All Products
Search

This Product

    PolarDB:Use the Confidential Database feature

    Document Center

    PolarDB:Use the Confidential Database feature

    Last Updated:Mar 28, 2026

    The Confidential Database feature protects sensitive columns—such as email addresses and transaction amounts—from being read in plaintext by privileged internal users like database administrators (DBAs) and developers. It encrypts query results in real time at the database proxy layer, so only authorized applications using a specific encryption driver can decrypt the data. Your physical data on disk is not changed; only the results returned to unauthorized clients are encrypted.

    How it works

    When an SQL query matches a configured encryption policy, the database proxy intercepts the result and encrypts the specified fields before returning them to the client.

    Data storage: The feature does not alter how data is physically stored. Data remains in plaintext in operating system (OS) files and on cloud disks.

    User roles and what they see:

    RoleQuery resultsCan decrypt?
    Super administratorAlways plaintextN/A—no encryption applied
    Regular userCiphertextYes, using a supported encryption driver and the correct key
    Other usersCiphertextNo, even with the key

    Limitations and considerations

    • Query-result encryption only: This feature encrypts results at the proxy layer. Data at rest (OS files, cloud disks) remains in plaintext.

    • No filtering on encrypted columns from external clients: Standard MySQL clients querying encrypted fields receive ciphertext, which is not human-readable.

    • Key loss is unrecoverable: If a self-managed key is lost, all data encrypted under that key cannot be decrypted.

    • Super administrator bypasses all policies: Any account designated as a super administrator always receives plaintext regardless of encryption policies. Limit this role carefully.

    Prerequisites

    Before you begin, make sure you have:

    • A PolarDB for MySQL cluster with database proxy version 2.9.12 or later

    Note To check the proxy version, go to Settings and Management > Version Management in the PolarDB console. If your proxy version is between 2.8.18 and 2.9.12, the encryption rule configuration interface is merged with the dynamic data masking feature. Upgrade to 2.9.12 or later for an independent configuration experience.

    Configure on-the-fly encryption

    Configuring on-the-fly encryption involves three steps: setting up a key, defining role permissions, and creating an encryption policy.

    Open the encryption settings

    1. Log on to the PolarDB console. In the left navigation pane, click Clusters. Select the region where your cluster is located, and then click the cluster ID to open the cluster details page.

    2. In the left navigation pane, click Settings and Management > Security, and then click the Encryption tab.

    Step 1: Configure a key

    On the Encryption page, turn on the Key Management switch.

    Use a KMS key (recommended)

    Alibaba Cloud Key Management Service (KMS) hosts your keys, supports automatic key rotation, and limits the blast radius of a leaked AccessKey (AK)—you can disable the AK or tighten the access policy without the key itself being compromised.

    Note Only the Customer Master Key (CMK) type is supported. The Default Key is not supported. For details, see Key Service overview.

    To configure a KMS CMK:

    1. Purchase and enable a KMS instance.

    2. Create a customer master key (CMK).

    3. Return to the PolarDB console, select the CMK you created, and click OK.

    Use a self-managed key

    If you do not configure KMS, the system uses a self-managed key by default. You are responsible for generating, distributing, and storing the key yourself.

    Important

    Self-managed keys are at risk of loss or leakage, and key updates are not currently supported. If a key is lost, the corresponding encrypted data cannot be decrypted. Establish strict security procedures before choosing this option.

    Step 2: Define role permissions

    On the Encryption page, click the Customer Role Permission Settings tab. Role permissions determine whether a database account receives query results in plaintext or ciphertext.

    1. Click Create Role Permission Policy.

    2. In the Role Permission Settings dialog box, configure the following:

      • Policy Name: A unique name for the policy, up to 64 characters long.

      • Super administrator: Select the database accounts that always receive plaintext results. These accounts bypass all encryption policies and are intended for management or audit use only. > Note: Add only the accounts that strictly require plaintext access, and strictly limit their use.

      • Regular user: Select the database accounts that receive ciphertext results. These accounts can decrypt the data using a supported encryption driver and the correct key. > Note: Any database account not listed as a super administrator or regular user is treated as Other users. These accounts receive ciphertext and cannot decrypt it, even with the key.

    3. Click OK.

    image

    Step 3: Create an encryption policy

    On the Encryption page, click the Encryption Policy Settings tab.

    1. Click Create Encryption Policy.

    2. Configure the policy parameters:

      Note Always specify the database, table, and field names when creating a policy. Avoid targeting all databases or all tables to prevent unintended impact on unrelated services.
      ParameterRequiredDescription
      Rule NameYesA unique identifier for the policy, such as encrypt-user-email. Up to 64 characters long.
      Rule DescriptionNoA human-readable description, such as Encrypt the email field in the user table of the customer database. Up to 64 characters long.
      Enable/Disable RuleThe policy is enabled by default on creation. You cannot change this during creation; modify it after creation if needed.
      Associated Permission PolicyYesThe role permission policy defined in Step 2.
      DatabaseNoThe database to which the policy applies. Select All databases (default) or Specify databases. When specifying multiple databases, separate names with a comma (,).
      Table NameNoThe table to which the policy applies. Select All tables (default) or Specify tables. When specifying multiple tables, separate names with a comma (,).
      Field NameYesThe fields to encrypt. Separate multiple field names with a comma (,).
      Encryption AlgorithmYesThe algorithm used for encryption. Supported options: SM4-128-CBC, SM4-128-ECB, SM4-128-GCM, SM4-128-GTR; AES-128-CBC, AES-128-ECB, AES-128-GCM, AES-128-GTR; AES-256-CBC, AES-256-ECB, AES-256-GCM, AES-256-GTR.

    3. Click OK.

    Manage encryption policies

    On the Encryption page, click the Encryption Policy Settings tab to manage existing policies:

    • Modify a policy: Find the target rule and click Modify in the Actions column.

    • Delete a policy: Find the target rule, click Delete in the Actions column, and click OK to confirm.

    • Enable or disable a policy: Find the target rule and click the switch in the Enable/Disable Rule column.

    Harden access with RAM

    To prevent DBAs or developers with console permissions from modifying or deleting encryption policies, use Resource Access Management (RAM) to explicitly deny those actions.

    How it works: Create a RAM deny policy scoped to the two write actions on encryption rules (polardb:ModifyMaskingRules and polardb:DeleteMaskingRules), then attach it to the relevant RAM users. A deny policy takes precedence over any allow policies the user holds.

    Step 1: Create a deny policy

    1. Log on to the RAM console. In the left navigation pane, choose Permission Management > Access Policies, and then click Create Policy.

    2. On the visual editor tab, set the following:

      • Effect: Deny

      • Service: PolarDB

      • Action: Select Specify Action. In the Write section, select polardb:ModifyMaskingRules and polardb:DeleteMaskingRules.

      • Resource and Condition: Specify the scope and conditions for the policy. For details, see Basic elements of an access policy.

    3. Click OK, then set the Policy Name and Note in the Create Policy dialog box.

    Step 2: Attach the policy to RAM users

    1. In the RAM console, choose Identity Management > Users. Find the target RAM user and click Add Permissions in the Actions column.

    2. In the Access Policies section, select the deny policy you created, and click OK.

    Result: When the restricted RAM user attempts to modify or delete an encryption policy, an insufficient-permissions error is returned.

    image

    FAQ

    I configured an encryption policy, but my database client still shows plaintext. Why?

    Check which account you used to connect. If the account is listed as a super administrator, it always receives plaintext results by design. To verify that encryption is working, connect using a regular user account—or any account not in the super administrator list—and query the encrypted field. If the value appears as ciphertext, the proxy layer is encrypting results correctly.

    How do I verify that encryption is working?

    Connect to the database using a standard MySQL client (such as the command line or Navicat) with an account that is not in the super administrator list. Query the encrypted field. If you see ciphertext, this verifies that the query results are being encrypted in real time at the database proxy layer.

    What are the risks of the super administrator role?

    The super administrator role reads plaintext data and completely bypasses encryption protection. Reserve it for specific, time-limited tasks such as data correction, migration, or auditing. Remove the account from the role immediately after the task is complete, and maintain a full audit trail of all operations performed under this role.

    What's next

    After configuring encryption policies, update your application to use an encryption driver that can decrypt the ciphertext results. PolarDB for MySQL supports the EncJDBC driver for Java applications and the GoLang driver for Go applications.