After completing the classification and grading of sensitive data in authorized ApsaraDB RDS (MySQL or PostgreSQL) and PolarDB (MySQL or PostgreSQL) databases, you can use the column encryption feature provided by Data Security Center (DSC) to further protect sensitive column data against unauthorized access. This feature ensures that plaintext data cannot be directly viewed through cloud platform software or database tools.
Benefits
Data available but invisible: Keeps encrypted data available in databases. However, only authorized users can decrypt and view the encrypted data.
Enhanced security: Effectively defends against internal and external security threats to ensure data security.
Enhanced private asset protection: Makes your cloud data truly private assets and prevents unauthorized access.
Column encryption helps you meet compliance requirements and significantly improves the security of sensitive data.
Feature description
The column encryption feature of DSC includes encryption settings and account permission management. Encryption settings define encryption algorithms and the scope of instances, databases, tables, and columns for encryption. Account permission management is used to control access of database accounts to all encrypted column data.
How it works
Encryption algorithm: The column encryption feature uses industry-standard AES-128-GCM and AES-256-GCM encryption algorithms to encrypt specified column data.
Encryption method: The column encryption feature uses local keys and KMS keys to manage keys of specified databases.
Local keys: encryption keys that are generated and stored in the local environment.
KMS keys (recommended): encryption keys that are managed in Key Management Service (KMS) for specified databases. DSC supports customer master keys (CMK) that you create or manage in KMS. For more information, see Key management types.
Account permission description:
Database accounts refer to the ApsaraDB RDS for MySQL, ApsaraDB RDS for PostgreSQL, PolarDB for PostgreSQL, and PolarDB for MySQL database accounts that DSC is authorized to access.
The following table describes the permissions.
Permission | Description |
Ciphertext permission (JDBC decryption) | Allows accounts to access the ciphertext data of encrypted columns. The accounts can use an SDK to decrypt ciphertext data with KMS keys or local keys to view plaintext data. |
Ciphertext permission (No decryption permission) | Allows accounts to access only the ciphertext data of encrypted columns. The accounts cannot decrypt ciphertext data to view plaintext data. |
Plaintext permission | Allows accounts to access the plaintext data of encrypted columns in the databases for which the column encryption is enabled. |
Database encryption limits
Supported database type | Supported version | Supported encryption algorithm | Supported encryption method | Supported permission |
ApsaraDB RDS for MySQL | The major engine version is MySQL 5.7 or MySQL 8.0. The minor engine version is greater than or equal to 20240731. | | | |
ApsaraDB RDS for PostgreSQL | The major engine version is PostgreSQL 16. The minor engine version must be greater than or equal to 20241230. | AES-256-GCM. | Local keys. | |
PolarDB for MySQL | The major engine version is MySQL 5.7 or MySQL 8.0. The database proxy version must be greater than or equal to 2.8.36. Important: If you configure column encryption policies for a PolarDB for MySQL cluster, you must use a cluster endpoint to connect to the cluster in read/write mode. If you use a primary endpoint, column encryption policies do not take effect. For more information, see Configure database proxy and Manage endpoints. | AES-128-GCM. | Local keys. | |
PolarDB for PostgreSQL | The major engine version is PostgreSQL 14. The minor engine version must be greater than or equal to 2.0.14.15.31.0. | AES-256-GCM | Local keys. |
Billing rules
The column encryption feature allows you to encrypt one column for free. To encrypt more columns, you must enable column encryption and purchase a sufficient quota of columns based on the subscription billing method. For more information, see Billing overview.
If the Encryption Method parameter is set to KMS Key, you are charged for key management and the fee is included in the KMS bills. For more information, see Product Billing.
Process overview
Configure column encryption
The following figure shows the process for configuring column encryption for a database. For more information, see Configure column encryption for a database.
Access encrypted column data
After you configure column encryption and use a database account with the ciphertext permission to query encrypted columns, the database returns ciphertext data. The encrypted data is decrypted to plaintext only on the client side. This ensures that the data remains encrypted during transmission outside the database and application clients.
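Client-side decryption with a local key, as described above and under How it works, sketched in Go as an added example. This is not Alibaba Cloud's driver code or DSC's actual ciphertext format: the `nonce || ciphertext || tag` layout, the function names and the sample values are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM: a 16-byte key selects AES-128-GCM, a 32-byte key AES-256-GCM.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 16 && len(key) != 32 {
		return nil, errors.New("local key must be 16 or 32 bytes")
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length checked above
	return cipher.NewGCM(block)
}

// EncryptColumn returns nonce || ciphertext || tag (assumed layout, not DSC's).
func EncryptColumn(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptColumn fails on a wrong key or modified bytes (GCM tag check).
func DecryptColumn(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() {
	ct, _ := EncryptColumn(make([]byte, 32), []byte("constructed-sample-value")) // all-zero demo key
	pt, err := DecryptColumn(make([]byte, 32), ct)
	fmt.Printf("ciphertext=%x plaintext=%s err=%v\n", ct, pt, err)
}
```

An account that receives only the ciphertext and holds no key sees the opaque bytes; a wrong key or any modified byte makes `DecryptColumn` return an error rather than altered plaintext.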
Client usage
Alibaba Cloud provides always-confidential client drivers written in Java and Go to enable access to the plaintext data of encrypted columns in databases. You must use a database account that has the ciphertext permission (JDBC decryption) to log on to the required database to view the plaintext data of encrypted columns.
Programming language | Supported database type | References |
Java | | Integrate EncJDBC (Support for decryption with local keys and KMS keys) |
Go | | Integrate GoLang driver (Support for decryption with local keys only) |