The column encryption feature in Data Security Center (DSC) protects your data by encrypting specific columns in your database for storage. This feature secures sensitive data in databases such as RDS for MySQL, RDS for PostgreSQL, PolarDB for MySQL, PolarDB for PostgreSQL, PolarDB for PostgreSQL (Compatible with Oracle), and PolarDB-X 2.0. It prevents unauthorized personnel from using cloud platform software or database connection tools to directly access sensitive data in plaintext. This helps you mitigate internal and external security threats and ensure data security.
Function introduction
The column encryption feature in Data Security Center includes two main parts: encryption settings and account permission management. Encryption settings define the encryption algorithm, method, and scope, such as database instances, databases, tables, and columns. Account permission management controls which database accounts can access the encrypted data and their permissions.
Encryption principles
Encryption algorithms: Column encryption uses industry-standard encryption algorithms such as SM4_128_GCM, AES-128-GCM, and AES-256-GCM to encrypt data in specified columns.
Encryption methods: Column encryption supports two methods for managing encryption keys for a specified database.
Local key: Generate and store the encryption key in your local environment.
KMS key (Recommended): Use Key Management Service (KMS) to host the encryption key for the specified database. DSC supports using a customer master key that you create or manage in KMS. For more information about key types, see Key types.
Account permissions:
An account refers to a database account that is pulled from a database authorized for DSC. Supported databases include RDS for MySQL, RDS for PostgreSQL, PolarDB for MySQL, PolarDB for PostgreSQL, PolarDB for PostgreSQL (Compatible with Oracle), and PolarDB-X 2.0.
The permissions are described as follows:
Permission | Description |
Ciphertext Permission (JDBC Decryption) | By default, the account can access the ciphertext of encrypted columns. The account can use an always-confidential client driver through an SDK to decrypt the data with a local key or a KMS key and view the plaintext. |
Ciphertext Permission (no Decryption Permission) | The account can only access the ciphertext of encrypted columns. It cannot decrypt the data to view the plaintext by any means. |
Plaintext Permission | After you enable column encryption for a database, an account with plaintext permission is not affected by the encryption settings and can directly access the plaintext data in encrypted columns. |
Database encryption limits
Supported database type | Supported versions | Supported encryption algorithms | Supported encryption methods | Supported permissions |
RDS for MySQL | Major version is MySQL 5.7 or MySQL 8.0, and the minor engine version is 20240731 or later. | Note: Only AES_128_GCM is supported in regions outside the Chinese mainland. | | |
RDS for PostgreSQL | Major version is PostgreSQL 16, and the minor engine version must be 20241230 or later. | AES_256_GCM. | Local key. | |
PolarDB for MySQL | Major version is MySQL 5.7 or MySQL 8.0, and the database proxy version must be 2.8.36 or later. Important: If you set a column encryption policy for a PolarDB for MySQL database, you must use the database proxy endpoint (read/write splitting mode) to connect to the database. If you use the primary endpoint, the column encryption policy does not take effect. For more information, see Configure a database proxy and Manage endpoints. | AES_128_GCM. | Local key. | |
PolarDB for PostgreSQL | Major version is PostgreSQL 14, and the database version is 2.0.14.15.31.0 or later. | AES_256_GCM. | Local key. | |
PolarDB for PostgreSQL (Compatible with Oracle) | Only Oracle syntax compatibility 2.0 is supported. The major version is PostgreSQL 14, and the database version is 2.0.14.15.31.0 or later. | AES-256-GCM. | Local key. | |
PolarDB-X 2.0 | Database version is polardb-2.5.0_5.4.20-20250714_xcluster8.4.20-20250703 or later. | | Local key. | |
Billing
DSC provides a free quota to encrypt one column. To encrypt more columns, you must enable the Column Encryption service and purchase a sufficient Number Of Encrypted Columns. This service is billed on a subscription basis. For more information about billing, see Billing overview.
If you set the Encryption Method to KMS Key in the column encryption configuration, KMS charges a fee for hosting the key. For more information about billing, see Product billing.
Usage flow
Column encryption configuration flow
The following figure shows the flow for configuring column encryption for a target database. For more information, see Configure column encryption for a database.
Example of accessing encrypted column data
After you configure column encryption, when a database account with ciphertext permission queries an encrypted column, the database returns the data in ciphertext. You can decrypt the data on the client to obtain the plaintext. This ensures that the data remains encrypted during transmission between the client and the database.
Client usage
Alibaba Cloud provides always-confidential client drivers for Java and Go. You can use a database account with Ciphertext permission (JDBC decryption) to decrypt and access the plaintext data in encrypted columns of a target database.
Programming language | Supported database types | References |
Java | | Integrate EncJDBC (Supports decryption using local keys and KMS keys) |
Go | | Integrate the Go driver (Supports decryption using local keys only) |