PolarDB provides end-to-end encryption for data. User data is encrypted at the user side before the user data is transferred to PolarDB. The data cannot be viewed in plaintext on the server side. This improves data security.
EncDB is a cloud database service that supports end-to-end data encryption. EncDB is developed by Database and Storage Lab of Alibaba DAMO Academy. EncDB allows only data owners to view data in plaintext. This way, data can be managed in a secure manner and user privacy is ensured.
EncDB provides end-to-end data encryption between the client side and the server side. EncDB is a high-performance database service that provides the common capabilities of traditional databases and robust privacy protection for data. EncDB ensures data security by using trusted execution environments (TEEs) and digital cryptography technologies. EncDB is an easy-to-use database service and can be managed the same way as a common database. After data is encrypted, only data owners can view the data in plaintext.
After data is encrypted by a client, the ciphertext is sent to a database server. Then, the server sends the ciphertext and operation requests to a TEE for computing. After the computing is complete, the TEE encrypts the computing result. Then, the result is encrypted and returned to the client for decryption. This way, the data is always encrypted when the data is processed on the database server.
Datasets that have the same plaintext are considered as the same datasets. These datasets can be stored as different ciphertext forms in a database server. Encryption algorithms such as Advanced Encryption Standard (AES), Rivest–Shamir–Adleman (RSA), and Chinese cryptographic algorithms can be used to ensure the security of the ciphertext. This way, attackers cannot obtain the data content or the data distribution trends.
Ease of use
PolarDB supports common SQL statements. PolarDB provides various tools to help you migrate data from other cloud services to Alibaba Cloud without the need to modify the application code. For example, PolarDB provides a driver for automatic encryption and decryption and also provides a tool to convert data between plaintext and ciphertext. Users' operations are transparent to trusted execution hardware. This simplifies the process of using PolarDB. Solutions that are developed based on pure cryptography can be upgraded for existing databases.
Solutions that are developed based on pure cryptography and trusted hardware are supported. You can choose a solution that meets your business needs. Each of the solutions allows you to specify the encrypted columns. This way, data that is not encrypted is not affected. This helps you balance security and performance at a granular level.
Isolation for security
The plaintext of an entity's data that is stored in PolarDB can be viewed only by the entity. If a cooperative entity wants to access the data, the relevant operations must be authenticated and performed in the TEE. Then, the requested data is encrypted based on the assigned permissions before the data is sent to the cooperative entity. This way, EncDB is used to ensure that the cooperative entity can perform operations on the data as expected and that the operations are isolated.
PolarDB supports TEEs such as field-programmable gate arrays (FPGAs) that are developed by Alibaba Group and Intel Software Guard Extensions (SGX). You can perform diverse computing operations based on your business needs in a flexible manner. The FPGAs developed by Alibaba Group support Chinese cryptographic algorithms to improve data security.