ApsaraDB RDS: Benefits

Last Updated: Mar 28, 2026

The always-confidential feature of ApsaraDB RDS for MySQL provides an encryption solution that prevents unauthorized access to your data and ensures compliance with data protection regulations. This page describes the key benefits to help you evaluate whether the feature meets your data protection and compliance requirements.

No code changes required

Enable the feature on an existing ApsaraDB RDS instance with a few commands — no application code changes, no client-side encryption or decryption logic.

  • All SQL statements work without modification. For example, run a plaintext SQL statement to perform a fuzzy match on an encrypted column.

  • Tools such as Data Transmission Service (DTS) and Data Management (DMS) work with the feature for workload migration without code changes.

  • Enable or disable the feature on an existing instance at any time. Rollback is supported.

Ciphertext results enforced by data protection rules

After you configure a data protection rule, the instance automatically identifies protected data during queries and returns results processed by the specified protection method.

  • Third parties cannot view protected data in plaintext in query results, even if account credentials are leaked.

  • The feature also determines whether to protect results of calculations involving protected data, including addition, subtraction, aggregation, and JOIN operations, based on the configured rule.

Table-level and column-level encryption granularity

Specify protection at the table or column level in a data protection rule. When a column is designated as protected and encryption is the specified method, the feature uses your key to automatically encrypt all data in that column. Only users with the key can decrypt and view the plaintext.

Minimal performance overhead

ApsaraDB RDS instances with the feature enabled have performance comparable to instances with it disabled. Query performance decreases in proportion to the size of the encrypted data — the larger the volume of encrypted data, the more noticeable the impact.

Flexible key management

Bring keys from a trusted or third-party key management service and pass them dynamically to EncJDBC (the MySQL JDBC driver for the always-confidential feature) using parameter settings or other methods. For details, see Use the always-confidential feature from EncJDBC.

  • Keys are available only to data owners and take effect through a secure distribution mechanism. Each key is automatically revoked after use, preventing theft.

  • Keys support updates and rotation.

  • Keys are automatically destroyed when the always-confidential feature is disabled on an instance.

Multiple client connection options

Connect using client drivers or SDKs in Java, Go, and Python.

  • Client drivers handle decryption automatically without changes to application configuration.

  • The SDK lets you call API operations to process ciphertext data programmatically.

Limitations

  • The only supported data protection method in a data protection rule is encryption.

  • The client supports decryption of ciphertext in query results but does not support encryption within SQL statements.

References

Always confidential database (public preview)