Data Security Center:Configure database column encryption

Step 1: Authorize DSC to access cloud resources

1. Log on to the DSC console.

2. In the RAM Authorization dialog box, click Authorize Now.

DSC can then access resources from services such as OSS, RDS, and MaxCompute.

Step 2: Sync database assets

1. In the left navigation pane, click Asset Center.

2. On the Asset Center page, click Asset synchronization.

After you purchase a DSC instance, asset synchronization runs automatically the first time you log on. DSC also syncs the asset list automatically at midnight every day.

Step 3: Connect the database and run data classification

DSC must complete a data classification scan before you can enable column encryption. Connect the database using one of two methods:

To connect a database and start classification:

1. In the left navigation pane, click Asset Center.

2. In the Structured Data area, click the database type you want to encrypt.

3. In the Classification and Grading column of the target instance, click .

   The instance status must be Running and at least one database must exist in the instance. If no database exists, you cannot enable the data classification feature.

   

4. In the Enable Classification and Grading dialog box, configure the parameters:

   Parameter	Description
   Activation Method	Choose Automatically create database accounts to let DSC create a read-only sddp_auto account, or Manually enter username and password to provide your own credentials. Automatic creation is available only for data types that support one-click enablement.
   Authorization Scope	Select Entire data source, or select Manage authorization scope in the data source list to specify which databases to include.
   Automatically create and start a default scan task	DSC creates and starts a default scan task after the connection succeeds. View results on the Classification and Grading > Tasks > Identification Tasks tab under Default Tasks.
   Automatically connect to new databases.	DSC automatically connects to new databases detected in the instance after each asset sync.

5. Click OK.

Step 4: Review database encryption status

After classification completes, review the encryption readiness of each database instance.

1. In the left navigation pane, choose Risk Governance > Column Encryption.

2. On the Column Encryption page, review the following information:

   Field	Description
   Columns	Total number of columns across all connected database instances.
   Sensitive Data (S3 and Higher)	Columns classified at sensitivity level S3 or above, broken down by encrypted, unencrypted, and failed.
   Accounts	Total Accounts: each account per database counts separately. Accounts For Which No Encryption Configured: accounts with no encryption policy set. Plaintext Permission and Ciphertext Permission counts: accounts with each permission type. Click any count or click Permission Settings to view full account details.
   List information	Instance name, asset type, region, encryption algorithm, plaintext permission accounts, and Encryption Check result.

   Sensitivity level reference:

   Level	Meaning
   N/A	No sensitive information detected
   S1	Non-sensitive (examples: provinces, cities, product names)
   S2	Moderately sensitive (examples: names, addresses)
   S3	Highly sensitive (examples: identity documents, passwords, database credentials)
   S4	Core confidential (examples: biometric data such as genes, fingerprints, iris scans)

   

3. Check the Encryption Check column for each instance:

   • Passed: the instance is ready for column encryption configuration.

   • Failed: the database version is incompatible. Click Go To Upgrade to open the upgrade page in the RDS or PolarDB console. After upgrading, sync assets again: go to Asset Center, on the Authorization Management tab, click Asset Authorization Management. In the Asset Authorization Management panel, click the target instance type (RDS or PolarDB), and then click Asset synchronization.

Step 5: Enable column encryption

After confirming that the Encryption Check status is Passed, configure column encryption.

Enable encryption with Rapid Encryption

Use one of these three entry points to open the Encryption Configuration panel:

• Click Rapid Encryption above the database instance list to encrypt all unencrypted columns across all instances.

• In the Actions column for a specific instance, click Rapid Encryption.

  

• On the Asset Center page, click in the Column Encryption column for the target instance.

  

• Authorize access to a database

In the Encryption Configuration panel, select the Asset Type, Instance name, Encryption Algorithm, Encryption Method, and Plaintext Permission Accounts. Then select the target Databases, Table, and Column, and click OK.

Encryption method notes:

• If you select KMS Key, first create a symmetric key in Key Management Service (KMS).

  

• > Important: Changing the encryption method after it is set causes DSC to restart the encryption task. During the restart, data in the encrypted columns is temporarily stored in plaintext. Finalize your encryption method before enabling encryption.

Plaintext Permission Accounts notes:

After you enable encryption, all database accounts default to ciphertext permission. To allow specific accounts to read plaintext directly, add them to the plaintext permission allowlist.

Important

The DSC service account — either sddp_auto (one-click connection) or the account you provided (credential-based connection) — must have Plaintext Permission so that DSC can continue to read the latest data for classification scans.

Modify account permissions

By default, all accounts except those explicitly granted Plaintext Permission have ciphertext permission. To change permissions:

1. On the Risk Governance > Column Encryption page, click Permission Settings in the Accounts area. Alternatively, click Edit in the Actions column for the instance, then click Configure next to Account Permissions.

2. In the Permission Settings panel, find the target instance and account.

   If a new account does not appear in the list, run Asset synchronization and check again.

3. In the Actions column for the account, click Modify Permissions. To update multiple accounts at once, select accounts with the same current permission and click Batch Modify Permissions.

4. Select the target permission and click OK.

Available permissions: Plaintext Permission, Ciphertext Permission (No Decryption Permission), or Ciphertext Permission (JDBC Decryption).

Update the encrypted column scope or algorithm

After encryption is configured, you can adjust the scope or algorithm.

• To toggle encryption for a single column: in the instance list, expand the instance, locate the Databases, Table, and Column, then click Enable Encryption or Disable Encryption.

  

• To update the algorithm, method, or encrypted column scope: in the Actions column for the instance, click Edit.

  • Click Modify next to Encryption Algorithm or Encryption Method to update the setting.

  • > Important: Changing the encryption method restarts the encryption task. During the restart, data in the encrypted columns is temporarily stored in plaintext. Proceed with caution.

  • In the database list, locate the target Databases, Table, and Column, and click Enable Encryption or Disable Encryption.