All Products
Search

This Product

    PolarDB:Column encryption

    Document Center

    PolarDB:Column encryption

    Last Updated:Aug 14, 2025

    PolarDB lets you encrypt specific columns for storage. You can use a decryption function to retrieve the original data, which improves data security.

    Note

    The column encryption feature is in a phased release. Its parameters are not yet visible in the console. To use this feature, go to the Quota Center. Find the quota with the Quota ID polardb_mysql_column_encryption, and then click Apply in the Actions column.

    Version requirements

    This feature is supported only on PolarDB for MySQL 8.0.2 clusters running minor version 8.0.2.2.30 or later.

    Background information

    In previous versions, PolarDB for MySQL used encryption functions such as aes_encrypt to encrypt data at the field level. However, this method required the client to manage keys, key rotation, and access permissions. The column encryption feature in PolarDB for MySQL integrates these operations into the database server. You only need to set the encryption property for the columns that you want to encrypt. This feature also supports non-blocking key rotation using Online DDL.

    Precautions

    Performance overhead

    • Write performance

      Using the column encryption feature incurs a performance overhead. When binary logging is disabled, the performance overhead for single-threaded inserts is about 3%. Note that when binary logging is enabled or the table has a large row width, the overhead is lower due to changes in the system I/O pattern and resource allocation.

    • Read performance

      The read performance overhead depends on whether a decryption function is used in the query. A single decryption function in an SQL statement incurs a performance overhead of about 6%.

    Index usage

    Only point queries can use an index for efficient retrieval. Range queries, such as WHERE age>20, and pattern matching queries, such as LIKE '%key%', cannot use an index. These operations result in a full table scan.

    Table property limitations

    • Encryption is not supported for tables that contain virtual columns.

    • Only tables that use the InnoDB storage engine are supported.

    • Partitioned tables are not supported.

    • Encrypted columns must be the varbinary type.

    • The field length must be at least 44 bytes.

    • You cannot add an encrypted column directly. You must convert a standard column into an encrypted column.

    Usage

    Note

    Column encryption and the Transparent Data Encryption (TDE) feature both use Key Management Service (KMS) for key management.

    1. Syntax (access control, DDL, and DML)

    Access control

    To use the column encryption feature, your database account must have the ENCRYPTION_FUN_ADMIN permission. A privileged account can grant this permission.

    -- Grant permission
GRANT ENCRYPTION_FUN_ADMIN ON *.* TO 'testman'@'%';
-- View permissions
SHOW GRANTS;

    DDL

    Create an encrypted column

    Use the ENCRYPTION keyword to specify an encrypted column.

    1. Specify the PAN column as an encrypted column.

      USE mydatabase;
CREATE TABLE IF NOT EXISTS `my_pan` (
    `id` INT NOT NULL AUTO_INCREMENT,
    `pan` VARBINARY(128) NOT NULL ENCRYPTION,
    `desc` blob Default NULL,
    KEY `idx_pan` (`pan`),
    PRIMARY KEY (`id`)
);
      Note

      You can create an encrypted column with a default value of NULL. However, NULL values are not encrypted.

    2. Use the `MODIFY` statement to convert a standard column to an encrypted column or vice versa.

      ALTER TABLE my_pan modify `pan` VARBINARY(128) ENCRYPTION;
ALTER TABLE my_pan modify `pan` VARBINARY(128) NOT ENCRYPTION;
      Note

      You cannot directly add an encrypted column. You must use the `MODIFY` statement to change a standard column.

    Build an index

    You can also build an index on an encrypted column. The syntax is the same as for a standard column. For example:

    CREATE index idx_pan ON my_pan(pan);
    Note

    The data in the index is encrypted. The index itself is sorted by the encrypted values.

    DML

    The following section describes the two encryption and decryption functions:

    -- Encryption function
enhanced_aes_encrypt(data, db_name, table_name)

-- Decryption function
enhanced_aes_decrypt(data)

    Insert data

    Data inserted into an encrypted column is automatically encrypted. You do not need to use the `enhanced_aes_encrypt` function.

    INSERT INTO `my_pan` VALUES(1,"my_passwd", "aaa");

    Query data

    # 1. Point query without an index (range query)
SELECT id,enhanced_aes_decrypt(pan) FROM `my_pan` WHERE enhanced_aes_decrypt(pan) = 'my_password_10';

# 2. Point query using an index. The retrieved data is in plaintext.
SELECT id,enhanced_aes_decrypt(pan) FROM `my_pan` WHERE pan = enhanced_aes_encrypt('my_password_10', "mydatabase", "my_pan");

# 3. Point query using an index. The retrieved data is in ciphertext.
SELECT id, pan FROM `my_pan` WHERE pan = enhanced_aes_encrypt('my_password_10', "mydatabase", "my_pan");

    Update data

    # Update data using the primary key index.
UPDATE `my_pan` SET pan='new6-password', DESC='Senior6' WHERE id = 1;

# Update data using the encrypted column index.
UPDATE `my_pan` SET pan='new6-password', DESC='Senior6' WHERE pan=enhanced_aes_encrypt('my_password_6', "mydatabase", "my_pan");

    Delete data

    # Delete data using the primary key index.
DELETE FROM `my_pan` WHERE id = 1;

# Delete data using the encrypted column index.
DELETE FROM `my_pan` WHERE pan = enhanced_aes_encrypt('my_password_2', "mydatabase", "my_pan");

    2. Key management

    1. Authorize PolarDB to access KMS.

    2. Enable the TDE feature.

      Important

      • Enabling TDE causes the PolarDB cluster to restart. Perform this operation with caution.

      • After TDE is enabled, it cannot be disabled.

      • Enabling the TDE feature itself does not incur additional performance overhead for non-TDE tables or tables that do not use column encryption.

      1. Log on to the PolarDB console. In the navigation pane on the left, click Clusters. Select the region of the cluster, and then click the cluster ID.

      2. In the navigation pane on the left, click Settings and Management Security.

      3. On the TDE Settings tab, turn on TDE Status and specify a custom key.

        Note

        Before you delete a key in KMS, confirm that the key is disassociated from all encrypted tables. This includes historical versions. Otherwise, the PolarDB cluster may become unavailable after a restart.

        image.png

    3. Select a key.

      Note

      You can select Use an existing custom key or Select a key in the pop-up window. Keys can be generated by the KMS service.

      image.png

    4. (Optional) Key rotation.

      Note

      • PolarDB does not automatically update the master key version of custom keys. You can update the key version manually. For more information, see Key rotation.

      • After key rotation, new encrypted tables use the new key for encryption. The data in existing encrypted tables remains encrypted with the original key.

      • Data rotation decrypts the data in a table and then re-encrypts it with the latest key version. Note that this operation consumes CPU and I/O resources. Data rotation is not mandatory, but you must ensure that all keys used by the data tables remain available.

      • Table locking during data rotation

        • If the Online Copy feature is not enabled, the table is locked during data rotation.

        • If the Online Copy DDL feature is enabled, the table is not locked during data rotation. Concurrent DML operations are allowed, but concurrent DDL operations are not allowed.

      To re-encrypt existing tables with a new key, run the following data rotation command:

      ALTER TABLE <table_name> engine = innodb,algorithm=copy;

    5. Query table keys.

      You can run the following SQL statement to query the key usage for all encrypted tables in the system.

      SELECT * FROM information_schema.INNODB_COLUMN_ENCRYPTED_TABLE;

    3. Parameter settings

    You can enable the column encryption feature by setting the loose_polar_enable_column_encryption parameter. For more information, see Set cluster and node parameters. The following table describes this parameter.

    Parameter

    Description

    loose_polar_enable_column_encryption

    Controls whether to enable the column encryption feature. Valid values:

    • ON: Enables the column encryption feature.

    • OFF (Default): Disables the column encryption feature.

    4. (Optional) Enable the Online Copy feature

    When you use the `COPY` DDL syntax for data rotation, such as modifying table definitions across engines, adjusting column properties, or converting between standard and partitioned tables, the table is locked by default. This can block your services. To resolve this issue, you can enable the Online Copy optimization feature. This feature lets you change the table schema with no locks or with minimal locks. The following table describes the related parameters.

    Parameter

    Description

    loose_polar_support_online_copy_ddl_algorithm

    The primary switch for Online Copy DDL. Valid values:

    • ON: Enables the Online Copy DDL feature.

    • OFF (Default): Disables the Online Copy DDL feature.

    loose_polar_support_online_copy_ddl_algorithm_for_modify

    Allows data rotation to use the Modify statement. You must set this parameter. Valid values:

    • ON: Enables the Online feature for Modify Column statements.

    • OFF (Default): Disables the Online feature for Modify Column statements.