PolarDB for MySQL supports three complementary encryption methods: disk encryption, Transparent Data Encryption (TDE), and column encryption. Each method protects data at a different layer and blocks a different set of attackers. This topic helps you choose the right method—or combination—for your security requirements.
How the three methods differ
The most useful lens for choosing an encryption method is who you're blocking, not what layer the technology operates at.
| | Disk encryption | TDE | Column encryption |
|---|---|---|---|
| Protects against | IaaS-level attackers (physical access to disks) | PaaS- and IaaS-level attackers (OS and disk access) | Application-level, network, and admin-level attackers |
| Encryption type | Encryption at rest (disk layer) | Encryption at rest (file system layer) | Encryption in use (query results in memory) |
| Encryption granularity | Cluster (all data on the disk) | Database and table | Column |
| Visible to DBA | Yes | Yes | No |
| Visible to OS admin (PaaS) | Yes | No | Yes |
| Visible to platform engineer (IaaS) | No | No | Yes |
| Application changes required | None | None | Replace JDBC driver with EncJDBC (no code changes) |
| Typical performance impact | Negligible to slight | Less than 5% in most cases; up to 20% under heavy load | Less than 7% in most cases; up to 21% under heavy load |
You can combine all three methods. Column encryption combined with TDE provides end-to-end encryption for data in transit and at rest.
Encryption methods
Disk encryption (encryption at rest — IaaS layer)
Disk encryption operates at the Infrastructure as a Service (IaaS) layer. When you create a cloud disk with an ECS instance, or separately attach a data disk, enabling encryption causes the ECS operating system (OS) to automatically encrypt data before writing it to the disk and decrypt it on read. The process is transparent to the database and to applications.
Disk encryption protects against attackers who gain physical access to the underlying hardware—for example, a platform engineer who copies data directly from a cloud disk. It does not protect against database administrators (DBAs) or OS admins, who access data through the database engine or file system.
For configuration details, see Cloud disk encryption.
TDE (encryption at rest — PaaS layer)
Transparent Data Encryption (TDE) operates at the Platform as a Service (PaaS) layer. The database engine encrypts data in memory before writing it to the file system, and decrypts it on read. Data at rest in OS files and on disk is always ciphertext; data in the database engine's memory remains plaintext.
TDE extends disk encryption's protection upward: it also blocks OS admins from reading data by copying database files or backup files from disk. DBAs who access data through the database engine can still see plaintext.
Performance notes:
The primary factors are the sizes of the databases and tables being encrypted, database configuration, and application load.
If sensitive table sizes fit within the buffer cache, performance impact is minimal. If sensitive tables greatly exceed cache capacity, impact can be significant.
In most workloads, the impact is under 5%. Under extremely heavy load, it can reach 20%.
For configuration details, see Configure TDE.
Column encryption (encryption in use — application layer)
Column encryption is the basic edition of the always-confidential database feature. It encrypts query results inside the database engine's memory before sending them to the client. The client decrypts the results using the encryption key. Data travels between the database and application as ciphertext; data stored on disk and in OS files remains plaintext.
This method blocks the widest range of attackers: application-layer intrusions, network interception, database admin access, and attacks on development or test copies of production data. It is well suited for protecting specific sensitive columns such as payment card numbers or national ID numbers.
Application integration: Replace the standard Java Database Connectivity (JDBC) driver with EncJDBC. No code changes are required.
Performance notes:
Performance impact scales with the volume of encrypted data returned per query, not with overall table or database size. Retrieving a single encrypted row has minimal impact; returning one million encrypted rows can have significant impact.
In most workloads, the impact is under 7%. Under extremely heavy load, it can reach 21%.
For an overview of the always-confidential database feature, see Overview.
Threat landscape
The following table maps common database attack types to the encryption methods that mitigate them.
| Attack type | Description | Mitigated by |
|---|---|---|
| Attack admins | Targets DBAs, OS admins, or platform engineers who hold elevated permissions. A compromised admin account can expose all data accessible at that privilege level. | Column encryption (blocks DBA access); TDE (blocks OS admin access); disk encryption (blocks IaaS-level access) |
| Attack users | Targets database users through credential theft or SQL injection to escalate privileges. | Column encryption |
| Attack apps | Targets application servers, which have a larger attack surface than the database itself. | Column encryption |
| Attack network | Intercepts data in transit between the application and database. | Column encryption |
| Bypass database | Bypasses the database engine by copying database files or backup files directly from disk. | TDE, disk encryption |
| Bypass OS | Bypasses the file system by copying data directly from cloud disks. | Disk encryption |
| Exploit database | Exploits code bugs or vulnerabilities in the database engine to gain unauthorized access. | Patching database and OS vulnerabilities (not addressed by any of the three encryption methods) |
| Target data copies | Attacks development or test databases that contain copies of production data but have weaker controls. | Column encryption |
For more background on database attack vectors, see Oracle's Maximum Security Architecture for Database Security.
How encryption works in the system architecture
Architecture overview
The following diagram shows where each encryption method takes effect in the system stack.
Disk encryption takes effect at the OS layer of the ECS instance and its host, encrypting and decrypting OS files. It applies to all clusters whose cloud disks reside on that host.
TDE takes effect at the cluster level, encrypting and decrypting cached database files. It applies to individual clusters.
Column encryption takes effect at the cluster level, encrypting query results in the database engine's memory before returning ciphertext to the connected application. It applies to individual clusters.
Data states by encryption method
The following diagram shows where data is ciphertext versus plaintext under each method.
Disk encryption: ciphertext on disk; plaintext in OS files and in the database.
TDE: ciphertext on disk and in OS files; plaintext in the database.
Column encryption: ciphertext in the query results the database returns (plaintext only inside the engine's memory); plaintext in OS files and on disk. Data is ciphertext while in use and plaintext while stored.
Combining column encryption with TDE provides end-to-end data protection—data is encrypted in use (column encryption) and encrypted at rest in both the file system and on disk (TDE).
Differences at a glance
| Attribute | Disk encryption | TDE | Column encryption |
|---|---|---|---|
| Effective scope | OS | Database engine | Database engine |
| Encryption scope | Host or ECS instance | Cluster | Cluster |
| Encryption granularity | Cluster | Database and table | Column |
| Application awareness | Transparent | Transparent | Requires EncJDBC driver (no code changes) |
Choose an encryption method
Use the following guidance to select the right method for your scenario:
Disk encryption only — Sufficient if your primary concern is physical hardware access (IaaS-level attackers) and you have no compliance requirements beyond that layer.
TDE — Add TDE if you need to block OS admins from accessing database files directly.
Column encryption — Add column encryption if your threat model includes insider threats at the DBA level, network interception, or application-layer breaches, or if compliance requirements mandate that specific sensitive columns (such as payment card data or national IDs) remain encrypted even during query processing.
TDE + column encryption — Use both when you need end-to-end encryption covering data at rest in files, in transit between the database and application, and during query processing.
Disk encryption, TDE, and column encryption can be used in combination. Enabling all three provides the broadest protection across IaaS, PaaS, and application layers.