
ApsaraDB RDS: Configure column encryption rules in the console

Last Updated: Dec 03, 2025

This topic describes how to configure column encryption rules and role permissions for an ApsaraDB RDS for MySQL instance in the ApsaraDB RDS console. Column encryption is the basic edition of the Always-Confidential Database feature.

Prerequisites

Feature description

Column encryption configuration consists of two core components:

  • Column encryption rules: Define the columns to encrypt by specifying the database, table, and field.

  • Role permission settings: Control which database accounts can access plaintext or ciphertext data.

Before you create column encryption rules, grant plaintext viewing permissions to the accounts that need them.

  • If you do not assign a specific role to a database account, the account is assigned the Other administrators (view ciphertext) role by default.

  • If you create column encryption rules without first configuring role permissions, every account, including the one your application uses, can only view ciphertext. Your application then receives encrypted values, which appear as garbled text or cause access errors.

Usage notes

  • Column encryption rules are configured at the instance level. After you create and enable a rule, it applies across the RDS instance within the database, table, and field scope that you specified, and you do not need to configure it separately for each database.

  • Use separate database accounts for managing column encryption rules and for online applications. Do not grant rule-management permissions to application accounts unless necessary.

  • Exercise caution when you grant read or write permissions on the mysql.encdb_sensitive_rules and mysql.encdb_auth_users tables. An account that can modify these tables may be able to bypass always-confidential protection.
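The usage note above names two metadata tables that an attacker could tamper with to bypass protection. The following queries, added here as an example and not taken from the ApsaraDB RDS documentation, audit which MySQL accounts hold write access to those tables and revoke it from an application account. They assume a privileged (high-privilege) account that can read the mysql schema on the RDS for MySQL instance; the account name 'app_user'@'%' is a hypothetical placeholder.

```sql
-- Added example, not from the ApsaraDB RDS documentation.
-- Table-level privileges granted directly on the two EncDB metadata tables.
SELECT Host, User, Table_name, Table_priv
FROM mysql.tables_priv
WHERE Db = 'mysql'
  AND Table_name IN ('encdb_sensitive_rules', 'encdb_auth_users')
ORDER BY User, Table_name;

-- Database-level write privileges on the mysql schema also reach those tables.
SELECT Host, User, Db, Insert_priv, Update_priv, Delete_priv
FROM mysql.db
WHERE Db = 'mysql'
  AND (Insert_priv = 'Y' OR Update_priv = 'Y' OR Delete_priv = 'Y');

-- Global write privileges cover every schema, including mysql.
SELECT Host, User, Insert_priv, Update_priv, Delete_priv, Super_priv
FROM mysql.user
WHERE Insert_priv = 'Y' OR Update_priv = 'Y' OR Delete_priv = 'Y';

-- If an application account appears in the first result with write access,
-- strip the table-level grants ('app_user'@'%' is a hypothetical account).
REVOKE INSERT, UPDATE, DELETE ON mysql.encdb_sensitive_rules FROM 'app_user'@'%';
REVOKE INSERT, UPDATE, DELETE ON mysql.encdb_auth_users FROM 'app_user'@'%';
```

An application account should not appear in any of the three result sets with a write privilege. Note that REVOKE fails with "There is no such grant defined" if the named account does not actually hold a table-level grant on that table, so run the audit queries first; database-level and global privileges must be revoked at their own scope (for example REVOKE INSERT, UPDATE, DELETE ON mysql.* or ON *.*), and on RDS the privileged account is normally managed through the console rather than SQL.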

Procedure

  1. Go to the RDS Instances page, select a region in the top navigation bar, and then click the ID of the target instance.

  2. In the left navigation pane, click Data Security.

  3. Click the Column encryption tab to configure role permissions and column encryption rules.

Configure or modify role permissions

  1. Click Role permission settings, find the role that you want to manage, and then click Configure Account or Change Account in the Actions column.

    Note

    The following list describes the role permissions:

    • Super administrator: Can view the plaintext content of all sensitive data.

    • Operations and Maintenance Administrator: Can view sensitive data only in ciphertext. This role can create a custom dedicated key for real-time encryption and decryption of data.

    • Other administrators: Can only view ciphertext and cannot decrypt data.

  2. On the Configure Account page, configure the following parameters and click OK.

    You can adjust user permissions as needed. For example, you can assign the Super administrator role to multiple users, such as User A and then User B, in separate operations. To revoke a user's plaintext access, change the user's role to Other administrators.

    • Expiration date (required): Available only for the Super administrator role. When the expiration time arrives, the super administrator's permissions are automatically reset to those of Other administrators, who cannot view plaintext data.

    • Related accounts (optional): Select one or more existing database accounts from the drop-down list.

    • Custom Account (optional): Works like Related accounts, but you enter one or more database account names manually. Separate multiple account names with a comma (,).

Add or modify column encryption rules

  1. Click List encryption rules. To create a rule, click Newly added. To change an existing rule, find it in the list and click Modify in the Actions column.

  2. In the dialog box that appears, configure the following parameters and click OK.

    • Rule Name (required): The name of the encryption rule, up to 30 characters in length. You cannot change the name after creation. To change the name, delete the original rule and create a new one.

    • Database Name (optional): The databases to which the rule applies. Valid values:

      • All databases: The rule applies to all databases in the instance.

      • Include: The rule applies only to the specified databases. Enter one or more database names, separated by a comma (,).

    • Table Name (optional): The tables to which the rule applies. Valid values:

      • All data tables: The rule applies to all tables within the selected database scope.

      • Include: The rule applies only to the specified tables. Enter one or more table names, separated by a comma (,).

    • Field Name (optional): The fields (columns) to which the rule applies. Valid values:

      • All data columns: The rule applies to all fields within the selected table scope.

      • Include: The rule applies only to the specified fields. Enter one or more field names, separated by a comma (,).

Delete column encryption rules

On the Column encryption tab, click List encryption rules, find the rule that you want to delete, and then click Delete in the Actions column.