
PolarDB: Always-confidential

Last Updated: Apr 16, 2024

PolarDB for PostgreSQL (Compatible with Oracle) provides the always-confidential feature. User data is encrypted on the user side before it is transferred to the database, so the data cannot be viewed in plaintext on the server side. This improves data security.

Confidential Database is a cloud database service that is developed by Database and Storage Lab of Alibaba DAMO Academy. It allows only data owners to view data in plaintext. This way, data can be managed in a secure manner and user privacy is ensured.

Confidential Database provides end-to-end data encryption between the client side and the server side. It is a high-performance database service that provides the common capabilities of traditional databases and robust privacy protection for data. Confidential Database ensures data security by using trusted execution environments (TEEs) and digital cryptography technologies. Confidential Database is an easy-to-use database service and can be managed the same way as a common database. After data is encrypted, only data owners can view the data in plaintext.

Full ciphertext

After data is encrypted by a client, the ciphertext is sent to a database server. Then, the server sends the ciphertext and operation requests to a TEE for computing. After the computing is complete, the TEE encrypts the computing result, and the encrypted result is returned to the client for decryption. This way, the data is always encrypted when it is processed on the database server.

Robust security

A dataset can have different ciphertext forms on different database servers, and can also be stored in different ciphertext forms within one database server. Encryption algorithms such as Advanced Encryption Standard (AES), Rivest–Shamir–Adleman (RSA), and Chinese cryptographic algorithms can be used to ensure the security of the ciphertext. This way, attackers cannot obtain the data content or the data distribution trends.
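The flow described under "Full ciphertext" and the ciphertext-form property described under "Robust security" can be modeled in a few lines. This is an added example, not PolarDB code or its driver API: the `Enclave` and `Server` classes, the `count_equal` operation, key provisioning to the TEE, and the HMAC-based cipher (a standard-library stand-in for AES) are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-CTR (assumption).
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)  # fresh per value, so equal plaintexts differ
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext rejected: authentication failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class Enclave:
    """Models the TEE: the only server-side component that holds the key."""
    def __init__(self, key):
        self._key = key
    def count_equal(self, column, enc_needle):
        needle = decrypt(self._key, enc_needle)
        hits = sum(decrypt(self._key, c) == needle for c in column)
        return encrypt(self._key, str(hits).encode())  # result leaves encrypted

class Server:
    """Models the untrusted database host: stores and forwards ciphertext only."""
    def __init__(self, enclave):
        self.column, self._enclave = [], enclave
    def insert(self, blob):
        self.column.append(blob)
    def count_equal(self, enc_needle):
        return self._enclave.count_equal(self.column, enc_needle)

def demo():
    key = secrets.token_bytes(32)           # data owner's key (constructed)
    server = Server(Enclave(key))           # key provisioning to the TEE is assumed
    for v in [b"alice", b"bob", b"alice"]:  # constructed sample rows
        server.insert(encrypt(key, v))
    result = server.count_equal(encrypt(key, b"alice"))
    return server.column, int(decrypt(key, result).decode())
```

In this model the host-visible `column` holds two different blobs for the two `alice` rows, so equality and frequency are hidden from the host while the enclave can still answer the query.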

Ease of use

PolarDB for PostgreSQL (Compatible with Oracle) supports common SQL statements. PolarDB for PostgreSQL (Compatible with Oracle) also provides various tools to help you migrate data from other cloud services to Alibaba Cloud without the need to modify the application code. Such tools include a driver for automatic encryption and decryption and a tool to convert data between plaintext and ciphertext. User operations are transparent to trusted execution hardware. This simplifies the process of using the product. Solutions that are developed based on pure cryptography can be upgraded for existing databases.

Multiple solutions

Solutions that are developed based on pure cryptography and trusted hardware are supported. You can choose a solution that meets your business needs. Each of the solutions allows you to specify the encrypted columns. This way, data that is not encrypted is not affected. This helps you balance security and performance at a granular level.

Isolation for security

The plaintext of an entity's data that is stored in PolarDB for PostgreSQL (Compatible with Oracle) can be viewed only by the entity. If a cooperative entity wants to access the data, the relevant operations must be authenticated and performed in the TEE. Then, the requested data is encrypted based on the assigned permissions before the data is sent to the cooperative entity. This way, Confidential Database ensures that the cooperative entity can perform operations on the data as expected and that the operations are isolated.

Multiple TEEs

PolarDB for PostgreSQL (Compatible with Oracle) supports TEEs such as Intel Software Guard Extensions (SGX) and field-programmable gate arrays (FPGAs) that are developed by Alibaba Group. You can perform diverse computing operations based on your business needs in a flexible manner. The FPGAs developed by Alibaba Group support Chinese cryptographic algorithms to improve data security.