Enable the always-confidential database feature on PostgreSQL instances - ApsaraDB RDS

The always-confidential database feature encrypts sensitive data columns in your ApsaraDB RDS for PostgreSQL instance. This prevents unauthorized users from accessing the plaintext of the protected data columns by using software and tools in the cloud platform, while ensuring that the sensitive data columns remain available but invisible to database users. By default, the feature is integrated with ApsaraDB RDS for PostgreSQL, but you must complete the required configurations before you can use it. Enable the feature by installing the EncDB extension on each database you want to protect.

Supported instance types

The feature is supported on all standard RDS instances. Two editions are available:

Edition	Instance family
Basic edition	All instance types except Intel SGX-based security-enhanced
Hardware-enhanced edition (Intel SGX-based)	Intel SGX-based security-enhanced instance types

For a detailed comparison of security levels, see Security levels provided by the always-confidential database feature.

Note

Serverless RDS instances and YiTian RDS instances are not supported.

Intel SGX-based security-enhanced instance types

The hardware-enhanced edition requires an Intel SGX-based instance. These are available in the following regions and zones:

Region	Zone
China (Hangzhou)	Hangzhou Zone K
China (Shanghai)	Shanghai Zone B and Shanghai Zone L
China (Beijing)	Beijing Zone I and Beijing Zone K
China (Hong Kong)	Hong Kong Zone B and Hong Kong Zone D

The following instance types are available under the Intel SGX-based security-enhanced instance family (RDS High-availability Edition):

Instance type	CPU cores / Memory	Encrypted memory	Max connections	Storage capacity
pg.x4t.medium.2c	2 cores, 8 GB	4 GB	400	PL1 ESSD: 20 GB–64,000 GB; PL2 ESSD: 500 GB–64,000 GB; PL3 ESSD: 1,500 GB–64,000 GB; General ESSD: 10 GB–64,000 GB
pg.x4t.large.2c	4 cores, 16 GB	8 GB	800	Same as above
pg.x4t.xlarge.2c	8 cores, 32 GB	16 GB	1,600	Same as above
pg.x4t.2xlarge.2c	16 cores, 64 GB	32 GB	3,200	Same as above
pg.x4t.4xlarge.2c	32 cores, 128 GB	64 GB	6,400	Same as above

For the full list of instance types, see Primary ApsaraDB RDS for PostgreSQL instance types. For IOPS values by instance type, see IOPS.

Prerequisites

Before you begin, make sure you have:

An ApsaraDB RDS for PostgreSQL instance created and running. See Create an ApsaraDB RDS for PostgreSQL instance
A privileged account on the instance. See Create an account
(Basic edition only) A minor engine version of 20230830 or later

Enable the always-confidential database feature

Create a database on your RDS instance. See Create a database.
Connect to the database using your privileged account. See Connect to an ApsaraDB RDS for PostgreSQL instance.
Install the EncDB extension:
```
-- Install the EncDB extension.
CREATE EXTENSION encdb;
```
The always-confidential database feature is now enabled on this database.

What's next

Before using the feature, define which columns to protect based on your business requirements. See Define sensitive data.