Go driver


After enabling column encryption for an ApsaraDB RDS for MySQL or PolarDB for MySQL database, use the alibabacloud-encdb-mysql-go-client driver in your Go application to access plaintext data from encrypted columns.

Background information

Column encryption enhances data security by storing data as ciphertext in specific columns. Authorized clients can transparently access this data as plaintext.

Alibaba Cloud provides alibabacloud-encdb-mysql-go-client, a client-side Go driver. To access an encrypted database, use this driver to connect and specify a master encryption key (MEK) in the database connection URL. The driver automatically decrypts ciphertext and returns plaintext data.

The client and server use a secure asymmetric encryption protocol to transmit the MEK. This process establishes a shared key between them for secure symmetric data encryption.

MEK value range: a 16-byte key, written as a 32-character hexadecimal string.

Warning

The MEK is the root credential that authorizes your client to access encrypted data. For security reasons, the encrypted database does not store or manage your MEK, nor does it offer MEK generation or backup services. You are responsible for generating your own MEK. Safeguarding the MEK is critical for your database security. We recommend that you back up your MEK in a secure location.

Prerequisites

  • Column encryption is configured for the target database, and the target database account is granted the Ciphertext Permission (JDBC Decryption). For more information about how to configure column encryption and details on account permissions, see Configure column encryption for databases.

  • You have obtained the connection information for the encrypted database, including the endpoint, port, database name, database account, and password.

Usage notes

  • Securely store your master encryption key (MEK).

  • Go version 1.18 or later is required.

Client integration

1. Get the driver

alibabacloud-encdb-mysql-go-client is fully compatible with the community Go MySQL Driver and the standard Go database/sql/driver interface, enabling integration into your application without code changes.

The driver is open source on GitHub. For more information, see alibabacloud-encdb-mysql-go-client.

To get the driver, run the following command:

go get github.com/aliyun/alibabacloud-encdb-mysql-go-client@latest

2. Configure MEK and connect

Note

  • You can use an ampersand (&) to join multiple parameters in the URL.

  • The client processes the MEK locally and uses envelope encryption to securely send it to the server, ensuring the MEK is not leaked.

Sample code:

// Replace the placeholders with your actual endpoint (hostname), port number (port), database name (dbname), username, and password.
db, err := sql.Open("encmysql", "<username>:<password>@tcp(<hostname>:<port>)/<dbname>?MEK=00112233445566778899aabbccddeeff")
if err != nil {
    panic(err)
}
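As an added example that is not part of the driver's documentation, the following Go code generates and validates a MEK in the 16-byte / 32-hex-character format described above and assembles the encmysql DSN, joining MEK and any other parameters with an ampersand. It uses only the standard library and assumes the DSN follows the community Go MySQL Driver format that the page says this driver is compatible with; the function names and the sample host, user and database values are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/url"
)

// The driver expects a 16-byte MEK written as a 32-character hex string.
const mekBytes = 16

// GenerateMEK draws 16 random bytes from crypto/rand and hex-encodes them.
// The database never stores the MEK, so the caller must back the result up securely.
func GenerateMEK() (string, error) {
	buf := make([]byte, mekBytes)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

// ValidateMEK rejects anything that is not exactly 32 hexadecimal characters,
// catching a truncated or mistyped key before it is sent in the connection URL.
func ValidateMEK(mek string) error {
	if len(mek) != 2*mekBytes {
		return fmt.Errorf("MEK must be %d hex characters, got %d", 2*mekBytes, len(mek))
	}
	if _, err := hex.DecodeString(mek); err != nil {
		return fmt.Errorf("MEK is not hexadecimal: %w", err)
	}
	return nil
}

// BuildDSN assembles "user:pass@tcp(host:port)/db?MEK=...&k=v" in the form the
// page uses; url.Values joins MEK and any extra parameters with '&' (keys sorted).
// Constructed helper: the real driver only needs the final string.
func BuildDSN(user, pass, host string, port int, dbname, mek string, extra map[string]string) (string, error) {
	if err := ValidateMEK(mek); err != nil {
		return "", err
	}
	q := url.Values{"MEK": {mek}}
	for k, v := range extra {
		q.Set(k, v)
	}
	return fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?%s", user, pass, host, port, dbname, q.Encode()), nil
}
```

The DSN returned by BuildDSN is what you pass as the second argument of sql.Open("encmysql", ...); keep the MEK itself out of source code, for example by reading it from a secrets store at startup.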

3. Query plaintext data

Sample code:

// Send a query.
rows, err := db.Query("SELECT * FROM sddp_test_mask")
if err != nil {
    log.Fatalf("Failed to query data: %v", err)
}
// Make sure to close the result set after use.
defer rows.Close()
// Define variables to store the data for each row.
var id int
var name string
var password string
var age int
// Iterate over each row of data.
for rows.Next() {
    // Scan the data of the current row into variables.
    err := rows.Scan(&id, &name, &password, &age)
    if err != nil {
        log.Fatalf("Failed to scan row: %v", err)
    }
    // Print the data of the current row.
    fmt.Printf("read data: id=%d, name=%s, password=%s, age=%d\n", id, name, password, age)
}
// rows.Next returns false both at the end of the result set and on error; check which.
if err := rows.Err(); err != nil {
    log.Fatalf("Failed while iterating rows: %v", err)
}

Complete code example

The following example uses a database account with the Ciphertext Permission (JDBC Decryption) to query plaintext data from encrypted columns in a PolarDB for MySQL database.

The database configuration used in this example is detailed in the Column encryption example for a PolarDB for MySQL database section of the Column encryption topic.

package main

import (
    "database/sql"
    "fmt"
    "log"

    _ "github.com/aliyun/alibabacloud-encdb-mysql-go-client"
)

func main() {
    // Replace the placeholders with your actual endpoint (hostname), port number (port), database name (dbname), username, and password.
    db, err := sql.Open("encmysql", "sddp_02:He******4@tcp(polar***.rwlb.rds.aliyuncs.com:3306)/sddp_test?MEK=00112233445566778899aabbccddeeff")
    if err != nil {
        panic(err)
    }
    // Release the connection pool when main returns.
    defer db.Close()
    rows, err := db.Query("SELECT * FROM user3 LIMIT 3")
    if err != nil {
        log.Fatalf("Failed to query data: %v", err)
    }
    // Make sure to close the result set after use.
    defer rows.Close()
    // Define variables to store the data for each row.
    var id int
    var name string
    var password string
    var age int
    // Iterate over each row of data.
    for rows.Next() {
        // Scan the data of the current row into variables.
        err := rows.Scan(&id, &name, &password, &age)
        if err != nil {
            log.Fatalf("Failed to scan row: %v", err)
        }
        // Print the data of the current row.
        fmt.Printf("read data: id=%d, name=%s, password=%s, age=%d\n", id, name, password, age)
    }
    // rows.Next returns false both at the end of the result set and on error; check which.
    if err := rows.Err(); err != nil {
        log.Fatalf("Failed while iterating rows: %v", err)
    }
}

After running the code, the decrypted output is similar to the following:

read data: id=1, name=2clxxx, password=xxx, age=3
read data: id=2, name=RZlxxx6Z=, password=)xxxv9>, age=4
read data: id=3, name=!xxxrm, password=kxxxS, age=5