All Products
Search
Document Center

PolarDB:Features

Last Updated:Jan 14, 2026

This topic describes the features of confidential databases.

Scope

The features described in this topic are available for PolarDB for PostgreSQL clusters that run PostgreSQL 14 with minor engine version 2.0.14.9.14.0 or later.

Note

You can view the minor engine version in the console or run the SHOW polardb_version; statement. If your cluster does not meet the version requirement, you can upgrade the minor engine version.

Limitations

  • Operations that involve both plaintext and ciphertext columns are not supported. For example: SELECT * FROM table_name WHERE plaintext_col < ciphertext_col;.

    Note

    In this example, table_name is the table name, plaintext_col is the plaintext column, and ciphertext_col is the ciphertext column.

  • Confidential databases do not provide a service to generate or back up customer master keys (CMKs). You must generate your own CMK. If you lose the key, you can no longer access your existing data. Therefore, back up your CMK in a secure location.

Supported data types and operators

Confidential databases define the following data types. These data types and their operators support SQL queries and transactions and are compatible with standard SQL syntax.

Data type

Description

Supported ciphertext computation

enc_int4

An encrypted integer. The corresponding plaintext is a 4-byte integer.

+, -, *, /, %, >, =, <, >=, <=, !=

enc_int8

An encrypted integer. The corresponding plaintext is an 8-byte integer.

enc_float4

An encrypted floating-point number. The corresponding plaintext is a 4-byte single-precision floating-point number.

+, -, *, /, >, =, <, >=, <=, !=

enc_float8

An encrypted floating-point number. The corresponding plaintext is an 8-byte double-precision floating-point number.

+, -, *, /, >, =, <, >=, <=, !=, pow

enc_decimal

An encrypted decimal number. The corresponding plaintext is a decimal.

+, -, *, /, >, =, <, >=, <=, !=, pow, %

enc_text

An encrypted variable-length string. The corresponding plaintext is a UTF-8 encoded text string.

substr/substring, ||, like, ~~, !~~, >, =, <, >=, <=, !=

enc_timestamp

An encrypted timestamp. The corresponding plaintext is a timestamp without a time zone.

extract year, >, =, <, >=, <=, !=

det_type

Encrypted data of any type. The same plaintext produces the same ciphertext.

=

rnd_type

Encrypted data of any type. The same plaintext produces different ciphertext.

N/A. Only storage is supported. Computation on ciphertext is not supported.

ore_int8

An order-preserving encrypted integer. The corresponding plaintext is an 8-byte integer. This encryption does not depend on trusted hardware.

>, =, <, >=, <=, !=

ore_float8

An order-preserving encrypted floating-point number. The corresponding plaintext is an 8-byte double-precision floating-point number. This encryption does not depend on trusted hardware.

>, =, <, >=, <=, !=

Example SQL:

CREATE TABLE example ( 
  account enc_int4,         -- Account number, corresponds to the integer type in plaintext
  name enc_text,            -- Name, corresponds to the text type in plaintext
  balance enc_float4,       -- Account balance, corresponds to the real type in plaintext
  credit enc_float4,        -- Credit limit, corresponds to the real type in plaintext
  quota real,               -- Plaintext column
  address enc_text,         -- Address, corresponds to the text type in plaintext
  remark text,              -- Remarks
  PRIMARY KEY (account)     -- Use the account column as the primary key
);

Query clauses

The confidential database supports the following clauses for common database queries.

Note

In the examples, table_name is the table name, col is the column name, and ciphertext_col is the ciphertext column.

Clause

Example

WHERE

SELECT col1, col2
    FROM table_name
    WHERE ciphertext_col1 > ciphertext_col2 
    ORDER BY col1;

ORDER BY

GROUP BY

SELECT col1, count(*)
    FROM table_name
    GROUP BY col1
    HAVING col1 IS NOT NULL;

HAVING

INTERSECT

SELECT ACCOUNT 
    FROM table_name
    WHERE col1 IS NOT NULL
EXCEPT
    SELECT ACCOUNT 
    FROM table_name
    WHERE ciphertext_col1 > ciphertext_col2 
LIMIT 1;

EXCEPT

UNION

LIMIT

OFFSET

Index acceleration

You can create an index on an encrypted column to accelerate queries. For example:

CREATE INDEX IF NOT EXISTS name_index_btree on table_name USING btree (name);
CREATE INDEX IF NOT EXISTS name_index_hash on table_name USING hash (name);

Multi-user authorization

In a confidential database, ciphertext data is isolated between users by default. You can grant access to other users by issuing a Behavior Control List (BCL) to enable collaborative computation on shared data. For more information, see Grant access to multiple users.

Plaintext-ciphertext type conversion

You can convert column types between plaintext and ciphertext. For more information, see Convert between plaintext and ciphertext.

Important

The current user must have BCL authorization to use this feature.