
ApsaraDB RDS:Column encryption

Last Updated:Jun 27, 2025

The column encryption feature provided by Data Security Center (DSC) encrypts sensitive columns in ApsaraDB RDS for PostgreSQL so that the database stores and returns only ciphertext. Plaintext is available only to database accounts that are granted plaintext permission, or to clients that decrypt the returned ciphertext with a key held outside the database. This prevents anyone who reaches the data through cloud platform software or a database connection tool, whether an internal operator or an external attacker, from reading sensitive values directly: the column data stays usable by the application but unreadable inside the database.

Prerequisites

  • The instance runs RDS PostgreSQL 16 with a minor engine version of 20250228 or later.

  • The instance is located in one of the following regions:

    • The Chinese mainland

      • China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Guangzhou), China (Chengdu).

    • Outside the Chinese mainland

      • China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Germany (Frankfurt).

Feature introduction

The column encryption feature for RDS PostgreSQL is provided by Data Security Center (DSC). It encrypts selected sensitive columns with the AES-256-GCM algorithm using the local key encryption method: the key is held on the client side, so sensitive data is stored in the database only in encrypted form, and authorized users read plaintext through the column encryption JDBC driver, which decrypts the returned ciphertext with that local key. You can select, and later modify, the RDS PostgreSQL instances, databases, tables, and columns to be encrypted.

Preparations

Before enabling the column encryption feature, you need to complete the following steps in sequence: activate or upgrade DSC service, authorize DSC to access cloud resources, authorize database assets, connect to the database, and run sensitive data identification tasks.

1. Activate or upgrade DSC service

For new users who have never used Data Security Center, activate DSC service

After activating the DSC service and enabling the column encryption feature, you receive a free column encryption quota. If you need more encrypted columns, you can purchase additional capacity. The column encryption feature is only available to users of the Free Edition, Premium Edition, Enterprise Edition, and Value-added Service Only Edition of Data Security Center (DSC).

Edition                              Free quota (unit: columns)
Free Edition                         1
Enterprise Edition                   1
Value-added Service Only Edition     1

  1. Log on to your Alibaba Cloud account, and go to the Data Security Center buy page.

  2. Select an edition, and enable column encryption.

  3. Click Buy Now and complete the payment.

    You can view the feature specifications of your purchased edition on the Overview page.

For existing DSC users, check DSC edition and column encryption quota, and upgrade DSC service as needed

Check DSC edition and column encryption quota

You can log on to the Data Security Center console, and check the DSC version and column encryption quota on the Overview page:

  • DSC version: The column encryption feature is only available for users of the Free Edition, Enterprise Edition, and Value-added Service Only Edition.

  • Column encryption quota: Check if the column encryption quota meets your business requirements.

Upgrade DSC service

When your DSC edition is incompatible or the column encryption quota does not meet your business requirements, you can upgrade your DSC service to obtain more column encryption capacity.

Currently, only upgrades from Premium Edition to Enterprise Edition are supported, or flexible module capability upgrades within the same edition (such as increasing the number of columns supported for column encryption). Other editions do not support upgrades. You can change editions using the following methods:

  • Free Edition: You can purchase a paid version (such as Enterprise Edition, or Value-added Service Only Edition) while retaining your Free Edition resources.

  • Enterprise Edition or Value-added Service Only Edition: You need to request a refund and then purchase another edition. The original instance and its data are released when you do so.

  • Instance configuration upgrades do not support modifying the subscription duration, meaning the remaining service period of the current instance remains unchanged.

  1. Log on to the Data Security Center console.

  2. On the Overview page, click Upgrade.

  3. Upgrade the specification of the current version.

    The upgrade page shows your current specifications. Upgrade this edition either by enabling new features such as Data Detection and Response, Column Encryption, and Log Storage, or by increasing protection and encryption quotas.

  4. Click Buy Now and complete the payment.

    You can view the updated feature specifications on the Overview page.

2. Authorize DSC to access cloud resources

After authorization is complete, the DSC instance can access resources of cloud services such as OSS, RDS, and MaxCompute.

  1. Log on to the Data Security Center console.

  2. In the RAM Authorization dialog box, click Authorize Now.

    Note

    If the RAM Authorization dialog box does not appear, it indicates that you have already authorized DSC to access cloud resources.

3. Authorize database assets

Before using DSC to detect sensitive data in cloud products (including RDS, PolarDB, etc.) or audit database activities, you need to complete asset instance authorization first.

  1. Log on to the Data Security Center console. In the left-side navigation pane, choose Asset Center.

  2. In the Authorization Management tab, click Asset Authorization Management.

  3. In the left-side navigation pane of the Asset Authorization Management page, select the data type that you want to authorize, and click Asset synchronization.

    Note

    When new data assets are created, DSC automatically adds them to the unauthorized asset list. After you purchase a DSC instance, the cloud asset list synchronization task runs immediately on your first logon to the console, so you do not need to perform asset synchronization at that time. Afterwards, DSC scans for newly added data assets at 00:00 every day. To synchronize immediately, choose Asset Center > Authorization Management > Asset Authorization Management > Asset synchronization. Existing users need to perform this step manually.

  4. Click Actions in the Authorization column of the target asset.

    When you need to authorize multiple assets at once, select the target assets and click Batch Authorize.

4. Connect to the database and run sensitive data identification tasks

  1. Log on to the Data Security Center console, and choose Asset Center in the left-side navigation pane.

  2. On the Authorization Management tab, click Account Logon in the Actions column of the target asset instance.

  3. In the Account Logon panel, click Add Credential in the Actions column of the target database.

  4. In the Add Credential dialog box, select a credential, select or clear the Scan assets and identify sensitive data now check box, and then click OK.

    If you have not created a credential, you need to click the Create Credential tab in the Add Credential dialog box, configure the Credential Name, Username, Password, and Credential Type for the database login credential, and click OK.

    Important
    • If you select Scan assets and identify sensitive data now, DSC automatically creates and immediately executes a default identification task. The task reads data from the database, which degrades the read performance of the database. We recommend that you perform one-click connection operations during off-peak hours.

    • If you do not select Scan assets and identify sensitive data now, you can go to Classification and grading > Tasks in the navigation pane, and click Rescan in the Default Tasks list on the Identification Tasks tab to manually execute the system default task.

  5. Click the expand icon on the left side of the database instance to view the connection status and feature status of the database.

Enable column encryption

  1. Log on to the Data Security Center console. In the left-side navigation pane, choose Risk Governance > Column Encryption.

    Important

    The Encryption Check column must display Passed before you can enable and configure column encryption for the corresponding database. If it displays Failed, the database major version or minor engine version might not support the column encryption feature. For more information, see FAQ in this topic.

  2. Click Rapid Encryption above the database instance list to configure column encryption for all unencrypted columns.

    Alternatively, you can click Rapid Encryption in the Actions column of the target database instance to configure column encryption for the target database instance.

  3. In the Encryption Configuration panel, select the Asset Type, Instance name, Plaintext Permission Accounts, and the target Databases, Table, and Column for which you want to configure column encryption, and then click OK. Note the following:

    • RDS PostgreSQL only supports the AES-256-GCM encryption algorithm and local encryption method.

    • After the encryption configuration is complete, RDS PostgreSQL database accounts have Ciphertext Permission (JDBC Decryption) by default: they receive the ciphertext of encrypted columns, and can obtain the original plaintext only by decrypting it in client code with the local key, for example through the column encryption JDBC driver.

    • If you need to directly access plaintext data, you can add the corresponding database account in the Plaintext Permission Accounts section. This account will have plaintext permission and can directly access the plaintext data of encrypted columns.

      Important

      If you need to classify and grade the latest data in the database, the database account set as the credential (the database account used to connect DSC to the RDS PostgreSQL instance) must have plaintext permission.

Modify column encryption configuration

Modify the scope of encrypted columns

After enabling column encryption, you can individually enable or disable the column encryption feature for specific columns in the database instance based on your needs, modifying the scope of encrypted columns.

  1. Log on to the Data Security Center console. In the left-side navigation pane, choose Risk Governance > Column Encryption.

  2. In the instance list, expand the target instance. In the database list, find the target Databases, Table, and Column name. Click Enable Encryption or Disable Encryption to configure encryption for a single column.

Modify database account permissions

Except for accounts that are set to Plaintext Permission, all other accounts in the database instance have Ciphertext Permission (JDBC Decryption). Based on your business requirements, you can change an account's permission to Plaintext Permission or to Ciphertext Permission (JDBC Decryption).

  1. Log on to the Data Security Center console.

  2. On the Risk Governance > Column Encryption page, click Accounts in the Permission Settings section.

    You can also click Edit in the Actions column of the instance list, and then click Account Permissions next to Edit in the Configure panel.

  3. In the Permission Settings panel, search for the target instance and account to view the current account permissions.

    Note

    If a newly added database account is not displayed in the list, please complete Asset synchronization first and then check again.

  4. Click Modify Permissions in the Actions column of the target account.

    You can also select multiple accounts with the same permissions and click Batch Modify Permissions at the bottom of the list.

  5. In the Modify Permissions dialog box, select the target permission and click OK.

Verify column encryption results

After you configure column encryption and database account permissions, verify the result by reading the encrypted column with one account of each permission type.

  1. Connect an RDS PostgreSQL 16 database instance to DSC, complete sensitive data classification and grading, and enable column encryption for a specific column in the RDS instance (this example uses the birth_date column in the students01 table). At the same time, set one database account in the RDS instance to Plaintext Permission and keep another account with Ciphertext Permission (JDBC Decryption).

  2. Log on to the database by using Data Management Service (DMS) with the account that has Ciphertext Permission (JDBC Decryption). Execute SELECT * FROM students01; to view the table. The encrypted column is returned as ciphertext.

  3. Log on to the database by using Data Management Service (DMS) with the account that has Plaintext Permission. Execute SELECT * FROM students01; to view the table. The encrypted column is returned as plaintext.

Client instructions

If your database account has Ciphertext Permission (JDBC Decryption), you can use the column encryption driver (JDBC) to access the target RDS database and read encrypted column data from Java applications. The driver decrypts the ciphertext with the local key on the client and returns plaintext, so the process is transparent to the application; the key stays with the client and is never sent to the database. For more information, see Column encryption driver (JDBC).
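To make concrete what "AES-256-GCM with a local key" and the driver's transparent decryption mean in practice, the following Go program is an added illustration written for this page. It is not the DSC column encryption driver or any Alibaba Cloud code: the stored-value layout (base64 of nonce, ciphertext and tag), the binding of each ciphertext to its table and column via GCM associated data, and the students01.birth_date sample row are assumptions of the example, not the format DSC uses. EncryptCell produces what an account with Ciphertext Permission sees; DecryptCell is the client-side step the JDBC driver performs for you.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// ColumnKey is the 256-bit "local key". In this example it lives only in the
// application process; the database never receives it, so it can only store
// and return ciphertext.
type ColumnKey [32]byte

// associatedData binds a ciphertext to the table and column it was written
// for (an assumption of this example). GCM authenticates it, so a value copied
// from one encrypted column into another fails to decrypt instead of silently
// yielding an unrelated plaintext.
func associatedData(table, column string) []byte {
	return []byte(table + "." + column)
}

func newGCM(key ColumnKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptCell returns the value that would be stored in the encrypted column:
// a fresh random 96-bit nonce, the GCM ciphertext and the 128-bit tag,
// base64-encoded so it fits a text column. This is what a Ciphertext
// Permission account gets back from SELECT.
func EncryptCell(key ColumnKey, table, column, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nil, nonce, []byte(plaintext), associatedData(table, column))
	return base64.StdEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// DecryptCell is the client-side decryption step: it recovers the plaintext,
// or fails if the key, the nonce/tag, or the table/column binding does not match.
func DecryptCell(key ColumnKey, table, column, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("stored value too short to be a valid ciphertext")
	}
	nonce, sealed := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, sealed, associatedData(table, column))
	if err != nil {
		return "", fmt.Errorf("decrypt %s.%s: %w", table, column, err)
	}
	return string(plain), nil
}

func main() {
	// Demo key generated on the client; a real deployment loads it from a
	// client-side key store. It is never sent to the database.
	var key ColumnKey
	if _, err := rand.Read(key[:]); err != nil {
		panic(err)
	}

	// Constructed sample value for the students01.birth_date example column.
	stored, err := EncryptCell(key, "students01", "birth_date", "1998-04-12")
	if err != nil {
		panic(err)
	}
	fmt.Println("ciphertext-permission account sees:", stored)

	plain, err := DecryptCell(key, "students01", "birth_date", stored)
	if err != nil {
		panic(err)
	}
	fmt.Println("client holding the local key sees:", plain)

	// The same ciphertext moved into a different column is rejected.
	if _, err := DecryptCell(key, "students01", "id_number", stored); err != nil {
		fmt.Println("cross-column reuse rejected:", err)
	}
}
```

Two details worth noting: the nonce is random per cell, so two rows with the same birth date do not produce equal ciphertexts, and the associated data means an attacker who can write to the table but does not hold the key cannot move a ciphertext from one column to another and have it decrypt as a valid value.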

FAQ

What do I do if the RDS instance fails the encryption check?

Failed is displayed in the Encryption Check column if the authorized RDS PostgreSQL instance is not running PostgreSQL 16, if its minor engine version is earlier than 20250228, or if it is a read-only instance.

  • Database version not supported

    If you confirm that the target RDS database needs column encryption configuration, you can visit the RDS instance list, find the target instance, and upgrade the database version. For more information, see Upgrade the major engine version.

  • Minor engine version not supported

    If you confirm that the target RDS database needs column encryption configuration, you can click Update Minor Engine Version, select Latest Version and Update Time, and then click OK to update the minor engine version. For more information, see Update the minor engine version. Column encryption can be enabled for the RDS instance only after the minor engine version of the instance is updated.

  • Read-only instance

    When a read-only RDS instance is being created, the system replicates data from the secondary RDS instance to the read-only RDS instance. After the read-only RDS instance is created, the instance has the same data as the primary RDS instance. If the data on the primary RDS instance is updated, the system immediately synchronizes the updates to all read-only RDS instances that are attached to the primary RDS instance. We recommend that you enable the column encryption feature for the primary RDS instance.

After the version is upgraded, go to the DSC console to synchronize the latest instance information.

  1. In the left-side navigation pane, choose Asset Center, and then on the Authorization Management tab, click Asset Authorization Management.

  2. In the left-side navigation pane of the Asset Authorization Management panel, click the type of the required instance.

  3. In the Asset Authorization Management panel, click Asset Synchronization.