Column encryption protects sensitive database fields — such as credit card numbers or national identification numbers — so that only authorized database accounts can view plaintext values. It is the basic edition of the always-confidential database feature for ApsaraDB RDS for MySQL.
Column encryption has two components that work together:
- Column encryption rules — define which databases, tables, and fields are encrypted.
- Role permission settings — control which database accounts can view plaintext or ciphertext data.
Configure role permissions before adding column encryption rules. If you add encryption rules first, database accounts without explicit role assignments default to the Other administrators (view ciphertext) role, which can cause garbled text or access errors in your application.
Prerequisites
Before you begin, ensure that you have:
- An ApsaraDB RDS for MySQL instance running MySQL 5.7 or 8.0 with minor engine version 20240731 or later. To upgrade, see Update the minor engine version.
- The always-confidential feature enabled. See Enable the always-confidential feature.
- A privileged account to configure data protection rules.
Usage notes
- A data protection rule applies to all databases on the RDS instance once enabled. No per-database configuration is needed.
- Use separate database accounts to manage data protection rules and to run online applications. Avoid granting management permissions to application accounts unless necessary.
- Warning: Grant read and write permissions on `mysql.encdb_sensitive_rules` and `mysql.encdb_auth_users` with caution. Unauthorized modification of these tables can allow attackers to bypass always-confidential protection.
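To act on the warning above, the following audit query (an added example, not part of the original documentation) lists every grantee whose privileges reach the two tables, whether granted on the tables themselves, on the `mysql` schema, or globally. It uses only the standard MySQL `information_schema` privilege views; the column aliases and the choice of privilege types to flag are assumptions of this example.

```sql
-- Added audit example: who can read or modify the always-confidential
-- metadata tables named in the warning above?
-- Run as a privileged account: information_schema shows other accounts'
-- grants only to users who can read the mysql system schema.

-- 1. Grants that name the two tables directly (all privilege types).
SELECT 'table' AS grant_scope,
       GRANTEE,
       CONCAT(TABLE_SCHEMA, '.', TABLE_NAME) AS object_name,
       PRIVILEGE_TYPE,
       IS_GRANTABLE
FROM information_schema.TABLE_PRIVILEGES
WHERE TABLE_SCHEMA = 'mysql'
  AND TABLE_NAME IN ('encdb_sensitive_rules', 'encdb_auth_users')

UNION ALL

-- 2. Column-level grants on the same tables.
SELECT 'column', GRANTEE,
       CONCAT(TABLE_SCHEMA, '.', TABLE_NAME, '.', COLUMN_NAME),
       PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.COLUMN_PRIVILEGES
WHERE TABLE_SCHEMA = 'mysql'
  AND TABLE_NAME IN ('encdb_sensitive_rules', 'encdb_auth_users')

UNION ALL

-- 3. Schema-level grants. TABLE_SCHEMA can hold a wildcard pattern
--    (for example 'my%'), so match the pattern against 'mysql'.
SELECT 'schema', GRANTEE, CONCAT(TABLE_SCHEMA, '.*'),
       PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.SCHEMA_PRIVILEGES
WHERE 'mysql' LIKE TABLE_SCHEMA
  AND PRIVILEGE_TYPE IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'DROP', 'ALTER')

UNION ALL

-- 4. Global grants (ON *.*), which cover the mysql schema as well.
SELECT 'global', GRANTEE, '*.*', PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'DROP', 'ALTER')

ORDER BY GRANTEE, grant_scope;
```

Any application account in the result should be reviewed against the separation of management and application accounts recommended above. On MySQL 8.0, privileges held through a role are listed under the role's name as grantee, so also check which accounts hold that role.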
Role permissions
The following table shows what each role can do:
| Role | View plaintext | View ciphertext | Create custom dedicated key |
|---|---|---|---|
| Super administrator | Yes | — | — |
| Operations and Maintenance Administrator | — | Yes | Yes |
| Other administrators | — | Yes | — |
If you do not assign a role to a database account, it defaults to Other administrators (view ciphertext).
Configure or modify role permissions
- Go to the RDS Instances page, select a region in the top navigation bar, and then click the ID of the target instance.
- In the left navigation pane, click Data Security.
- Click the Column encryption tab.
- Click Role permission settings, find the role to manage, and then click Configure Account or Change Account in the Actions column.
- On the Configure Account page, set the following parameters and click OK.
Note: You can assign the super administrator role to multiple accounts in separate operations — for example, assign it to User A and then User B. To revoke an account's role, change it to Other administrator.
| Parameter | Required | Description |
|---|---|---|
| Expiration date | Yes (Super administrator only) | When the expiration date arrives, the super administrator's permissions reset automatically to Other administrator (no plaintext access). |
| Related accounts | No | Select one or more existing database accounts from the drop-down list. |
| Custom Account | No | Enter one or more database account names manually. Separate multiple names with a comma (,). |
Column encryption rules
Delete a column encryption rule
On the Column encryption tab, click List encryption rules, find the rule to delete, and then click Delete in the operation column.