ApsaraDB RDS:Define sensitive data

Encrypted data types

Always confidential database introduces three encrypted data types that map directly to their plaintext counterparts:

For the full list of supported data types and SQL operators, see Supported capabilities.

Define sensitive columns in a new table

Identify which columns contain sensitive data based on your business requirements, then assign the appropriate encrypted type to each of those columns in your CREATE TABLE statement.

The following example starts with a regular table schema:

CREATE TABLE example (
  account integer,      -- Primary key; plaintext INTEGER
  name text,            -- Plaintext TEXT
  balance real,         -- Account balance; plaintext REAL
  credit real,          -- Credit line; plaintext REAL
  quota real,           -- Plaintext column (not sensitive)
  address text,         -- Plaintext TEXT
  remark text,          -- Remarks (not sensitive)
  PRIMARY KEY (account)
);

In this schema, account, name, balance, credit, and address are sensitive fields. quota and remark are not sensitive and remain in plaintext. After applying encrypted types to the sensitive columns:

CREATE TABLE example (
  account enc_int4,     -- Primary key; sensitive INTEGER
  name enc_text,        -- Sensitive TEXT
  balance enc_float4,   -- Account balance; sensitive REAL
  credit enc_float4,    -- Credit line; sensitive REAL
  quota real,           -- Plaintext column (not sensitive)
  address enc_text,     -- Sensitive TEXT
  remark text,          -- Remarks (not sensitive)
  PRIMARY KEY (account)
);

Convert existing columns to sensitive data

To convert plaintext columns in an existing table to ciphertext, run an ALTER TABLE statement. For step-by-step instructions, see Convert data between plaintext and ciphertext.

What's next

After defining sensitive data types in your schema, connect to the RDS instance from your client using Always confidential database. For instructions, see Use the Always confidential database feature from a client.