
ApsaraDB RDS:Enable the always-confidential feature

Last Updated: Mar 30, 2026

The always-confidential database feature encrypts specific columns in your ApsaraDB RDS for MySQL instance — such as credit card numbers and national identification numbers — so that cloud platform operators and other high-privileged users cannot read the plaintext values. Encrypted columns remain invisible to database users until they are decrypted through an authorized client.

Prerequisites

Before you begin, ensure that you have:

  • An ApsaraDB RDS for MySQL instance running MySQL 5.7 or MySQL 8.0 with minor engine version 20240731 or later. To upgrade, see Update the minor engine version.

  • A privileged account on the instance. All operations in this guide require a privileged account.

Billing

This feature is free of charge.

Limitations

  • Instance restart required: Enabling the feature restarts your RDS instance. Schedule this during off-peak hours.

  • Performance impact: Enabling the feature has a minor impact on instance performance. Configuring data protection rules and operating on encrypted columns may further reduce performance.

  • Driver integration required for write workloads: If your application both reads and writes data, integrate the Alibaba Cloud drivers into your application before writing to encrypted columns. Without the drivers, encrypted data is written to the database as-is and becomes inoperable.

  • Configure data protection rules first: The feature encrypts columns according to data protection rules. Configure rules before enabling to avoid having the feature active with no protected columns. For details, see Manage data protection rules.

  • Enable TDE for disk-level protection (recommended): Transparent data encryption (TDE) protects data at rest on disk and complements column-level encryption. For details, see Configure TDE.

Enable the always-confidential database feature

  1. If you don't have a qualifying instance, create one. See Create an ApsaraDB RDS for MySQL instance for creation steps, and Instance types for standard primary ApsaraDB RDS for MySQL instances (original x86 architecture) or Instance types for YiTian primary ApsaraDB RDS for MySQL instances (original ARM architecture) for supported instance types. Skip this step if your existing instance already meets the prerequisites.

  2. Create a privileged account. See Create an account on an ApsaraDB RDS for MySQL instance.

  3. Create a database. See Manage databases.

  4. Log on to the ApsaraDB RDS console. On the Instances page, select the region where your instance resides, and click the instance ID.

  5. Enable the feature. In the left-side navigation pane, click Parameters. On the Modifiable Parameters tab, set loose_encdb to ON. In the upper-right corner, click Apply Changes, select the effective time, and then click OK.

    Warning

    This step restarts your RDS instance. Perform it during off-peak hours to minimize impact.
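A preflight check for the procedure above, added here as an example rather than Alibaba Cloud's own code. It encodes the prerequisites and limitations from this page as a gate to run before setting loose_encdb, and confirms after the restart that the running value matches the configured one; the rds_YYYYMMDD minor-version form, the instance dict fields, and the DescribeParameters response shape are assumptions.

```python
import re
REQUIRED_MINOR_VERSION = 20240731          # from the Prerequisites section
SUPPORTED_ENGINE_VERSIONS = {"5.7", "8.0"}
PARAMETER_NAME = "loose_encdb"              # the parameter set in step 5

def parse_minor_version(minor):
    """Extract the YYYYMMDD build date from a minor engine version string.
    Accepts the assumed console form 'rds_20240731' or a bare '20240731'."""
    m = re.search(r"(\d{8})", str(minor))
    if not m:
        raise ValueError(f"unrecognised minor engine version: {minor!r}")
    return int(m.group(1))

def check_prerequisites(instance):
    """Blocking problems from the Prerequisites section; [] means the instance qualifies.
    `instance` is a constructed dict of facts the operator gathers, not an API response."""
    problems = []
    if instance.get("engine_version") not in SUPPORTED_ENGINE_VERSIONS:
        problems.append("engine version must be MySQL 5.7 or 8.0")
    try:
        if parse_minor_version(instance.get("minor_version", "")) < REQUIRED_MINOR_VERSION:
            problems.append(f"minor engine version must be {REQUIRED_MINOR_VERSION} or later")
    except ValueError as exc:
        problems.append(str(exc))
    if not instance.get("privileged_account"):
        problems.append("a privileged account is required")
    return problems

def check_warnings(instance):
    """Non-blocking issues from the Limitations section."""
    warnings = []
    if not instance.get("data_protection_rules"):
        warnings.append("no data protection rules: feature would be active with no protected columns")
    if not instance.get("tde_enabled"):
        warnings.append("TDE not enabled: disk-level protection is recommended")
    if instance.get("write_workload") and not instance.get("drivers_integrated"):
        warnings.append("write workload without the Alibaba Cloud drivers: writes to encrypted columns are stored as-is")
    return warnings

def encdb_state(describe_parameters_response):
    """Running vs configured loose_encdb from a DescribeParameters-style response
    (shape assumed: RunningParameters / ConfigParameters with DBInstanceParameter lists)."""
    def lookup(section):
        for p in describe_parameters_response.get(section, {}).get("DBInstanceParameter", []):
            if p.get("ParameterName") == PARAMETER_NAME:
                return p.get("ParameterValue")
        return None
    running, configured = lookup("RunningParameters"), lookup("ConfigParameters")
    return {"running": running, "configured": configured, "restart_pending": configured is not None and configured != running}
```

Run check_prerequisites and check_warnings before step 5, and encdb_state after the restart: a running value still OFF with a configured ON means the restart has not yet applied the change.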

What's next

After the feature is enabled, configure data protection rules to specify which columns to encrypt. See Manage data protection rules.

For an overview of the always-confidential database feature, see Overview and Benefits. To protect data at rest on disk alongside column-level encryption, see Configure TDE.
