Column encryption

更新时间:
复制 MD 格式

To enhance the security of sensitive columns in PolarDB for PostgreSQL and and prevent unauthorized users from accessing plaintext data, you can use the column encryption feature of Data Security Center (DSC). This feature ensures data remains available within the database while being invisible to unauthorized users. It helps you defend against external and internal security threats, making your cloud data a private asset.

Prerequisites

  • Kernel version: The major version of your instance must be PostgreSQL 14 or , and the minor kernel version must be 2.0.14.15.31.0 or later.

    Note

    You can view the minor kernel version on the console or by running the SHOW polardb_version; command. If the minor kernel version does not meet the requirement, you must upgrade the minor kernel version.

    You can view the minor kernel version in the console or run the SHOW polardb_version; command. If the minor kernel version requirement is not met, upgrade the minor kernel version.

  • Instance region:

    Region type

    Region

    Chinese mainland

    China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Guangzhou), and China (Chengdu).

    Regions outside the Chinese mainland

    China (Hong Kong), Singapore (Singapore), Malaysia (Kuala Lumpur), Indonesia (Jakarta), and Germany (Frankfurt).

Features

The column encryption feature for PolarDB for PostgreSQL and is a feature of DSC. It uses the AES-256-GCM encryption algorithm with local keys to encrypt sensitive data columns. This ensures that sensitive data is stored in an encrypted format. Authorized users can decrypt and access the plaintext data using a fully encrypted client. You can select and modify the encryption scope, including which PolarDB for PostgreSQL and instances, databases, tables, and columns to encrypt.

Before you begin

Before you enable column encryption, you must complete these steps: purchase or upgrade your DSC service, authorize DSC to access cloud resources, authorize database assets, connect to the database, and run a sensitive data identification task.

1. Purchase or upgrade DSC

The column encryption feature is available to users of the Free, Advanced, Enterprise, 7-day Free Trial, and Value-added Service Plan editions of Data Security Center (DSC).

  • If you are new to Data Security Center, activate the service: Purchase Data Security Center.

  • If you are an existing Data Security Center user, check your DSC edition and column encryption quota, and upgrade if necessary: Log on to the Data Security Center console and check your DSC edition and column encryption quota on the Overview page. If you have not enabled the column encryption feature or your quota is insufficient, you can upgrade your edition.

2. Authorize DSC access

After you grant authorization, the DSC instance can access resources from cloud services such as PolarDB, RDS, OSS, and MaxCompute.

  1. Log on to the Data Security Center console.

  2. In the RAM-based Authorization dialog box, click Authorize.

Note

If the RAM-based Authorization dialog box does not appear, DSC is already authorized to access your cloud resources.

3. Synchronize database assets

Before you can use DSC to detect sensitive data in cloud products (including PolarDB and RDS) or audit database activities, you must synchronize your assets.

  1. In the left-side navigation pane, choose Asset Center.

  2. On the Asset Center page, click Asset synchronization.

    Note

    After you purchase a DSC instance, the system automatically runs a task to synchronize your cloud assets the first time you log on to the console. You do not need to perform this step manually. DSC automatically scans and synchronizes the asset list every day at midnight.

4. Enable classification and grading

To use column encryption, you must first authorize a database connection and complete a data identification task.

  1. In the left-side navigation pane, choose Asset Center.

  2. In the Structured Data section on the left, click the data type for which you want to configure column encryption.

  3. Click the image icon in the Data Classification column for the target asset instance.

    Note

    Ensure that you have created a database in the instance and that the Instance Status is Running. If no database is created, you cannot enable data classification and grading or create identification tasks.

    image

  4. In the Enable Classification and Grading dialog box, configure the parameters as described in the following table.

    Parameter

    Description

    Activation Method

    Configure the account information that is used to connect to the database for data detection. Two methods are supported:

    • Automatically create database accounts : DSC automatically creates a read-only account that starts with the sddp_auto prefix in the target data asset. DSC uses this account to connect to the target database and perform data detection tasks.

      Note

      This method is available only for data types that support one-click enablement.

    • Manually enter username and password: Enter the account and password that you use to connect to the database.

    Authorization Scope

    The authorization scope for data detection.

    • Entire data source.

    • Manage authorization scope in the data source list: Select the desired authorization scope.

    Automatically create and start a default scan task

    If you select this option, DSC automatically creates a default scan task after the database is successfully connected.

    On the Classification and Grading > Tasks > Identification Tasks tab, you can click Default Tasks to view the execution status of the scan task. For more information, see Scan for sensitive data using a detection task.

    Automatically connect to new databases.

    If you select this option, DSC automatically connects to new databases that are detected in your database instance after a manual or automatic asset sync.

  5. After you configure the parameters, click OK.

5. Review database information

After the data identification task is complete, review the information for the database instances connected to DSC. This includes Total columns, Column encryption status, and Database account information.

  1. In the left-side navigation pane, choose Risk Governance > Column Encryption.

  2. On the Column Encryption page, review the information. You can use the search components above the database list to filter by criteria such as asset type, encryption status (Encrypted, Not Encrypted, or Encryption Failed), and sensitivity level to find and view information about target database instances.

    Sensitivity level descriptions

    Sensitivity level

    Description

    N/A

    Indicates that no sensitive data defined by this template was detected.

    S1

    Non-sensitive data. Disclosing this type of data is highly unlikely to cause any harm. Examples include provinces, cities, and product names.

    S2

    Generally sensitive data. This data is not suitable for public disclosure, but a leak would result in a low level of harm. Examples include names and addresses.

    S3

    Critical sensitive data. This data is highly sensitive, and even a small leak could cause serious harm. Examples include ID numbers, account passwords, and database credentials.

    S4

    Core confidential data. This data must not be disclosed under any circumstances. Examples include genetic data, fingerprints, and iris scans.

    image

    Page information

    Description

    Columns

    The total number of columns in all tables of the database instances connected to DSC.

    Sensitive Data (S3 and Higher)

    Columns with a sensitivity level of S3 or higher, as determined by the data identification task. This includes information about sensitive columns, encrypted columns, unencrypted columns, and columns where encryption failed.

    Accounts

    • Total Accounts: DSC counts each account in each database as one database account. For example, if both Database A and Database B have Account C, this is counted as two database accounts.

    • Accounts For Which No Encryption Configured: If no columns in the database have encryption enabled, the account permission is Accounts For Which No Encryption Configured.

    • The count of accounts with Plaintext Permissions or Ciphertext Permission: When column encryption is enabled for a database, you can set permissions for database accounts to access encrypted column data.

    You can click any of the numbers in these statistics or click Permission Settings to open the Permission Settings panel. There, you can search for and view all account information for the target database instance to confirm and set different access permissions for different database accounts.

    List information

    Displays information such as Instance name, Asset Type, Region, Encryption Algorithm, Plaintext Permission Accounts, and Encryption Check for the DSC instance.

    • You can configure column encryption only for instances that have Passed the encryption check.

    • The Encryption Check result is "Failed". If the database version is incompatible, click Upgrade in the Encryption Check column to go to the corresponding upgrade page in the RDS or PolarDB console and upgrade the database version. For more information, see Common issues for failed checks.

    After upgrading the version or updating the status, you must run an Asset synchronization on the DSC console to synchronize the latest database information.

    1. In the left-side navigation pane, choose Asset Center. On the Authorization Management tab, click Asset Authorization Management.

    2. In the left-side navigation pane of the Asset Authorization Management panel, click the target instance type (RDS or PolarDB), and then click Asset synchronization.

Enable column encryption

After you confirm the target database instance information and the Encryption Check shows Passed, complete the column encryption configuration.

  1. Click Rapid Encryption above the database instance list to configure column encryption for all unencrypted columns. Alternatively, click Rapid Encryption in the Actions column for a target database instance to configure column encryption for that instance.

  2. In the Encryption Configuration panel, select the Asset Type, Instance name, Encryption Algorithm, Encryption Method, and Plaintext Permission Accounts. Then, select the target Databases, Table, and Column for which you want to configure column encryption, and click OK. Note the following:

    • While DSC supports multiple encryption algorithms, PolarDB for PostgreSQL and currently only support the AES-256-GCM encryption algorithm and the Local Encryption method.

    • After you configure encryption, the default permission for PolarDB for PostgreSQL, , and database accounts is Ciphertext Permission (JDBC Decryption). These accounts access ciphertext data by default and can use client-side code with a local key to decrypt and view the original plaintext data.

    • If you need to access plaintext data directly, you can add the corresponding database account to the Plaintext Permission Accounts list. This account will have plaintext permission and can directly access the plaintext data of encrypted columns.

      Important

      If you need to perform sensitive data classification on the latest data in the database, the database account used as a credential (the account used to connect DSC to the PolarDB for PostgreSQL, , or cluster) must have plaintext permission.

Modify encryption configuration

Modify encryption scope

After you enable column encryption, you can modify the encryption scope by enabling or disabling column encryption for specific columns within a database instance as needed.

  1. In the left-side navigation pane, choose Risk Governance > Column Encryption.

  2. In the instance list, expand the target instance. In the database list, find the target Databases, Table, and Column, and then click Enable Encryption or Disable Encryption to configure encryption for a single column.

Modify account permissions

Except for accounts that are set to Plaintext Permissions, all other accounts in the database instance have Ciphertext Permission (JDBC Decryption). You can modify account permissions to Plaintext Permissions or Ciphertext Permission (JDBC Decryption) based on your business requirements.

  1. On the Risk Governance > Column Encryption page, click Permission Settings in the Accounts area.

    Alternatively, in the instance list, click Edit in the Actions column. In the Edit panel, click Configure for Account Permissions.

  2. In the Permission Settings panel, search for the target instance and account to view the current permissions.

    Note

    If a newly added database account is not visible in the list, run an Asset synchronization first.

  3. Click Modify Permissions in the Actions column for the target account.

    You can also select multiple target accounts that have the same permission and click Batch Modify Permissions below the list.

  4. In the modify permission dialog box, select the target permission and click OK.

Verify encryption results

You can verify access to encrypted columns based on the column encryption and database account permissions you have configured.

Note

The column encryption feature is not fully compatible with third-party clients (for example, you may experience issues when you view encrypted data by using Data Management (DMS)), so we recommend that you use the column encryption driver (JDBC) or the PolarDB-Tools client to access encrypted data.

For example, assume the birth_date column in the students01 table of a test PolarDB for PostgreSQL, , or cluster is encrypted. One database account in the cluster is granted Plaintext Permissions, while another account retains Ciphertext Permission (JDBC Decryption).

On the Column Encryption page, you can expand a PolarDB instance to view the sensitivity level, encryption status, and available actions for each column. Columns that have been encrypted, such as a column with sensitivity level S2, show an Encrypted status, and you can click Disable Encryption. Unencrypted columns show a Not Encrypted status, and you can click Enable Encryption.

  1. Connect to the database using the account with Ciphertext Permission (JDBC Decryption). Run the SELECT * FROM students01; statement. The encrypted column returns ciphertext data.

  2. Connect to the database using the account with Plaintext Permissions. Run the SELECT * FROM students01; statement. The encrypted column returns plaintext data. The query results show that the students01 table contains four columns: id, sid, name, and birth_date. The birth_date column, which was encrypted, now displays plaintext dates such as 1991-04-16 and 2005-05-13.

Client usage

If your database account has ciphertext permission (JDBC decryption), you can use the column encryption driver (JDBC) to connect to a PolarDB for PostgreSQL cluster and access encrypted column data from your Java application. The JDBC driver automatically decrypts ciphertext data and returns plaintext data. The process is transparent to the application. For more information, see column encryption driver (JDBC).

FAQ

PolarDB: What to do if a cluster fails the encryption check?

First, confirm that the PolarDB for PostgreSQL or cluster is in the Running state. Column encryption cannot be configured for clusters that are not running.

Second, if the version of the connected PolarDB for PostgreSQL or database is not PostgreSQL 14 or , or if the minor kernel version is earlier than 2.0.14.15.31.0, the Encryption Check column shows Failed.

Solution

  • Unsupported database version

    You cannot currently upgrade the major version of PolarDB for PostgreSQL and clusters. You can create a new cluster that meets the version requirements and then migrate data from your current database to the new cluster using migration between PolarDB for PostgreSQL instances or .

  • Unsupported kernel version

    If you need to configure column encryption for the target PolarDB cluster, go to Settings and Management > Version Management and click Upgrade Kernel Only. Then, click Upgrade Now, select the minor kernel version to which you want to upgrade, and confirm the upgrade. For more information, see Version Upgrade. The PolarDB database supports column encryption only after the database kernel is upgraded.

After you upgrade the kernel version, you must synchronize assets on the Data Security Center console to update the database information.

  1. In the left-side navigation pane, choose Asset Center.

  2. On the Asset Center page, click Asset synchronization.

Related content