All Products
Search
Document Center

Data Security Center:Column encryption

Last Updated:Jun 04, 2026

The column encryption feature of Data Security Center (DSC) encrypts specific columns in ApsaraDB RDS for MySQL, ApsaraDB RDS for PostgreSQL, PolarDB for MySQL, PolarDB for PostgreSQL, PolarDB for PostgreSQL (Oracle Compatible), and PolarDB-X 2.0 databases to prevent unauthorized users from accessing plaintext sensitive data through cloud platform software or database connection tools, helping mitigate both internal and external security threats.

Benefits

  • No application changes required: The client driver handles encryption and decryption transparently, requiring no application changes.

  • Low performance overhead: TPC-C benchmark tests show that performance reaches over 93% of plaintext operations.

  • End-to-end cryptographic protection: Data is always returned as ciphertext. Even if database credentials are compromised, the data remains secure.

  • Full SQL support: All native SQL query functions work on encrypted data without limitations.

  • Secure key management: You can specify which keys to use. Keys are immediately destroyed when the service is terminated, and key updates and rotation are supported.

Key concepts

Column encryption in DSC has two parts: encryption settings and account permission management. Encryption settings define the algorithm, method, and scope (instances, databases, tables, and columns). Account permission management controls which database accounts can access encrypted data and their permission level.

  • Encryption algorithm: Column encryption uses industry-standard SM4-128-GCM, AES-128-GCM, and AES-256-GCM encryption algorithms to encrypt data in specified columns.

  • Encryption method: Column encryption supports two methods for managing encryption keys for specified databases: local key and KMS key.

    • Local key: Encryption keys are generated and stored in your local environment.

    • KMS key (Recommended): Use Key Management Service (KMS) to host encryption keys for the specified database. DSC supports using a Customer Master Key that you create and manage in KMS. Key types.

  • Account permissions:

    Accounts are the database accounts from the authorized instances that you have authorized DSC to access.

    Available permissions:

    Permission

    Description

    Ciphertext Permission (JDBC Decryption)

    By default, the account can access ciphertext of encrypted columns. Use an SDK with the always-confidential client driver to decrypt data using a local key or KMS key.

    Ciphertext Permission (No Decryption Permission)

    The account can only access ciphertext. Decryption is not possible by any means.

    Plaintext Permissions

    After column encryption is enabled for a database, the account bypasses encryption and accesses plaintext data in encrypted columns directly.

Quotas and limits

Database type

Version

Encryption algorithm

Encryption method

Permission

ApsaraDB RDS for MySQL

The major engine version is MySQL 5.7 or MySQL 8.0, and the minor engine version is 20240731 or later.

  • AES-128-GCM.

  • AES-256-GCM: Supported only if the minor engine version is 20241231 or later.

  • SM4-128-GCM: Supported only if the minor engine version is 20241231 or later.

  • local key.

  • KMS key: Supported only if the minor engine version is 20241231 or later and the storage type is cloud disk.

  • Ciphertext permission (no decryption permission): Supported only when a local key is used. This is the default permission.

  • Ciphertext permission (JDBC decryption): This is the default permission when a KMS key is used.

  • Plaintext permission.

ApsaraDB RDS for PostgreSQL

The major engine version is PostgreSQL 16, and the minor engine version must be 20241230 or later.

AES-256-GCM.

local key.

  • Ciphertext permission (JDBC decryption) (Default).

  • Plaintext permission.

PolarDB for MySQL

The major engine version is MySQL 5.7 or MySQL 8.0, and the database proxy version must be 2.8.36 or later.

Important

If you configure column encryption policies for a PolarDB for MySQL cluster, you must use a read/write cluster endpoint. Primary endpoints do not support column encryption policies. Configure database proxy and Manage endpoints.

AES-128-GCM.

local key.

PolarDB for PostgreSQL

The major engine version is PostgreSQL 14, and the database version is 2.0.14.15.31.0 or later.

AES-256-GCM.

local key.

PolarDB for PostgreSQL (Oracle Compatible)

Only the Oracle syntax-compatible version 2.0 is supported. The major engine version is PostgreSQL 14, and the database version is 2.0.14.15.31.0 or later.

AES-256-GCM.

local key.

PolarDB-X 2.0

The series must be Enterprise Edition. The database version must be polardb-2.5.0_5.4.20-20250714 or later.

  • AES-128-GCM.

  • AES-256-GCM: Supported only if the database version is polardb-2.5.0_5.4.21-20260414 or later.

  • SM4-128-GCM.

  • local key.

  • KMS key: Supported only if the database version is polardb-2.5.0_5.4.21-20260414 or later.

Billing

DSC provides a free quota for one encrypted column. To encrypt more columns, enable the Column Encryption service and purchase a sufficient number of encrypted columns (subscription-based). Billing.

If you set the encryption method to KMS key, KMS charges apply for key hosting. Product Billing.

Process overview

Column encryption workflow

The following figure shows the column encryption workflow. Configure column encryption for a database.

image

Accessing encrypted data

After column encryption is configured, accounts with ciphertext permission receive only ciphertext when querying encrypted columns. Client-side decryption retrieves the plaintext, ensuring data stays encrypted during transmission.

image

Client usage

Alibaba Cloud provides always-confidential client drivers for Java and Go. Use an account with ciphertext permission (JDBC decryption) to decrypt and access plaintext data in encrypted columns.

Language

Database type

Documentation

Java

  • ApsaraDB RDS for MySQL

  • ApsaraDB RDS for PostgreSQL

  • PolarDB for MySQL

  • PolarDB for PostgreSQL

  • PolarDB for PostgreSQL (Oracle Compatible)

  • PolarDB-X 2.0

Integrate EncJDBC (Supports decryption with a local key and a KMS key)

Go

  • ApsaraDB RDS for MySQL

  • PolarDB for MySQL

  • PolarDB-X 2.0

Integrate GoLang driver (Supports decryption with a local key only)