All Products
Search

This Product

    PolarDB:Use PolarDB Always-confidential

    Document Center

    PolarDB:Use PolarDB Always-confidential

    Last Updated:Nov 24, 2025

    High-privilege roles, such as database administrators (DBAs) and developers, may access sensitive data such as user identities and transaction records during database maintenance. This poses a risk of data breaches. The PolarDB Always-confidential feature for PolarDB for MySQL encrypts query results in real time at the database proxy layer. This ensures that only authorized applications that use a specific driver can decrypt and access sensitive data. You can use this feature to protect sensitive data and meet compliance requirements with only minor changes to your application code.

    How it works

    The PolarDB Always-confidential feature works at the database proxy layer. When an SQL query matches a configured encryption policy, the proxy layer encrypts the data in specified fields before returning the query results to the client.

    • Data storage: This feature does not change the physical storage state of data in the database. The data remains in plaintext in operating system (OS) files and on disks.

    • User perspectives:

      • Super administrator: Query results are always in plaintext and are not affected by encryption policies. This facilitates database management.

      • Regular user: Query results are returned as ciphertext. You must use specific encryption drivers (such as the EncJDBC driver and the GoLang driver) and the correct key to decrypt the data on the client.

      • Other users: Query results are in ciphertext and cannot be decrypted, even with the key.

    Scope

    The database proxy version of your PolarDB for MySQL cluster must be 2.9.12 or later.

    Note

    • View the version: You can view the database proxy version of your cluster on the Settings and Management > Version Management page.

    • Version compatibility: If the database proxy version is lower than 2.9.12 but higher than 2.8.18, the configuration interface for encryption rules is merged with the dynamic data masking feature. For the best experience and feature independence, we recommend that you upgrade to version 2.9.12 or a later version.

    Configure on-the-fly encryption

    Configuring on-the-fly encryption involves three main steps: configuring a key, defining role permissions, and creating an encryption policy.

    Procedure

    1. Go to the PolarDB console. In the navigation pane on the left, click Clusters. Select the region where your cluster is located, and then click the ID of the target cluster.

    2. In the navigation pane on the left, click Settings and Management > Security, and then click the Encryption tab.

    Step 1: Configure a key

    On the Encryption page, turn on the Key Management switch to configure a key for application-side encryption and decryption.

    Use a KMS key (Recommended)

    Alibaba Cloud Key Management Service (KMS) lets you host your keys, supports key rotation (automatic key updates), and provides high security and maintainability. Even if an AccessKey (AK) used to access KMS is leaked, you can control the risk by disabling the AK or tightening the access policy, and the key itself will not be compromised.

    Note

    Only the Customer Master Key type in KMS is supported. The Default Key is not supported. For more information, see Key Service Overview.

    Configure a KMS customer master key

    1. Purchase and enable a KMS instance.

    2. Create a customer master key (CMK).

    3. Return to the PolarDB console, select the customer master key, and click OK.

    Using self-managed keys

    If you do not configure KMS, the system uses a self-managed key by default. You must generate, distribute, and store the key yourself.

    Important

    Self-managed keys are at risk of being lost or leaked, and key updates are not currently supported. If a key is lost, the corresponding encrypted data cannot be decrypted. You must establish strict security procedures to manage your keys.

    Step 2: Define role permissions

    On the Customer Role Permission Settings tab of the Encryption page, configure roles for different database accounts. This determines whether they see plaintext or ciphertext when they query data.

    1. Click Create Role Permission Policy.

    2. In the Role Permission Settings dialog box, set the policy name and the database accounts for the roles.

      1. Policy Name: Specify a name for the policy. The name can be up to 64 characters long.

      2. Super Admin: Select the check boxes of the database accounts. You can select multiple accounts. Database accounts in this list always receive query results in plaintext.

        Note

        The Super Admin role has the highest permissions. Add only necessary management or audit accounts to this list and strictly control their use.

      3. Standard Account: Select the check boxes of the database accounts. You can select multiple accounts. Database accounts in this list receive query results in ciphertext but can decrypt the data using a specific encryption driver and key.

      Note

      Other users: Any database account not configured in the two role lists above. These users receive query results in ciphertext and cannot decrypt the data.

    image

    Step 3: Create and enable an encryption policy

    On the Encryption Policy Settings tab of the Encryption page, configure an encryption policy.

    1. Click Create Encryption Policy.

    2. In the dialog box that appears, configure the policy parameters as described in the following table.

      Note

      Specify a precise encryption scope: When you create a policy, always specify the database, table, and field names. Avoid applying the policy to all databases or all tables to prevent affecting unrelated services.

      Parameter

      Description

      Rule Name

      Required. A unique identifier for the policy, such as encrypt-user-email. The name can be up to 64 characters long.

      Rule Description

      Optional. A detailed description of the policy, such as Encrypt the email field in the user table of the customer database. The description can be up to 64 characters long.

      Enable/Disable Rule

      A switch to enable or disable the policy. The policy is enabled by default when created and cannot be changed during creation. You can modify this setting after the policy is created.

      Associated Permission Policy

      Required. Select the role permissions defined in Step 2.

      Database

      Optional. The database to which the policy applies. You can select one of the following options:

      • (Default) All databases: The policy applies to all databases in the cluster.

      • Specify databases: The policy applies only to the specified databases. Separate multiple database names with commas (,).

      Table Name

      Optional. The table to which the policy applies. You can select one of the following options:

      • (Default) All tables: The policy applies to all tables in the specified database.

      • Specify tables: The policy applies only to the specified tables. Separate multiple table names with commas (,).

      Field Name

      Required. The names of the fields to encrypt. Separate multiple field names with commas (,).

      Encryption Algorithm

      Required. The algorithm to use for encryption. The following algorithms are supported:

      • SM4 series: SM4-128-CBC, SM4-128-ECB, SM4-128-GCM, SM4-128-GTR.

      • AES-128 series: AES-128-CBC, AES-128-ECB, AES-128-GCM, AES-128-GTR.

      • AES-256 series: AES-256-CBC, AES-256-ECB, AES-256-GCM, AES-256-GTR.

    3. Click OK to create the policy.

    Step 4: Manage encryption policies

    On the Encryption Policy Settings tab of the Encryption page, you can manage your existing policies in the policy list.

    • Modify a policy: Find the target rule and click Modify in the Actions column.

    • Delete a policy: Find the target rule, click Delete in the Actions column, and then click OK in the dialog box that appears.

    • Enable or disable a policy: Find the target rule and click the switch in the Enable/Disable Rule column.

    Permission convergence and security hardening

    To prevent DBAs or developers with console permissions from maliciously modifying or deleting encryption policies, you can use Resource Access Management (RAM) for security hardening.

    Core concept

    The core concept is to create separate Resource Access Management (RAM) users for relevant personnel, grant them permissions to manage PolarDB, and explicitly deny them permissions to modify or delete encryption policies.

    Instructions

    1. Create a policy to deny modifications

      1. Log on to the RAM console. In the navigation pane on the left, choose Permissions > Policies. Click Create Policy to create a custom policy.

      2. On the visual editor tab, configure the following parameters:

        • Effect: Deny.

        • Service: PolarDB.

        • Action: Select Specify Action. In the Write section, select polardb:ModifyMaskingRules and polardb:DeleteMaskingRules.

        • Resource and Condition: Set the specific objects that the policy applies to and the conditions under which the policy takes effect. For more information, see Basic elements of an access policy.

        • After the configuration is complete, click OK. In the Create Policy dialog box, set the Policy Name and Note.

    2. Configure RAM user permissions

      1. Log on to the RAM console. In the navigation pane on the left, choose Identities > Users. Find the target RAM user and click Add Permissions in the Actions column.

      2. In the Policies section, select the deny policy that you created, and click OK.

    Result

    When the restricted RAM user tries to modify or delete an encryption policy, an error message indicating insufficient permissions appears.image

    What to do next

    After you configure the encryption rules, your application must use the JDBC driver (EncJDBC) or the GoLang driver, which have built-in encryption capabilities, to correctly read and write encrypted data.

    FAQ

    I configured an encryption policy. Why do I still see plaintext when I query data using a database client?

    Check the account used to log on to the database. If the account is configured as a Super Admin, query results are always in plaintext for ease of management. To see the ciphertext results, test with an account configured as a Standard Account.

    How can I verify that encryption is working?

    Use a database account that is not in the Super Admin list to connect to the database through a standard MySQL client, such as the command line or Navicat. Then, query the encrypted field. If you see ciphertext, this verifies that the query results are being encrypted in real time at the database proxy layer.

    What are the risks of the super administrator role?

    The Super Admin role can directly read plaintext data, completely bypassing encryption protection. Use this role only temporarily for absolutely necessary scenarios, such as data correction, migration, or auditing. Remove the account from this role immediately after use and maintain a complete audit trail of all operations.