Column encryption lets you store specific columns in encrypted form and retrieve the original data using a built-in decryption function. Unlike field-level encryption with aes_encrypt, column encryption manages keys on the database server — so even users with direct database access cannot read the encrypted values without explicitly calling the decryption function. This provides a clear separation between those who own the data and those who operate the database.
Column encryption is in a phased release. Its parameters are not yet visible in the console. To use this feature, go to Quota Center. Find the quota with the Quota ID polardb_mysql_column_encryption, and then click Apply in the Actions column.Version requirements
Supported on PolarDB for MySQL 8.0.2 clusters running minor version 8.0.2.2.30 or later.
Limitations
Review these limitations before enabling column encryption to confirm the feature fits your use case.
Performance overhead
| Operation | Overhead | Condition |
|---|---|---|
| Single-threaded inserts (write) | ~3% | Binary logging disabled |
| Single-threaded inserts (write) | Lower than 3% | Binary logging enabled, or table has large row width |
| Decryption per SQL statement (read) | ~6% | One enhanced_aes_decrypt call per statement |
Index usage
The index on an encrypted column sorts by ciphertext, not plaintext. Because comparisons in the encrypted value space are meaningless for ranges, only point queries (equality comparisons) can use the index. Range queries such as WHERE age > 20 and pattern matching such as LIKE '%key%' cannot use the index and result in a full table scan.
If your queries require range comparisons on a sensitive column, consider applying encryption at the application layer instead, where you have more control over the query logic.
Table property limitations
Tables with virtual columns are not supported.
Only the InnoDB storage engine is supported.
Partitioned tables are not supported.
Encrypted columns must use the
VARBINARYtype.The field length must be at least 44 bytes.
You cannot add an encrypted column directly with
ADD COLUMN. UseMODIFYto convert an existing standard column to an encrypted column.
Set up column encryption
Setting up column encryption involves four steps:
Authorize PolarDB to access KMS — grants the database server permission to use Key Management Service (KMS) for key operations.
Enable Transparent Data Encryption (TDE) — column encryption shares the KMS integration with TDE.
Enable the column encryption parameter — turns on the feature at the cluster level.
Grant the required privilege — your database account must have the
ENCRYPTION_FUN_ADMINprivilege.
Step 1: Authorize PolarDB to access KMS
Authorize PolarDB to access KMS before proceeding.
Step 2: Enable TDE
Column encryption uses TDE for key management. Enable TDE in the PolarDB console.
Enabling TDE restarts the PolarDB cluster. Plan for downtime before proceeding.
TDE cannot be disabled after it is enabled.
Enabling TDE itself does not incur additional performance overhead for non-TDE tables or tables that do not use column encryption.
Log on to the PolarDB console. In the left navigation pane, click Clusters. Select the cluster region and click the cluster ID.
In the left navigation pane, click Settings and Management > Security.
On the TDE Settings tab, turn on TDE Status and specify a custom key.

Select a key. Choose Use an existing custom key or Select a key in the pop-up window. Keys can be generated by KMS.

Before deleting a key in KMS, confirm that it is disassociated from all encrypted tables, including historical versions. Otherwise, the PolarDB cluster may become unavailable after a restart.
Step 3: Enable the column encryption parameter
Set the loose_polar_enable_column_encryption parameter to ON. For instructions, see Set cluster and node parameters.
| Parameter | Default | Description |
|---|---|---|
loose_polar_enable_column_encryption | OFF | Enables or disables column encryption. Set to ON to enable. |
Step 4: Grant the required privilege
Your database account must have the ENCRYPTION_FUN_ADMIN privilege to use column encryption functions. A privileged account can grant this privilege.
-- Grant the privilege
GRANT ENCRYPTION_FUN_ADMIN ON *.* TO 'testman'@'%';
-- Verify the privilege
SHOW GRANTS;Define and use encrypted columns
Create a table with an encrypted column
Use the ENCRYPTION keyword to mark a column as encrypted.
USE mydatabase;
CREATE TABLE IF NOT EXISTS `my_pan` (
`id` INT NOT NULL AUTO_INCREMENT,
`pan` VARBINARY(128) NOT NULL ENCRYPTION,
`desc` blob Default NULL,
KEY `idx_pan` (`pan`),
PRIMARY KEY (`id`)
);A column with a default value ofNULLcan be encrypted, butNULLvalues are not encrypted.
Convert an existing column
Use MODIFY to convert a standard column to an encrypted column, or to remove encryption:
-- Convert to encrypted
ALTER TABLE my_pan MODIFY `pan` VARBINARY(128) ENCRYPTION;
-- Remove encryption
ALTER TABLE my_pan MODIFY `pan` VARBINARY(128) NOT ENCRYPTION;Build an index on an encrypted column
The syntax is the same as for a standard column. Index data is stored as ciphertext and sorted by encrypted values.
CREATE INDEX idx_pan ON my_pan(pan);Insert data
Data inserted into an encrypted column is automatically encrypted. Calling enhanced_aes_encrypt on insert is not required.
INSERT INTO `my_pan` VALUES(1, "my_passwd", "aaa");Query data
The two functions for encryption and decryption are:
-- Encrypt a value (for use in WHERE clauses)
enhanced_aes_encrypt(data, db_name, table_name)
-- Decrypt a value (for use in SELECT or WHERE clauses)
enhanced_aes_decrypt(data)Three common query patterns:
-- 1. Point query without index (range query style): decrypts every row, full table scan
SELECT id, enhanced_aes_decrypt(pan) FROM `my_pan`
WHERE enhanced_aes_decrypt(pan) = 'my_password_10';
-- 2. Point query using index, returns plaintext
SELECT id, enhanced_aes_decrypt(pan) FROM `my_pan`
WHERE pan = enhanced_aes_encrypt('my_password_10', "mydatabase", "my_pan");
-- 3. Point query using index, returns ciphertext
SELECT id, pan FROM `my_pan`
WHERE pan = enhanced_aes_encrypt('my_password_10', "mydatabase", "my_pan");Update and delete data
-- Update using the primary key index
UPDATE `my_pan` SET pan = 'new6-password', DESC = 'Senior6' WHERE id = 1;
-- Update using the encrypted column index
UPDATE `my_pan` SET pan = 'new6-password', DESC = 'Senior6'
WHERE pan = enhanced_aes_encrypt('my_password_6', "mydatabase", "my_pan");
-- Delete using the primary key index
DELETE FROM `my_pan` WHERE id = 1;
-- Delete using the encrypted column index
DELETE FROM `my_pan`
WHERE pan = enhanced_aes_encrypt('my_password_2', "mydatabase", "my_pan");Manage keys
View key usage
Run the following statement to view the key in use for all encrypted tables:
SELECT * FROM information_schema.INNODB_COLUMN_ENCRYPTED_TABLE;Rotate keys
PolarDB does not automatically update the master key version for custom keys. To rotate a key manually, see Key rotation.
After key rotation:
New encrypted tables use the new key.
Existing encrypted tables remain encrypted with the original key.
Re-encrypt existing tables
Data rotation re-encrypts all data in a table using the latest key version. This operation consumes CPU and I/O resources and is not mandatory — but all keys used by existing data tables must remain available.
ALTER TABLE <table_name> ENGINE = innodb, ALGORITHM = COPY;By default, ALGORITHM = COPY locks the table during data rotation. To avoid service interruption, enable the Online Copy feature (see Enable Online Copy).
Locking behavior during data rotation:
| Online Copy DDL status | Locking behavior |
|---|---|
| Disabled (default) | Table is locked during data rotation |
| Enabled | Table is not locked; concurrent DML allowed, concurrent DDL not allowed |
Enable Online Copy (optional)
When using ALGORITHM=COPY for data rotation or other schema changes, the table is locked by default, which can interrupt services. Enable the Online Copy DDL feature to perform these operations with no locks or minimal locks.
| Parameter | Default | Description |
|---|---|---|
loose_polar_support_online_copy_ddl_algorithm | OFF | Primary switch for Online Copy DDL. Set to ON to enable. |
loose_polar_support_online_copy_ddl_algorithm_for_modify | OFF | Allows data rotation using the MODIFY statement. Set to ON to enable. Both parameters must be set together. |