Database Autonomy Service (DAS) provides column-level encryption to protect sensitive data in your databases, such as ApsaraDB RDS for MySQL, ApsaraDB RDS for PostgreSQL, PolarDB for MySQL, and PolarDB for PostgreSQL. This feature enables you to encrypt specific data columns. Authorized users can then decrypt and access the plaintext data through a dedicated client driver.
Supported regions and databases
Database | Region |
| China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Chengdu), and China (Hong Kong) |
PolarDB for PostgreSQL (Compatible with Oracle) | China (Hangzhou) and Malaysia (Kuala Lumpur) |
Prerequisites
Authorize the instance for sensitive data detection and column encryption on the Instances page.

Purchase DAS Security Center and ensure that you have a sufficient quota for column encryption.
Ensure that the region of your instance supports the column encryption feature. For more information, see Product series and supported features.
Complete a sensitive data detection task. For more information, see Manage sensitive data detection.
Billing information
DAS provides a free quota to encrypt one column. To encrypt more columns, enable the Column Encryption service and purchase a sufficient Column Encryption Quota. This service is billed on a subscription basis. For more information, see Billing.
If you set Encryption Method to KMS Key in the column encryption configuration, Key Management Service (KMS) charges a fee for the managed key. For more information, see Product Billing.
Encryption limitations
Supported database type | Supported version | Supported encryption algorithm | Supported encryption method | Supported permission |
ApsaraDB RDS for MySQL | The major engine version is MySQL 5.7 or MySQL 8.0. The minor engine version is greater than or equal to 20240731. | | | |
ApsaraDB RDS for PostgreSQL | The major engine version is PostgreSQL 16. The minor engine version must be greater than or equal to 20241230. | AES-256-GCM. | Local keys. | |
PolarDB for MySQL | The major engine version is MySQL 5.7 or MySQL 8.0. The database proxy version must be greater than or equal to 2.8.36. Important: If you configure column encryption policies for a PolarDB for MySQL cluster, you must use a cluster endpoint to connect to the cluster in read/write mode. If you use a primary endpoint, column encryption policies do not take effect. For more information, see Configure database proxy and Manage endpoints. | AES-128-GCM. | Local keys. | |
PolarDB for PostgreSQL | The major engine version is PostgreSQL 14. The minor engine version must be greater than or equal to 2.0.14.15.31.0. | AES-256-GCM | Local keys. |
Procedure
Log on to the DAS console.
In the navigation pane on the left, click .
Click One-click Encryption in the Actions column of the target instance and configure the encryption policy.
Note: For an instance that already has an encryption policy, click Edit in the Actions column to modify the policy.
In the Encryption Configuration panel, select the Asset Type, Instance Name, Encryption Algorithm, Encryption Method, and Plaintext Permission Accounts. Then, select the target Database, Table, and Column, and click OK.
In the instance list, click the icon to the left of the target instance to expand the database, table, and column information. In the Actions column of the expanded list, click Disable Encryption or Enable Encryption, and then click OK in the dialog box that appears.
References
Integrate with EncJDBC: Use the EncJDBC driver to access the plaintext of encrypted columns from a Java application.
Integrate with the Go driver: Use the alibabacloud-encdb-mysql-go-client driver to access the plaintext of encrypted columns from a Go application.