Fully encrypted database

Last updated: 2026-06-08 20:44:24

The Fully Encrypted Database feature performs all encryption and decryption on the application client through the EncJDBC driver. The database server handles only ciphertext, so data remains protected even if accessed by a database administrator or a privileged account.

How it works

The core principle is client-side encryption, managed by a specialized JDBC driver. You retain full control over the encryption keys.

  1. Application: Your application connects through the EncJDBC driver instead of a standard JDBC driver.

  2. Configuration: You define an encryption policy in Data Security Center (DSC), specifying which databases, tables, and columns to encrypt.

  3. Encryption: When your application writes data, EncJDBC intercepts it, applies the DSC policy, and encrypts values in the specified columns using keys you manage.

  4. Database: PolarDB-X receives and stores only ciphertext. All operations—queries, indexes—run on encrypted data.

  5. Decryption: When your application reads data, EncJDBC retrieves the ciphertext and decrypts it before returning plaintext to your application.

Key features

PolarDB-X Fully Encrypted Database offers the following capabilities:

  • Seamless integration: Replace your standard JDBC driver with EncJDBC. No changes to application logic required.

  • Flexible encryption configuration: Use DSC to select which columns to encrypt, balancing security with performance.

  • Granular permission management: Assign plaintext or ciphertext access per database account. Authorized accounts see plaintext; O&M and developer accounts see only ciphertext.

  • Key protection: You control the encryption keys. Keys are passed to EncJDBC at runtime and exist only in client memory—never stored on the database server.

Use cases

Typical use cases for the fully encrypted database:

  • Protect application data from cloud administrators: Encrypt sensitive data in the application before it reaches the database, preventing cloud staff and database administrators from viewing plaintext.

  • Ensure end-user privacy with end-to-end encryption: Perform encryption on end-user devices (such as mobile apps) so that even the application provider cannot access plaintext user data.

  • Enable secure data sharing: Share encrypted datasets with third parties without exposing encryption keys, enabling secure collaboration while maintaining data ownership.

Before you start

Billing

The fully encrypted database feature is free of charge.

However, this feature requires Data Security Center (DSC), which is a paid service. Ensure you have a sufficient column encryption authorization quota. For detailed pricing, see Billing.

Limits

  • Performance overhead

    Client-side encryption consumes CPU on your application server, increasing with the number of encrypted columns. In TPC-C benchmarks, encrypting all columns incurs approximately 10% overhead. Encrypt only sensitive columns to balance security and performance. For more information, see the Performance test report.

  • Protocol limitation

    The fully encrypted database supports only the text protocol, not the binary protocol. Your application cannot use JDBC PreparedStatement calls for encrypted data because prepared statements use the binary protocol. Use standard statements for all queries on encrypted columns.
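
Because this limitation rules out parameter binding, every value placed in a statement on an encrypted column has to be validated by the application before it is concatenated into SQL text. The following is an added example, not code from the PolarDB-X documentation or the EncJDBC driver; the `customer` table, its columns, and the allow-list pattern are assumptions, and the sample values are constructed.

```java
import java.util.regex.Pattern;

// Added example: builds text-protocol SQL for java.sql.Statement from validated values.
public class StatementLiterals {
    // Assumed allow-list: ASCII letters, digits, space and a few punctuation marks.
    // Quotes, backslashes and semicolons can never pass, so a value cannot end its own literal.
    private static final Pattern SAFE_TEXT = Pattern.compile("[A-Za-z0-9 @._+-]{1,128}");

    // Returns a quoted SQL string literal, or throws if the value is outside the allow-list.
    static String text(String value) {
        if (value == null || !SAFE_TEXT.matcher(value).matches()) {
            throw new IllegalArgumentException("value rejected by allow-list");
        }
        return "'" + value + "'";
    }

    // Numeric values are rendered from a typed long, never from a caller-supplied string.
    static String number(long value) {
        return Long.toString(value);
    }

    // Hypothetical table and columns; identifiers are fixed in code, not taken from input.
    static String insertCustomer(long id, String name, String phone) {
        return "INSERT INTO customer (id, name, phone) VALUES ("
                + number(id) + ", " + text(name) + ", " + text(phone) + ")";
    }

    public static void main(String[] args) {
        // Constructed sample values.
        System.out.println(insertCustomer(42L, "Alice Example", "+86 138-0000-0000"));
        try {
            // A value containing a quote is rejected instead of being escaped.
            insertCustomer(43L, "O'Brien", "000");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // With a live connection, pass the string to Statement.executeUpdate(sql).
    }
}
```

Values that need characters outside the allow-list, such as apostrophes in names, call for a deliberately reviewed encoding rather than a wider pattern.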
