All Products
Search

This Product

    PolarDB:Features

    Document Center

    PolarDB:Features

    Last Updated:Jan 14, 2026

    This topic describes the features of confidential databases.

    Scope

    The features described in this topic are available for PolarDB for PostgreSQL clusters that run PostgreSQL 14 with minor engine version 2.0.14.9.14.0 or later.

    Note

    You can view the minor engine version in the console or run the SHOW polardb_version; statement. If your cluster does not meet the version requirement, you can upgrade the minor engine version.

    Limitations

    • Operations that involve both plaintext and ciphertext columns are not supported. For example: SELECT * FROM table_name WHERE plaintext_col < ciphertext_col;.

      Note

      In this example, table_name is the table name, plaintext_col is the plaintext column, and ciphertext_col is the ciphertext column.

    • Confidential databases do not provide a service to generate or back up customer master keys (CMKs). You must generate your own CMK. If you lose the key, you can no longer access your existing data. Therefore, back up your CMK in a secure location.

    Supported data types and operators

    Confidential databases define the following data types. These data types and their operators support SQL queries and transactions and are compatible with standard SQL syntax.

    Data type

    Description

    Supported ciphertext computation

    enc_int4

    An encrypted integer. The corresponding plaintext is a 4-byte integer.

    +, -, *, /, %, >, =, <, >=, <=, !=

    enc_int8

    An encrypted integer. The corresponding plaintext is an 8-byte integer.

    enc_float4

    An encrypted floating-point number. The corresponding plaintext is a 4-byte single-precision floating-point number.

    +, -, *, /, >, =, <, >=, <=, !=

    enc_float8

    An encrypted floating-point number. The corresponding plaintext is an 8-byte double-precision floating-point number.

    +, -, *, /, >, =, <, >=, <=, !=, pow

    enc_decimal

    An encrypted decimal number. The corresponding plaintext is a decimal.

    +, -, *, /, >, =, <, >=, <=, !=, pow, %

    enc_text

    An encrypted variable-length string. The corresponding plaintext is a UTF-8 encoded text string.

    substr/substring, ||, like, ~~, !~~, >, =, <, >=, <=, !=

    enc_timestamp

    An encrypted timestamp. The corresponding plaintext is a timestamp without a time zone.

    extract year, >, =, <, >=, <=, !=

    det_type

    Encrypted data of any type. The same plaintext produces the same ciphertext.

    =

    rnd_type

    Encrypted data of any type. The same plaintext produces different ciphertext.

    N/A. Only storage is supported. Computation on ciphertext is not supported.

    ore_int8

    An order-preserving encrypted integer. The corresponding plaintext is an 8-byte integer. This encryption does not depend on trusted hardware.

    >, =, <, >=, <=, !=

    ore_float8

    An order-preserving encrypted floating-point number. The corresponding plaintext is an 8-byte double-precision floating-point number. This encryption does not depend on trusted hardware.

    >, =, <, >=, <=, !=

    Example SQL:

    CREATE TABLE example ( 
  account enc_int4,         -- Account number, corresponds to the integer type in plaintext
  name enc_text,            -- Name, corresponds to the text type in plaintext
  balance enc_float4,       -- Account balance, corresponds to the real type in plaintext
  credit enc_float4,        -- Credit limit, corresponds to the real type in plaintext
  quota real,               -- Plaintext column
  address enc_text,         -- Address, corresponds to the text type in plaintext
  remark text,              -- Remarks
  PRIMARY KEY (account)     -- Use the account column as the primary key
);

    Query clauses

    The confidential database supports the following clauses for common database queries.

    Note

    In the examples, table_name is the table name, col is the column name, and ciphertext_col is the ciphertext column.

    Clause

    Example

    WHERE

    SELECT col1, col2
    FROM table_name
    WHERE ciphertext_col1 > ciphertext_col2 
    ORDER BY col1;

    ORDER BY

    GROUP BY

    SELECT col1, count(*)
    FROM table_name
    GROUP BY col1
    HAVING col1 IS NOT NULL;

    HAVING

    INTERSECT

    SELECT ACCOUNT 
    FROM table_name
    WHERE col1 IS NOT NULL
EXCEPT
    SELECT ACCOUNT 
    FROM table_name
    WHERE ciphertext_col1 > ciphertext_col2 
LIMIT 1;

    EXCEPT

    UNION

    LIMIT

    OFFSET

    Index acceleration

    You can create an index on an encrypted column to accelerate queries. For example:

    CREATE INDEX IF NOT EXISTS name_index_btree on table_name USING btree (name);
CREATE INDEX IF NOT EXISTS name_index_hash on table_name USING hash (name);

    Multi-user authorization

    In a confidential database, ciphertext data is isolated between users by default. You can grant access to other users by issuing a Behavior Control List (BCL) to enable collaborative computation on shared data. For more information, see Grant access to multiple users.

    Plaintext-ciphertext type conversion

    You can convert column types between plaintext and ciphertext. For more information, see Convert between plaintext and ciphertext.

    Important

    The current user must have BCL authorization to use this feature.