This topic provides answers to some frequently asked questions about data masking and column encryption of the risk governance feature in Data Security Center (DSC).
Does static data masking affect raw data?
No, static data masking does not affect raw data. The static data masking feature only reads data, masks data, and saves the masked data to the location that you specify. The static data masking feature does not modify the raw data.
Does DSC support image masking?
No, DSC does not support image masking.
What are the format requirements when I select Object Storage Service (OSS) as the destination for a static data masking task?
Only the CSV and XSL formats are supported.
Does DSC support data masking for ApsaraDB for Redis?
No. DSC provides only the baseline check feature for ApsaraDB for Redis. For more information, see Security baseline check.
What prerequisites must be met before I configure column encryption rules for PolarDB for MySQL or ApsaraDB RDS for MySQL instances?
ApsaraDB RDS instances that run MySQL 5.7 or MySQL 8.0 and whose minor engine version is 20240731 or later
PolarDB for MySQL instances that run MySQL 5.7 or MySQL 8.0 and whose database proxy version is 2.8.36 or later
Sufficient columns are purchased for column encryption. For more information, see Purchase DSC or Specification change of subscription DSC.
DSC is authorized to access the data assets in the ApsaraDB RDS and PolarDB instances that you want to manage. For more information, see Authorize DSC to access databases.
Sensitive data column identification is performed on the authorized ApsaraDB RDS for MySQL and PolarDB for MySQL instances. For more information, see Identify sensitive data by using identification tasks.
For more information, see Column encryption.
Why am I unable to find the authorized ApsaraDB RDS and PolarDB instances on the Column Encryption page?
If the authorized ApsaraDB RDS and PolarDB instances do not run MySQL, the instances are not displayed on the page.
What do I do if the ApsaraDB RDS instance and PolarDB instance fail the encryption check?
Failed is displayed in the Encryption Check column in the following scenarios:
The authorized ApsaraDB RDS instance does not run MySQL 5.7 or MySQL 8.0.
If you want to enable column encryption for the ApsaraDB RDS for MySQL instance, go to Instances, find the instance, and then upgrade the database version. For more information, see Upgrade the major engine version.
The minor engine version of the instance is earlier than 20240731.
If you want to enable column encryption for the ApsaraDB RDS for MySQL instance, click Update Minor Engine Version, configure the Latest Version and Update Time parameters, and then click OK to update the minor engine version of the instance. For more information, see Update the minor engine version. Column encryption can be enabled for the RDS instance only after the minor engine version of the instance is updated.
The database instance is a read-only instance.
When a read-only RDS instance is being created, ApsaraDB RDS replicates data from the secondary RDS instance to the read-only RDS instance. After the read-only RDS instance is created, the instance has the same data as the primary RDS instance. After the data on the primary RDS instance is updated, ApsaraDB RDS immediately synchronizes the updates to all read-only RDS instances that are attached to the primary RDS instance. We recommend that you enable the column encryption feature for the primary RDS instance.
Failed is displayed in the Encryption Check column in the following scenarios:
The authorized PolarDB for MySQL instance does not run MySQL 5.7 or MySQL 8.0.
If you want to enable column encryption for the PolarDB for MySQL instance, go to the PolarDB console, find the instance, and then upgrade the database engine version. For more information, see Major version upgrade.
The database proxy version is not supported.
If you want to enable the column encryption feature for the PolarDB for MySQL instance, update the database proxy version. For more information, see Minor version update. You can enable the column encryption feature for the PolarDB instance only after the database proxy version of the instance is updated.