Column encryption


The column encryption feature, provided by Data Security Center (DSC), allows you to encrypt sensitive data in columns of your ApsaraDB RDS for PostgreSQL instance. This prevents unauthorized personnel from accessing plaintext data using cloud platform software or database connection tools. The feature ensures that data is always available to authorized applications but remains unreadable in the database itself, protecting against internal and external threats. This makes your data on the cloud a truly private asset.

Prerequisites

  • The instance has a major engine version of ApsaraDB RDS for PostgreSQL 16 and a minor engine version of 20250228 or later.

  • The instance is in one of the following regions:

    Chinese mainland: China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Guangzhou), and China (Chengdu).

    Outside the Chinese mainland: China (Hong Kong), Singapore (Singapore), Malaysia (Kuala Lumpur), Indonesia (Jakarta), and Germany (Frankfurt).

Overview

The column encryption feature for ApsaraDB RDS for PostgreSQL uses the AES-256-GCM algorithm and local key encryption. You can configure encryption for sensitive columns to ensure data is stored as ciphertext. Authorized users can then access the plaintext data by using a client, such as the column encryption driver (JDBC), for decryption. You can select and modify the scope of encryption, including the ApsaraDB RDS for PostgreSQL instance, database, tables, and columns, at any time.

Preparations

Before you enable column encryption, you must complete the following steps in order: activate or upgrade DSC, authorize DSC to access cloud resources, authorize database assets, and connect to the database to run a sensitive data identification task.

1. Activate or upgrade DSC

Activate DSC if you have not used it before

After you activate the DSC service and enable the column encryption feature, you receive a free quota for column encryption. To encrypt more columns, you can purchase an additional quota. The column encryption feature is available for the Free Edition, Premium Edition, Enterprise Edition, 7-day Trial Edition, and Value-added Service Only Edition of Data Security Center (DSC).

Free quota (unit: columns) by edition:

  • Free Edition: 1

  • Premium Edition: 1

  • Enterprise Edition: 10

  • 7-day Trial Edition: 10

  • Value-added Service Only Edition: 1

  1. Log on to your Alibaba Cloud account, and go to the Data Security Center purchase page.

  2. Select an edition, and enable column encryption.

  3. Click Buy Now and complete the payment.

    You can view the feature specifications of your purchased edition on the Overview page.

For existing users: Check your DSC edition and quota, and upgrade if needed

Check your DSC edition and column encryption quota

Log on to the Data Security Center console and check the edition and column encryption quota on the Overview page:

  • DSC edition: The column encryption feature is available for users of the Free Edition, Premium Edition, Enterprise Edition, 7-day Trial Edition, and Value-added Service Only Edition.

  • Column encryption quota: Check whether the column encryption quota meets your business needs.

In the Version Information and Quota Statistics panel, check the Column encryption (columns) field. If the quota is used up, for example, 10/10, you need to increase it.

Upgrade DSC

If your DSC edition is not supported or the column encryption quota does not meet your business needs, you can upgrade the service to obtain a larger quota.

Currently, you can only upgrade from the Premium Edition to the Enterprise Edition, or expand the capabilities of your current edition (such as increasing the number of supported encrypted columns). Other editions cannot be upgraded. You can change editions in the following ways:

  • Free Edition: You can purchase a paid edition, such as the Premium Edition, Enterprise Edition, or Value-added Service Only Edition, while retaining the resources of the Free Edition.

  • Enterprise Edition or Value-added Service Only: You must request a refund and then purchase another edition. The instance and data from the original edition are then released.

  • 7-day Trial Edition: Upgrades are not supported during the trial period. After the trial ends, you can activate the Free Edition or purchase a paid edition, but the authorized resources and data will be released.

  • You cannot change the subscription duration when upgrading. The remaining service duration of the instance is unchanged.

  1. Log on to the Data Security Center console.

  2. On the Overview page, click Upgrade.

  3. Upgrade the specification of the current version.

    The upgrade page shows your current specifications. Upgrade this edition either by enabling new features such as Data Detection and Response, Column Encryption, and Log Storage, or by increasing protection and encryption quotas.

  4. Click Buy Now and complete the payment.

    You can view the updated feature specifications on the Overview page.

2. Authorize cloud resource access

After you grant the required permissions, your DSC instance can access resources from cloud services such as OSS, RDS, and MaxCompute.

  1. Log on to the Data Security Center console.

  2. In the RAM authorization dialog box, click Authorize immediately.

    Note

    If the RAM authorization dialog box does not appear, DSC is already authorized to access your cloud resources.

3. Authorize database assets

Before using DSC to scan for sensitive data or audit database activities in cloud products like RDS and PolarDB, you must authorize the asset instances.

  1. Log on to the Data Security Center console. In the left-side navigation pane, choose Asset Center.

  2. On the Authorization Management tab, click Asset Authorization Management.

  3. In the product navigation pane on the left side of the Asset Authorization Management page, select the data type that you want to authorize and click Asset synchronization.

    Note

    After you purchase a DSC instance, the console immediately runs a task to synchronize your cloud assets. You do not need to perform asset synchronization in this case. For newly added data assets, DSC scans and automatically synchronizes them to the unauthorized list of the corresponding assets every day at midnight. Existing users must manually perform Asset synchronization on the Asset Authorization Management page, which is on the Asset Center > Authorization Management tab.

  4. In the Actions column of the target asset, click Authorization.

    To authorize multiple assets at once, select the target assets and click Batch Authorize.

4. Connect and identify sensitive data

  1. Log on to the Data Security Center console. In the left-side navigation pane, choose Asset Center.

  2. On the Authorization Management tab, click Account Logon in the Actions column of the target asset instance.

  3. In the Account Logon panel, click Add Credential in the Actions column of the target database.

  4. In the Add Credential dialog box, select a credential, leave the Scan assets and identify sensitive data now. option selected or clear it as needed, and then click OK.

    If you have not created a credential, click the Create Credential tab in the Add Credential dialog box. Configure the Credential Name, Username, Password, and Credential Type for the database logon account, and then click OK.

    Important

    • If you select Scan assets and identify sensitive data now., DSC automatically creates and runs a default identification task. The identification task reads data from the database and consumes read performance. We recommend that you perform this operation during off-peak hours.

    • If you clear Scan assets and identify sensitive data now., you can manually run the default task. In the left-side navigation pane, choose Classification and Grading > Tasks. On the Identification Tasks tab, find the task in the Default Tasks list and click Rescan.

  5. Click the expand icon to the left of the database instance to view its connection and feature status.

    The connection status of the database is displayed as Connected.

Enable column encryption

  1. Log on to the Data Security Center console. In the left-side navigation pane, choose Risk Governance > Column Encryption.

    Important

    The Encryption Check column must show Passed before you can configure column encryption for the database. If it shows Failed, the major or minor engine version of the database may not support column encryption. For more information, see FAQ in this topic.

  2. Click Rapid Encryption above the database instance list to configure column encryption for all unencrypted columns.

    Alternatively, click Rapid Encryption in the Actions column of a specific database instance to configure column encryption only for that instance.

  3. In the Encryption Configuration panel, select the Asset Type, Instance name, and Plaintext Permission Accounts. Then, select the target Databases, Table, and Column to encrypt, and click OK. Note the following:

    • ApsaraDB RDS for PostgreSQL supports only the AES-256-GCM encryption algorithm and the local encryption method.

    • After encryption is configured, database accounts default to Ciphertext Permission (JDBC Decryption). By default, these accounts access the ciphertext of encrypted columns. You can use client-side code with a local key to decrypt the data and view the original plaintext.

    • If you need to directly access plaintext data, add the corresponding database account to the Plaintext Permission Accounts list. This grants the account Plaintext Permission, allowing it to directly access the plaintext data of encrypted columns.

      Important

      If you need to perform sensitive data classification and grading on the latest data in the database, the database account used as the credential (the account used to connect DSC to the ApsaraDB RDS for PostgreSQL instance) must have Plaintext Permission.

Modify column encryption

Encryption scope

After you enable column encryption, you can modify the scope of encrypted columns by individually enabling or disabling the feature for specific columns within the database instance based on your needs.

  1. Log on to the Data Security Center console. In the left-side navigation pane, choose Risk Governance > Column Encryption.

  2. In the instance list, expand the target instance. In the database list, find the target Databases, Table, and Column name, and click Enable Encryption or Disable Encryption to configure encryption for that column.

Account permissions

Except for accounts that have been granted Plaintext Permissions, all other accounts in the database instance have Ciphertext Permission (JDBC Decryption). You can change an account's permission to Plaintext Permissions or Ciphertext Permission (JDBC Decryption) based on your business needs.

  1. Log on to the Data Security Center console.

  2. On the Risk Governance > Column Encryption page, click Permission Settings in the Accounts area.

    Alternatively, in the Actions column of the instance list, click Edit. In the Edit panel, click Configure for Account Permissions.

  3. In the Permission Settings panel, search for the target instance and account to view the current permissions.

    Note

    If a newly added database account is not listed, perform Asset synchronization first and then check again.

  4. In the Actions column for the target account, click Modify Permissions.

    You can also select multiple target accounts with the same permission and click Batch Modify Permissions below the list.

  5. In the Modify Permissions dialog box, select the target permission and click OK.

Verify column encryption

You can configure database column encryption and database account permissions to verify the encryption result.

  1. Connect an ApsaraDB RDS for PostgreSQL 16 instance to DSC and complete sensitive data classification and grading. Enable column encryption for a specific column in the RDS instance, such as the birth_date column in the students01 table. Then, set the permission for one database account to Plaintext Permissions and leave another account with Ciphertext Permission (JDBC Decryption). On the column encryption status page for the data table, the birth_date column of the public.students01 table in the testdb01 database has encryption enabled (sensitivity level S2, labeled as personal information, with the AES_256_GCM encryption algorithm), while the other columns (name, sid, id, extra_info, gender) are not encrypted.

  2. Use an account with Ciphertext Permission (JDBC Decryption) to log on to the database by using Data Management Service (DMS). Run the SELECT * FROM students01; statement to view the data table. When queried with an account that has Ciphertext Permission (JDBC Decryption), the birth_date column returns an encrypted ciphertext string instead of a plaintext date.

  3. Use an account with Plaintext Permissions to log on to the database by using Data Management Service (DMS). Run the SELECT * FROM students01; statement to view the data table. The encrypted column returns plaintext data.

Client usage

If your database account has Ciphertext Permission (JDBC Decryption), you can use the column encryption driver (JDBC) to connect to the target RDS database. This allows your Java application to access encrypted column data. The JDBC driver automatically decrypts the ciphertext and returns plaintext data, making the process transparent to the application. For more information, see column encryption driver (JDBC).
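The encrypt-before-store, decrypt-on-read model that the Overview and this section describe, shown as an added example rather than the DSC driver's own code (the driver's key handling and cell format are not documented on this page): the application holds a 256-bit key locally, encrypts a birth_date value with AES-256-GCM before it reaches the database, a ciphertext-permission account only ever sees the resulting base64 string, and a stored cell that has been altered fails the GCM tag check. The class and method names, the cell layout (iv || ciphertext || tag) and the use of the column name as associated data are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class ColumnCipherDemo {
    private static final int IV_BYTES = 12;   // 96-bit nonce, a fresh random value per cell
    private static final int TAG_BITS = 128;  // GCM authentication tag length
    private static final SecureRandom RNG = new SecureRandom();
    /** Returns base64(iv || ciphertext || tag): the opaque string a ciphertext-permission account sees. */
    static String encryptCell(byte[] key, String column, String plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(column.getBytes(StandardCharsets.UTF_8));  // bind the ciphertext to its column name
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    /** Recovers the plaintext; throws AEADBadTagException if the cell, tag or column binding was altered. */
    static String decryptCell(byte[] key, String column, String stored) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(TAG_BITS, Arrays.copyOfRange(in, 0, IV_BYTES)));
        c.updateAAD(column.getBytes(StandardCharsets.UTF_8));
        return new String(c.doFinal(in, IV_BYTES, in.length - IV_BYTES), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        byte[] localKey = new byte[32];  // constructed 256-bit demo key; a real key lives in a key store
        RNG.nextBytes(localKey);
        String stored = encryptCell(localKey, "birth_date", "1999-05-20");
        System.out.println("stored in birth_date: " + stored);            // what SELECT * returns without the key
        System.out.println("client decrypts to:   " + decryptCell(localKey, "birth_date", stored));
        byte[] tampered = Base64.getDecoder().decode(stored);
        tampered[tampered.length - 1] ^= 0x01;                           // flip one bit of the GCM tag
        try {
            decryptCell(localKey, "birth_date", Base64.getEncoder().encodeToString(tampered));
        } catch (AEADBadTagException e) {
            System.out.println("tampered cell rejected by the GCM tag check");
        }
    }
}
```

Because each cell gets its own random nonce, two rows with the same birth_date produce different ciphertext, so a ciphertext-permission account cannot tell equal values apart by comparing stored strings.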

FAQ

Failed encryption check

If the version of the authorized ApsaraDB RDS for PostgreSQL database is not PostgreSQL 16, the minor engine version is earlier than 20250228, or it is a read-only instance, the Encryption Check column displays Failed.

  • Unsupported database version

    If you need to configure column encryption for the target RDS database, go to the RDS instance list, find the target instance, and upgrade the major engine version. For more information, see Upgrade the major engine version.

  • Unsupported minor engine version

    In the asset list on the Asset Management page, if the Encryption Check column for the target RDS instance displays Failed, an Update Minor Engine Version link appears next to it.

    If you need to configure column encryption for the target RDS database, click Update Minor Engine Version, select an Upgrade Version and an Update Time, and then click OK. The RDS database supports column encryption only after the minor engine version is upgraded. For detailed instructions, see Update the minor engine version.

    Upgrading the minor engine version restarts the instance and causes a transient disconnection of about 30 seconds. We recommend that you perform this operation during off-peak hours and ensure that your application has an automatic reconnection mechanism.

  • Read-only instance

    Data in a read-only instance is copied from a secondary instance and remains consistent with the primary instance. Updates to the primary instance are automatically synchronized to all read-only instances. Therefore, you must configure column encryption on the primary instance.

After you upgrade the version, you must perform asset synchronization in the DSC console to update the database information.

  1. In the left-side navigation pane, choose Asset Center. Then, on the Authorizations tab, click Asset Authorization Management.

  2. In the product navigation pane on the left side of the Asset Authorization Management page, click the target instance type.

  3. On the Asset Authorization Management page, click Asset synchronization.
