Authorization dialog box, click Authorize.

Step 2: Synchronize database assets

You must first synchronize your assets before using DSC to detect sensitive data or audit database activities in cloud products such as ApsaraDB RDS and PolarDB.

  1. In the left-side navigation pane, choose Asset Center.

  2. On the Asset Center page, click Asset synchronization.

    Note

    After you purchase a DSC instance, DSC automatically synchronizes your cloud asset list the first time you log on to the console, so no manual action is required. DSC automatically scans and synchronizes the asset list at 00:00 every day.

Step 3: Enable data classification and grading

To use column encryption, you must first authorize a database connection and complete a data discovery job. DSC supports Connect and Account Logon.

Note

You can select a connection method based on your data security requirements and the methods supported by your database, as listed in the table below.

  • Use a one-click connection if your database supports it and you do not need to use the database as a destination for data masking tasks.

  • If you need to use the database as a destination for data masking tasks, you must use a credential-based connection with an account that has read and write permissions.

Connection types and supported assets

Connection type

Description

Supported data asset types

One-click connection

Connect to the database with a single click in the console.

During the connection process, DSC automatically creates a read-only account in the target data asset. The account name starts with sddp_auto. DSC uses this account to connect to the target database for data detection tasks. Because this account has only read-only permissions, a database authorized using the one-click connection method cannot be the destination database for data masking tasks.

  • RDS:

    • MySQL

    • SQL Server (not supported for read-only instances)

    • MariaDB (not supported for read-only instances)

  • PolarDB:

    • MySQL

  • PolarDB-X 1.0 (DRDS)

  • PolarDB-X 2.0 (not supported for read-only instances)

  • OSS

  • TableStore

  • MaxCompute

  • SLS

Credential-based connection

Connect to the database by manually entering the database account and password.

  • If you connect to the database using a read-only account, you can perform sensitive data detection, data masking, and audit tasks on the database. However, the database cannot be the destination database for data masking tasks.

  • If you connect to the database using an account that has read and write permissions, the database can be the destination database for data masking tasks to store masked data.

  • Structured data:

    RDS, PolarDB, PolarDB-X (formerly DRDS), PolarDB-X 2.0, MongoDB, OceanBase, and self-managed databases

  • Big data:

    AnalyticDB for MySQL and AnalyticDB for PostgreSQL (also known as AnalyticDB for PG)

  1. In the left-side navigation pane, choose Asset Center.

  2. In the Structured Data section, click the data type for which you want to configure column encryption.

  3. Click the image icon in the Data Classification column of the target asset instance.

    Note

    Make sure that the instance has a database and its Instance Status is Running. If no database is created, you cannot enable data classification and grading or create the corresponding discovery job.

  4. In the Enable Classification and Grading dialog box, configure the parameters as described in the following table.

    Parameter

    Description

    Activation Method

    Configure the account information that is used to connect to the database for data detection. Two methods are supported:

    • Automatically create database accounts : DSC automatically creates a read-only account that starts with the sddp_auto prefix in the target data asset. DSC uses this account to connect to the target database and perform data detection tasks.

      Note

      This method is available only for data types that support one-click enablement.

    • Manually enter username and password: Enter the account and password that you use to connect to the database.

    Authorization Scope

    The authorization scope for data detection.

    • Entire data source.

    • Manage authorization scope in the data source list: Select the desired authorization scope.

    Automatically create and start a default scan task

    If you select this option, DSC automatically creates a default scan task after the database is successfully connected.

    On the Classification and Grading > Tasks > Identification Tasks tab, you can click Default Tasks to view the execution status of the scan task. For more information, see Scan for sensitive data using a detection task.

    Automatically connect to new databases.

    If you select this option, DSC automatically connects to new databases that are detected in your database instance after a manual or automatic asset sync.

  5. After completing the configuration, click OK.

Step 4: View database details

After the sensitive data discovery job is complete, view the information about the database instance that is connected to DSC, including the total number of columns, column encryption status, and database account information.

  1. In the left-side navigation pane, choose Risk Governance > Column Encryption.

  2. On the Column Encryption page, view the following information. You can use the search component above the database list to search for and view information about a target database instance by asset type, encryption status (such as encrypted columns, unencrypted columns, or encryption failed), or sensitivity level.

    Sensitivity level descriptions

    Sensitivity level

    Description

    N/A

    No sensitive information defined in the current identification template was detected.

    S1

    Non-sensitive data. Disclosing this type of data is unlikely to cause harm in most situations. Examples: provinces, cities, and product names.

    S2

    Generally sensitive data. This type of data is not suitable for public disclosure, and a data breach would have a low impact. Examples: names and addresses.

    S3

    Critically sensitive data. This data is highly sensitive, and even a minor leak could cause serious harm. Examples: ID documents, account passwords, and database information.

    S4

    Core confidential data. This data should never be disclosed under any circumstances. Examples: genetic data, fingerprints, and iris scans.

    Item

    Description

    Columns

    Indicates the total number of columns in the tables of a database instance that is successfully connected to DSC.

    Sensitive Data (S3 and Higher)

    Columns whose sensitivity level is S3 or higher based on data discovery results. This includes information such as sensitive columns, encrypted columns, unencrypted columns, and columns that failed to be encrypted.

    Accounts

    • Total Accounts: Each database-account pair is counted as one. For example, if Account C exists in both Database A and Database B, it is counted as two database accounts.

    • Accounts For Which No Encryption Configured: If encryption is not enabled for any column in the database, the account permission is Accounts For Which No Encryption Configured.

    • Number of accounts with Plaintext Permissions or Ciphertext Permission: When you enable column encryption for a database, you can set permissions for database accounts to access encrypted column data.

    You can click any number in the statistics or click Permission Settings. In the Permission Settings panel, search for and view all account information for the target database instance to confirm the access permissions for different database accounts.

    List information

    Displays information such as Instance name, Asset Type, Region, Encryption Algorithm, Plaintext Permission Accounts, and Encryption Check for the DSC instance.

    • You can configure column encryption only for instances that have Passed the encryption check.

    • If the Encryption Check is "Failed" due to an incompatible database version, click Upgrade in the Encryption Check column. This redirects you to the corresponding upgrade page in the ApsaraDB RDS or PolarDB console to upgrade the database version. For more information, see FAQ about check failures.

    After you upgrade the version or the status updates, you must perform Asset synchronization on the DSC console to fetch the latest database information.

    1. In the left-side navigation pane, choose Asset Center. On the Authorization Management tab, click Asset Authorization Management.

    2. In the Asset Authorization Management panel, click the target instance type (RDS or PolarDB) in the product name navigation pane on the left, and then click Asset synchronization.

Step 5: Configure column encryption

After you confirm the information of the target database instance and the Encryption Check result is Passed, complete the column encryption configuration.

Enable one-click encryption

Before you enable one-click encryption for a database, its encryption algorithm and method are not configured. In this state, you cannot enable encryption for individual columns of the database.

  1. DSC supports three methods to enable column encryption.

    • Click Rapid Encryption above the database instance list to configure column encryption for all unencrypted columns.

    • Click Rapid Encryption in the Actions column of the target database instance to configure column encryption for that instance.

    • On the Asset Center page, click the image icon in the Column Encryption column of the target database instance.

  2. In the Encryption Configuration panel, select the Asset Type, Instance name, Encryption Algorithm, Encryption Method, and Plaintext Permission Accounts. Then, select the target Databases, Table, and Column to encrypt, and click OK.

    Note the following parameter configurations:

    • Encryption Method

      If you set the Encryption Method to KMS Key, you must first create a symmetric key in Key Management Service (KMS).

      Important

      After configuring column encryption, if you modify the encryption method, DSC restarts the encryption task. During the restart, data in the originally encrypted columns is stored in plaintext, which poses a security risk of data exposure. To avoid this security risk, we recommend that you select a fixed encryption method and do not change it.

    • Plaintext Permission Accounts

      After you complete the encryption configuration, DSC grants all accounts for the database ciphertext permission by default.

      • For PolarDB for MySQL, PolarDB for PostgreSQL, PolarDB for PostgreSQL (Oracle Compatible), ApsaraDB RDS for PostgreSQL, and PolarDB-X 2.0 databases, accounts are granted Ciphertext Permission (JDBC Decryption) by default. These accounts can access ciphertext data by default and can access plaintext data after decryption through a client for client-side decryption.

      • For ApsaraDB RDS for MySQL databases where the Encryption Method is set to KMS Key, accounts are granted Ciphertext Permission (JDBC Decryption) by default.

      • For ApsaraDB RDS for MySQL databases where the Encryption Method is set to Local Key, accounts are granted Ciphertext Permission (No Decryption Permission) by default and can only access ciphertext data.

      You can select accounts to be added to an allowlist. These accounts will have plaintext permission to directly access the plaintext data in encrypted columns.

      Important

      When you authorize a database to connect to DSC, if you use a one-click connection, a database account whose name starts with sddp_auto is automatically created. If you use a credential-based connection, a database account is set in the credentials. This database account allows DSC to read database data for sensitive data classification and grading scans. Therefore, if you need to continue scanning the latest data in the database for sensitive data classification and grading, you must set this database account to have plaintext permission.

Other operations

Modify database account permissions

Except for accounts with Plaintext Permissions, all other accounts for the database instance have ciphertext permission. You can modify account permissions to Plaintext Permissions, Ciphertext Permission (No Decryption Permission), or Ciphertext Permission (JDBC Decryption) based on your business needs.

  1. On the Risk Governance > Column Encryption page, click Permission Settings in the Accounts section.

    Alternatively, in the Actions column of the instance list, click Edit. In the Edit panel, click Configure on Account Permissions.

  2. In the Permission Settings panel, search for the target instance and account to view the current account permissions.

    Note

    If a newly added database account is not displayed in the list, perform an Asset synchronization and then check again.

  3. Click Modify Permissions in the Actions column of the target account.

    You can also select multiple target accounts with the same permission and click Batch Modify Permissions below the list.

  4. In the Modify Permissions dialog box, select the target permission and click OK.

Modify column encryption configurations

After completing the encryption configuration:

  • In the instance list, expand the target instance. In the database list, find the target Databases, Table, and Column name, and click Enable Encryption or Disable Encryption to configure encryption for a single column.

  • In the Actions column of the instance list, click Edit. In the Edit panel, modify the encryption algorithm, encryption method, and the scope of encrypted columns.

    • Click Modify on Encryption Algorithm or Encryption Method to update the encryption algorithm or method.

      Important

      Modifying the encryption method restarts the encryption task. During the restart, data in the originally encrypted columns is stored in plaintext, which poses a security risk of data exposure. Proceed with caution.

    • In the database list for configuring encrypted columns, find the target Databases, Table, and Column name, and click Enable Encryption or Disable Encryption to update the scope of encrypted columns.

MySQL column encryption example

After configuring column encryption and account permissions, you can verify data access in encrypted columns. If an account with ciphertext permission retrieves ciphertext when accessing an encrypted column, this indicates that the configuration is effective.

Note

ApsaraDB RDS for PostgreSQL database accounts support only plaintext permission and ciphertext permission (JDBC decryption). The method for verifying column encryption data is the same as for ApsaraDB RDS for MySQL. The following section uses ApsaraDB RDS for MySQL as an example to show how to verify access to encrypted column data in an ApsaraDB RDS database.

ApsaraDB RDS for MySQL

Prerequisites

You have connected an ApsaraDB RDS for MySQL 8.0 instance to DSC and completed sensitive data classification and grading.

The scan results show that the users table in the sddp_em_db database contains three columns: the phone column has a sensitivity level of S3 (Personal Information - Mobile Phone Number), while the username and id columns have a sensitivity level of N/A. All columns are currently unencrypted, and the encryption check has Passed.

Configure column encryption

Follow the steps in Enable one-click encryption to configure column encryption for this database instance:

  1. Enable encryption for the phone column in the users table.

  2. Set the following access permissions for the bound database accounts.

    Set plaintext permission for account sddp_em01, ciphertext permission (JDBC decryption) for account sddp_em03, and ciphertext permission (no decryption) for account sddp_em02.

Access encrypted data

  1. Log on to the database using an account with Plaintext Permissions. For more information, see Log on to an ApsaraDB RDS database by using DMS.

  2. Execute a SELECT statement to view the data table. The encrypted column returns plaintext data.

  3. Switch to the account with Ciphertext Permission (No Decryption Permission) and log on to the database. Execute a SELECT statement to view the data table. The encrypted column returns ciphertext data.

  4. Switch to the account with Ciphertext Permission (JDBC Decryption) and log on to the database. Execute a SELECT statement to view the data table. The encrypted column returns ciphertext data.

PolarDB for MySQL

Prerequisites

A PolarDB for MySQL 5.7 cluster has been connected to DSC for sensitive data classification and grading. The scan results are as follows.

The scan results show that in the user3 table of the sddp_test database, the password column has a sensitivity level of S4 (Personal Sensitive Information - Password), the age column has a sensitivity level of S2 (Personal Information - Age), and the remaining columns have a sensitivity level of N/A. All columns are currently unencrypted, and the encryption check has Passed.

Configure column encryption

Follow the steps in Enable one-click encryption to configure column encryption for this database instance:

  1. Enable encryption for the password column in the user3 table.

  2. Set the following access permissions for the bound database accounts.

    Set plaintext permission for account sddp_polardb and ciphertext permission (JDBC decryption) for account sddp_03.

Access encrypted data

Because DMS connects to the PolarDB for MySQL cluster through the primary endpoint, the column encryption policy does not take effect. Therefore, this example uses the command line to connect to the PolarDB for MySQL cluster via the database proxy endpoint to verify the column encryption results.

  1. Install a version of MySQL on your server that is compatible with your operating system.

  2. Connect to the database cluster by running the following command:

    mysql -h<endpoint> -P<port> -u<username> -p<password>

    • Endpoint and port: Use the cluster endpoint and ensure that your server can access this endpoint. For detailed information on how to configure and view connection endpoints, see Configure a database proxy and Manage endpoints.

    • Username and password: This example uses the username and password for the database accounts with plaintext permission and ciphertext permission (JDBC decryption), respectively.

    Example connection commands:

    • Using an account with plaintext permission: mysql -hpc-bp1fd7********v6f.rwlb.rds.aliyuncs.com -P3306 -usddp_polardb -pH********4.

    • Using an account with ciphertext permission (JDBC decryption): mysql -hpc-bp1fd7********v6f.rwlb.rds.aliyuncs.com -P3306 -usddp_03 -pP********3.

  3. Run the following commands to view the data table.

    1. Run the command use <database_name>; to enter the target database. In this example, the sddp_test database is selected.

      use sddp_test;

    2. Execute a SELECT statement to view the data table.

      SELECT * FROM user3 LIMIT 0, 3;

    Example results:

    • For the account with plaintext permission, the encrypted column returns plaintext data.

      mysql> use sddp_test;
Database changed
mysql> SELECT * FROM user3 LIMIT 0, 3;
+-----+------+----------+------+
| age | name | password | name |
+-----+------+----------+------+
| xxx | xxx  | xxx      | xxx  |
| xxx | xxx  | xxx      | xxx  |
| xxx | xxx  | xxx      | xxx  |
+-----+------+----------+------+
3 rows in set (0.01 sec)

    • For the account with ciphertext permission (JDBC decryption), the encrypted column returns ciphertext data.

      mysql> use sddp_test;
Database changed
mysql> SELECT * FROM user3 LIMIT 0, 3;
+-----+------+----------------------------------------------+------+
| age | name | password                                     | name |
+-----+------+----------------------------------------------+------+
| xxx | xxx  | /0D9Pxxx...                                  | xxx  |
| xxx | xxx  | Q0D9Pxxx...                                  | xxx  |
| xxx | xxx  | 7kD9Pxxx...                                  | xxx  |
+-----+------+----------------------------------------------+------+
3 rows in set (0.01 sec)

Client-side decryption

To access plaintext in an encrypted column, you can use an account with Ciphertext Permission (JDBC Decryption) and decrypt the data using a client for client-side decryption in Java or Go.

Language

Database type

Documentation

Java

  • ApsaraDB RDS for MySQL

  • ApsaraDB RDS for PostgreSQL

  • PolarDB for MySQL

  • PolarDB for PostgreSQL

  • PolarDB for PostgreSQL (Oracle Compatible)

  • PolarDB-X 2.0

Integrate EncJDBC (Supports decryption with a local key and a KMS key)

Go

  • ApsaraDB RDS for MySQL

  • PolarDB for MySQL

  • PolarDB-X 2.0

Integrate GoLang driver (Supports decryption with a local key only)

FAQ about check failures

Quotas and limitations

  • Region limitations: Ensure your instance's region supports the column encryption feature. For more information, see Supported regions.

  • Database limitations:

    Database type

    Version

    Encryption algorithm

    Encryption method

    Permission

    ApsaraDB RDS for MySQL

    The major engine version is MySQL 5.7 or MySQL 8.0, and the minor engine version is 20240731 or later.

    • AES-128-GCM.

    • AES-256-GCM: Supported only if the minor engine version is 20241231 or later.

    • SM4-128-GCM: Supported only if the minor engine version is 20241231 or later.

    • local key.

    • KMS key: Supported only if the minor engine version is 20241231 or later and the storage type is cloud disk.

    • Ciphertext permission (no decryption permission): Supported only when a local key is used. This is the default permission.

    • Ciphertext permission (JDBC decryption): This is the default permission when a KMS key is used.

    • Plaintext permission.

    ApsaraDB RDS for PostgreSQL

    The major engine version is PostgreSQL 16, and the minor engine version must be 20241230 or later.

    AES-256-GCM.

    local key.

    • Ciphertext permission (JDBC decryption) (Default).

    • Plaintext permission.

    PolarDB for MySQL

    The major engine version is MySQL 5.7 or MySQL 8.0, and the database proxy version must be 2.8.36 or later.

    Important

    If you configure column encryption policies for a PolarDB for MySQL cluster, you must use a read/write cluster endpoint. Primary endpoints do not support column encryption policies. Configure database proxy and Manage endpoints.

    AES-128-GCM.

    local key.

    PolarDB for PostgreSQL

    The major engine version is PostgreSQL 14, and the database version is 2.0.14.15.31.0 or later.

    AES-256-GCM.

    local key.

    PolarDB for PostgreSQL (Oracle Compatible)

    Only the Oracle syntax-compatible version 2.0 is supported. The major engine version is PostgreSQL 14, and the database version is 2.0.14.15.31.0 or later.

    AES-256-GCM.

    local key.

    PolarDB-X 2.0

    The series must be Enterprise Edition. The database version must be polardb-2.5.0_5.4.20-20250714 or later.

    • AES-128-GCM.

    • AES-256-GCM: Supported only if the database version is polardb-2.5.0_5.4.21-20260414 or later.

    • SM4-128-GCM.

    • local key.

    • KMS key: Supported only if the database version is polardb-2.5.0_5.4.21-20260414 or later.

Related documents

Previous:Column encryptionNext:Integrate EncJDBC