You can use the alibabacloud-encdb-mysql-go-client confidential client driver to connect a Go application to a confidential database. This lets you use the always-confidential feature to encrypt data columns in a database table. This topic describes how to use the Go driver to access a confidential database.
The alibabacloud-encdb-mysql-go-client driver automatically decrypts ciphertext and returns plaintext data when provided with the required user key. This process is transparent to your application. You can connect your application to a confidential database by configuring only a few lines of code. This reduces the cost of using the always-confidential feature.
Prerequisites
Ensure that the always-confidential feature is enabled and that encryption rules are configured as needed. For more information about enabling the always-confidential feature, see Enable the always-confidential feature.
You have the connection information for the encrypted database: the domain name (host), port, database name (dbname), username, and password.
A Go program is deployed, and the Go version is 1.18 or later.
Procedure
Get the confidential database Go driver
```
go get github.com/aliyun/alibabacloud-encdb-mysql-go-client@latest
```

The alibabacloud-encdb-mysql-go-client driver is fully compatible with the community edition of the Go MySQL driver and supports the standard Go database/sql/driver interface. This lets you integrate the driver without modifying your application code.
The driver is open source on GitHub. For more information, see https://github.com/aliyun/alibabacloud-encdb-mysql-go-client.
Query data from the confidential client
You can use alibabacloud-encdb-mysql-go-client in the same way that you use the Go MySQL driver. First, you must configure the master key (MEK) and encryption algorithm (ENC_ALGO) parameters. PolarDB supports embedding these parameters in the connection URL (DSN), as follows:
```go
mek := ...     // 32-character hexadecimal customer master key (see the table below)
encAlgo := ... // encryption algorithm, for example SM4_128_CBC
// Substitute the values of mek and encAlgo for the <mek> and <encAlgo> placeholders.
db, err := sql.Open("encmysql", "<username>:<password>@tcp(<hostname>:<port>)/<dbname>?MEK=<mek>&ENC_ALGO=<encAlgo>")
if err != nil {
	panic(err)
}
```

To configure multiple parameters in a URL, separate them with an ampersand (`&`). The MEK is processed on the local client and protected by envelope encryption before it is sent to the server. This ensures that the MEK is never exposed in plaintext outside the client.
The following table describes the MEK and ENC_ALGO parameters and provides examples.
| Parameter | Description | Example |
| --- | --- | --- |
| MEK | The customer master key (CMK), which you specify. Common generation methods: a password generation tool such as openssl (for example `openssl rand -hex 16`), the random function of a programming language, or a key obtained from a third-party Key Management Service (KMS). Value range: a 16-byte value encoded as a 32-character hexadecimal string. Important: the customer master key is the root credential for access to encrypted data. For security reasons, the confidential database does not hold or manage your master key, and it does not provide a service to generate or back up your master key. You must generate the master key yourself. If you lose the key, you can no longer access your existing data. Therefore, back up your customer master key securely. | 00112233445566778899aabbccddeeff |
| ENC_ALGO | The encryption algorithm used for the protected data. It supports two main categories: Advanced Encryption Standard (AES) and the Note: the AES_128_ECB and SM4_128_ECB encryption algorithms are less secure. Use them with caution. | SM4_128_CBC |
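The following program is an added example and is not part of the PolarDB documentation or of the driver project. It shows how to generate a 16-byte MEK in the same format as `openssl rand -hex 16`, validate that a supplied MEK really is 32 hexadecimal characters, flag the ECB algorithms the table marks as less secure, and assemble the `encmysql` DSN with URL-encoded parameters so that the key is never hard-coded in source. The function names, the `ENCDB_MEK` environment variable, and the fixed algorithm list are assumptions of this example; the driver itself is not imported, so the program stops at producing the DSN that would be passed to `sql.Open("encmysql", dsn)`.

```go
// Added example, not code from the PolarDB documentation or the
// alibabacloud-encdb-mysql-go-client project: generate, validate and embed
// the MEK and ENC_ALGO parameters in an encmysql DSN.
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// Algorithm names that appear on the documentation page (assumed to be the
// complete list for this example).
var knownAlgos = map[string]bool{
	"AES_128_ECB": true,
	"SM4_128_ECB": true,
	"SM4_128_CBC": true,
}

// GenerateMEK returns a fresh 16-byte customer master key as a 32-character
// lowercase hex string, the same format that `openssl rand -hex 16` prints.
func GenerateMEK() (string, error) {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	return hex.EncodeToString(key), nil
}

// ValidateMEK checks that mek is exactly 16 bytes encoded as 32 hex characters.
func ValidateMEK(mek string) error {
	raw, err := hex.DecodeString(mek)
	if err != nil {
		return fmt.Errorf("MEK is not valid hex: %w", err)
	}
	if len(raw) != 16 {
		return fmt.Errorf("MEK must be 16 bytes (32 hex characters), got %d bytes", len(raw))
	}
	return nil
}

// LoadMEK reads the MEK from an environment variable (the variable name is an
// assumption of this example) so the key is kept out of source code and logs.
func LoadMEK(envName string) (string, error) {
	mek := os.Getenv(envName)
	if mek == "" {
		return "", errors.New(envName + " is not set")
	}
	return mek, ValidateMEK(mek)
}

// IsECBMode reports whether encAlgo is one of the ECB variants the table
// marks as less secure, so callers can refuse or warn about them.
func IsECBMode(encAlgo string) bool {
	return strings.HasSuffix(encAlgo, "_ECB")
}

// BuildDSN assembles the encmysql DSN. The query parameters are URL-encoded so
// that a special character in a value cannot split or inject a parameter.
func BuildDSN(user, password, host, port, dbname, mek, encAlgo string) (string, error) {
	if err := ValidateMEK(mek); err != nil {
		return "", err
	}
	if !knownAlgos[encAlgo] {
		return "", fmt.Errorf("unsupported ENC_ALGO %q", encAlgo)
	}
	params := url.Values{}
	params.Set("MEK", mek)
	params.Set("ENC_ALGO", encAlgo)
	return fmt.Sprintf("%s:%s@tcp(%s:%s)/%s?%s", user, password, host, port, dbname, params.Encode()), nil
}

// RedactMEK replaces the key in a DSN before the DSN is logged or displayed.
func RedactMEK(dsn, mek string) string {
	return strings.Replace(dsn, mek, "<redacted>", 1)
}

func main() {
	mek, err := LoadMEK("ENCDB_MEK")
	if err != nil {
		// Demo fallback only: in a real deployment the key comes from the
		// environment or a KMS and is backed up, never generated ad hoc.
		if mek, err = GenerateMEK(); err != nil {
			panic(err)
		}
		fmt.Println("generated a new MEK; back it up securely, the database cannot recover it")
	}
	encAlgo := "SM4_128_CBC"
	if IsECBMode(encAlgo) {
		fmt.Println("warning: ECB mode selected; the documentation marks it as less secure")
	}
	dsn, err := BuildDSN("<username>", "<password>", "<hostname>", "3306", "<dbname>", mek, encAlgo)
	if err != nil {
		panic(err)
	}
	// dsn is what you would pass to sql.Open("encmysql", dsn) as shown on the page.
	fmt.Println("DSN (MEK redacted):", RedactMEK(dsn, mek))
}
```

`url.Values.Encode` sorts parameters by name, so the DSN ends in `?ENC_ALGO=...&MEK=...`; the driver reads parameters by name, so the order does not matter.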
Example
This example uses a new demo project created with `go mod init demo` to demonstrate how to use alibabacloud-encdb-mysql-go-client.
```go
package main

import (
	"database/sql"
	"fmt"

	// Imported for its side effect: registers the "encmysql" driver name with database/sql.
	_ "github.com/aliyun/alibabacloud-encdb-mysql-go-client"
)

func main() {
	// MEK and ENC_ALGO are passed as DSN parameters; encryption and decryption
	// of protected columns are handled transparently by the driver.
	db, err := sql.Open("encmysql", "<username>:<password>@tcp(<hostname>:<port>)/<dbname>?MEK=00112233445566778899aabbccddeeff&ENC_ALGO=SM4_128_CBC")
	if err != nil {
		panic(err)
	}
	defer db.Close()

	_, err = db.Exec("DROP TABLE IF EXISTS test")
	if err != nil {
		panic(err)
	}
	_, err = db.Exec(`create table test(a int, b text, c float)`)
	if err != nil {
		panic(err)
	}
	_, err = db.Exec(`insert into test set a = 0, b = 'test', c = 0.0`)
	if err != nil {
		panic(err)
	}

	rows, err := db.Query("SELECT * FROM test")
	if err != nil {
		panic(err)
	}
	defer rows.Close()

	if !rows.Next() {
		if err := rows.Err(); err != nil {
			panic(err)
		}
		panic("no rows returned")
	}
	var a int
	var b string
	var c float32
	// Scan receives plaintext: the driver has already decrypted the ciphertext columns.
	if err = rows.Scan(&a, &b, &c); err != nil {
		panic(err)
	}
	fmt.Printf("read data: %d %s %f\n", a, b, c)
}
```

Replace the placeholder connection information in the example, such as the domain name (hostname), port, database name (dbname), username, and password, with the actual information for your cluster. After you run the code, the system returns a decrypted result similar to the following:

```
read data: 0 test 0.000000
```