Configure column encryption for RDS or PolarDB databases - Data Security Center

Data Security Center (DSC) lets you configure column encryption for various database types, such as RDS for MySQL, RDS for PostgreSQL, PolarDB for MySQL, PolarDB for PostgreSQL, PolarDB for PostgreSQL (Compatible with Oracle), and PolarDB-X 2.0. This feature ensures that data in sensitive columns is stored in an encrypted format. Authorized users can then use an always-confidential client to decrypt and access the plaintext data.

Important

The column encryption feature is available only in the Free, Premium, Enterprise, 7-day Trial, and Value-added Service Only editions of Data Security Center.
When you use a client to query encrypted fields with SQL, the original data type of the field is ignored. The data is always returned in string format. Configure column encryption with caution.

Prerequisites

You have purchased Data Security Center and have a sufficient column encryption authorization quota. If you have not enabled the column encryption feature or your quota is insufficient, you can upgrade your edition.
Ensure that the column encryption feature is supported in the region where your instance is located. For more information, see Supported Regions.

Database encryption limits

Supported database type	Supported versions	Supported encryption algorithms	Supported encryption methods	Supported permissions
RDS for MySQL	Major version is MySQL 5.7 or MySQL 8.0, and the minor engine version is 20240731 or later.	AES_128_GCM. AES_256_GCM: Supported only when the minor engine version is 20241231 or later. SM4_128_GCM: Supported only when the minor engine version is 20241231 or later. Note Only AES_128_GCM is supported in regions outside the Chinese mainland.	Local key. KMS key: Supported only when the minor engine version is 20241231 or later and the storage class is disk.	Ciphertext permission (no decryption permission): Supported only for local keys. This is the default permission. Ciphertext permission (JDBC decryption): Default permission when using a KMS key. Plaintext permission.
RDS for PostgreSQL	Major version is PostgreSQL 16, and the minor engine version must be 20241230 or later.	AES_256_GCM.	Local key.	Ciphertext permission (JDBC decryption) (Default permission). Plaintext permission.
PolarDB for MySQL	Major version is MySQL 5.7 or MySQL 8.0, and the database proxy version must be 2.8.36 or later. Important If you set a column encryption policy for a PolarDB for MySQL database, you must use the database proxy endpoint (read/write splitting mode) to connect to the database. If you use the primary endpoint, the column encryption policy does not take effect. For more information, see Configure a database proxy and Manage endpoints.	AES_128_GCM.	Local key.
PolarDB for PostgreSQL	Major version is PostgreSQL 14, and the database version is 2.0.14.15.31.0 or later.	AES_256_GCM.	Local key.
PolarDB for PostgreSQL (Compatible with Oracle)	Only Oracle syntax compatibility 2.0 is supported. The major version is PostgreSQL 14, and the database version is 2.0.14.15.31.0 or later.	AES-256-GCM.	Local key.
PolarDB-X 2.0	Database version is polardb-2.5.0_5.4.20-20250714_xcluster8.4.20-20250703 or later.	AES-128-GCM. SM4-128-GCM.	Local key.

Procedure

When you log on to the DSC console for the first time after activating your instance, you must complete the following steps to use the column encryption feature: Authorize DSC to access cloud resources, synchronize database assets, execute a sensitive data detection task, and enable the column encryption feature.

Step 1: Grant DSC permissions to access cloud resources

After you complete the authorization, the DSC instance can access resources from cloud services such as OSS, RDS, and MaxCompute.

Log on to the Data Security Center console.
In the RAM Authorization dialog box, click Authorize Now.

Step 2: Sync database assets

Before you can use DSC to detect sensitive data in cloud products such as RDS and PolarDB or to audit database activities, you must first synchronize your assets.

In the navigation pane on the left, choose Asset Center.
On the Asset Center page, click Asset synchronization.
Note
After you purchase a DSC instance, a cloud asset list sync task runs automatically the first time you log on to the console. No manual operation is required. DSC automatically scans and syncs the asset list at midnight every day.

Step 3: Enable data classification

To enable the column encryption feature, you must first authorize a database connection and complete a data detection task. DSC supports Connect and Account Logon.

Note

You can select a connection method based on the supported database types and your data security needs.

If your database type supports one-click connection and you do not need to use the database as a destination database for a data masking task, use the one-click connection method.
If you want to use the database as a destination database for a data masking task, you must use the username and password connection method and connect to the database with an account that has read and write permissions.

Data asset types supported by one-click connection and username and password connection

Connection type

Description

Supported data asset types

One-click connection

Connect to the database with a single click in the console.

During the connection process, DSC automatically creates a read-only account in the target data asset. The account name starts with sddp_auto. DSC uses this account to connect to the target database for data detection tasks. Because this account has only read-only permissions, a database authorized using the one-click connection method cannot be the destination database for data masking tasks.

RDS:
- MySQL
- SQL Server (not supported for read-only instances)
- MariaDB (not supported for read-only instances)
PolarDB:
- MySQL
PolarDB-X 1.0 (DRDS)
PolarDB-X 2.0 (not supported for read-only instances)
OSS
TableStore
MaxCompute
SLS

Credential-based connection

Connect to the database by manually entering the database account and password.

If you connect to the database using a read-only account, you can perform sensitive data detection, data masking, and audit tasks on the database. However, the database cannot be the destination database for data masking tasks.
If you connect to the database using an account that has read and write permissions, the database can be the destination database for data masking tasks to store masked data.

Structured data:
RDS, PolarDB, PolarDB-X (formerly DRDS), PolarDB-X 2.0, MongoDB, OceanBase, and self-managed databases
Big data:
AnalyticDB for MySQL and AnalyticDB for PostgreSQL (also known as AnalyticDB for PG)

In the navigation pane on the left, choose Asset Center.
In the Structured Data area on the left, click the data type for which you want to configure column encryption.
Click in the Classification and Grading column of the target asset instance.
Note
Make sure that a database is created for the database instance and that the Instance Status is Running. If a database is not created, you cannot enable the data classification feature or create detection tasks.

In the Enable Classification and Grading dialog box, configure the parameters.

Configuration Item	Description
Activation Method	Configure the account information that is used to connect to the database for data detection. Two methods are supported: Automatically create database accounts : DSC automatically creates a read-only account that starts with the `sddp_auto` prefix in the target data asset. DSC uses this account to connect to the target database and perform data detection tasks. Note This method is available only for data types that support one-click enablement. Manually enter username and password: Enter the account and password that you use to connect to the database.
Authorization Scope	The authorization scope for data detection. Entire data source. Manage authorization scope in the data source list: Select the desired authorization scope.
Automatically create and start a default scan task	If you select this option, DSC automatically creates a default scan task after the database is successfully connected. On the Classification and Grading > Tasks > Identification Tasks tab, you can click Default Tasks to view the execution status of the scan task. For more information, see Scan for sensitive data using a detection task.
Automatically connect to new databases.	If you select this option, DSC automatically connects to new databases that are detected in your database instance after a manual or automatic asset sync.

After you complete the configuration, click OK.

Step 4: View information about the database to be encrypted

After the data detection task is complete, you can view information about the database instances that were successfully added to DSC, such as the total number of columns, column encryption status, and database account information.

In the navigation pane on the left, choose Risk Governance > Column Encryption.

You can view the following information on the Column Encryption page. You can use the search component above the database list to search for a database instance based on criteria such as Asset Type, encryption status (encrypted columns, unencrypted columns, or encryption failed), and sensitivity level.

Sensitivity level descriptions

Sensitivity level	Description
N/A	No sensitive information included in the current identification template is detected.
S1	Non-sensitive data. In most cases, the disclosure of this type of data does not cause harm. Examples: provinces, cities, and product names.
S2	Moderately sensitive data. This type of data is not suitable for disclosure. The disclosure of this type of data causes low-level harm. Examples: names and addresses.
S3	Highly sensitive data. This type of data has a high sensitivity level. The disclosure of a small amount of this type of data causes serious harm. Examples: identity documents, account passwords, and database information.
S4	Core confidential data. This type of data must not be disclosed under any circumstances. Examples: genes, fingerprints, and iris information.

Page information	Description
Columns	The total number of columns in the tables of database instances that are successfully connected to DSC.
Sensitive Data (S3 and Higher)	Columns with a sensitivity level of S3 or higher in the data detection results. This includes information about sensitive columns, encrypted columns, unencrypted columns, and columns that failed to be encrypted.
Accounts	Total Accounts: Each account in each database is counted as one database account. For example, if database A and database B both have an account named C, the database account count is two. Accounts For Which No Encryption Configured: When no columns in the database are encrypted, the account permission is Accounts For Which No Encryption Configured. Plaintext Permissions or Ciphertext Permission count: When you enable column encryption for a database, you can set the permissions for a database account to access encrypted column data. You can click any number in the statistics items above or click Permission Settings, and in the Permission Settings panel, you can search for and view all account information for the target database instance to confirm that different access permissions are set for different database accounts.
List information	Displays information such as the DSC Instance name, Asset Type, Region, Encryption Algorithm, Plaintext Permission Accounts, and Encryption Check. You can configure column encryption only for instances where the encryption check is Passed. The Encryption Check result is Failed. If the database version is incompatible, click Upgrade in the Encryption Check column to go to the corresponding upgrade page in the RDS or PolarDB console and upgrade the database version. For more information, see FAQ about check failures. After you complete a version upgrade or status update, you need to complete the Asset synchronization operation in the DSC console to sync the latest database information. In the navigation pane on the left, select Asset Center, and then on the Authorization Management tab, click Asset Authorization Management. On the Asset Authorization Management panel, in the left-side product name navigation bar, click the target instance type (RDS or PolarDB), and then click Asset synchronization.

Step 5: Configure column encryption

After you confirm the information of the target database instance and the Encryption Check status is Passed, you can configure column encryption.

Enable one-click encryption

Before you enable one-click encryption for a database, the encryption algorithm and method are not configured, and you cannot enable encryption for individual columns.

DSC provides three methods to enable column encryption.
- Click Rapid Encryption above the database instance list to configure column encryption for all unencrypted columns.
- In the Actions column of the target database instance, click Rapid Encryption to configure column encryption.
- On the Asset Center page, click in the Column Encryption column of the target database instance.
In the Encryption Configuration panel, select the Asset Type, Instance name, Encryption Algorithm, Encryption Method, and Plaintext Permission Accounts. Then, select the target Databases, Table, and Column for encryption and click OK.
Note the following parameter descriptions:
- Encryption Method
  If you set Encryption Method to KMS Key, you must first create a symmetric key in Key Management Service (KMS).
  Important
  After you configure column encryption, if you change the encryption method, DSC restarts the encryption task. During the restart, data in the originally encrypted columns is stored in plaintext, which creates a security risk of data exposure. To avoid affecting data security, choose a definitive encryption method.
- Plaintext Permission Accounts
  After you configure encryption, all accounts for the database have ciphertext permission by default.
  - By default, database accounts for PolarDB for MySQL, PolarDB for PostgreSQL, PolarDB for PostgreSQL (Compatible with Oracle), RDS for PostgreSQL, and PolarDB-X 2.0 have Ciphertext Permission (JDBC Decryption). These accounts access ciphertext by default and can access plaintext data only after the data is decrypted by an always-confidential client.
  - If the Encryption Method for an RDS for MySQL database is set to KMS Key, the database account has Ciphertext Permission (JDBC Decryption) by default.
  - If the Encryption Method for an RDS for MySQL database is set to Local Key, the database account has Ciphertext Permission (No Decryption Permission) by default and can only access ciphertext data.
  You can add accounts to an allowlist to grant them plaintext permission, which allows them to directly access the plaintext of encrypted columns.
  Important
  When you authorize a database connection to DSC, a database account is used. If you use the one-click connection method, a database account with the prefix sddp_auto is automatically created. If you use the username and password connection method, you must provide a database account. This database account allows DSC to read database data for sensitive data classification scans. Therefore, to ensure that DSC can continue to classify the latest data in the database, you must grant this database account plaintext permission.

Other operations

Modify database account permissions

Except for accounts that are granted Plaintext Permissions, all other accounts in the database instance have ciphertext permission. You can modify the account permissions to Plaintext Permissions, Ciphertext Permission (No Decryption Permission), or Ciphertext Permission (JDBC Decryption) based on your business scenario.

On the Risk Governance > Column Encryption page, click Permission Settings in the Accounts area.
Alternatively, you can click Edit in the Actions column of the instance list. In the Edit panel, click Configure next to Account Permissions.
In the Permission Settings panel, search for the target instance and account to view their current permissions.
Note
If a new database account is not displayed in the list, perform an Asset synchronization and then check again.
Click Modify Permissions in the Actions column for the target account.
You can also select multiple target accounts that have the same permissions and click Batch Modify Permissions at the bottom of the list.
In the Modify Permission dialog box, select the target permission and click OK.

Modify encrypted column configuration

After you configure encryption, you can perform the following operations:

In the instance list, expand the target instance. In the database list, find the target Databases, Table, and Column, and click Enable Encryption or Disable Encryption to configure encryption for a single column.
In the Actions column of the instance list, click Edit. Then, in the Edit panel, you can modify the encryption algorithm, encryption method, and the scope of encrypted columns.
- Click Modify next to Encryption Algorithm or Encryption Method to update the algorithm or method.
  Important
  Changing the encryption method restarts the encryption task. During the restart, data in the originally encrypted columns is stored in plaintext, which creates a security risk of data exposure. Proceed with caution.
- In the list of databases for which you can configure encrypted columns, find the target Databases, Table, and Column. Click Enable Encryption or Disable Encryption to update the scope of encrypted columns.

MySQL column encryption example

You can verify access to encrypted column data based on the configured column encryption and database account permissions. The column encryption configuration is effective if an account with ciphertext permission accesses an encrypted column and receives ciphertext.

Note

RDS for PostgreSQL database accounts support only Plaintext Permission and Ciphertext Permission (JDBC decryption). The method to verify encrypted column data is the same as that for RDS for MySQL. The following section uses RDS for MySQL as an example to show how to verify access to encrypted column data in an RDS database.

RDS for MySQL database column encryption example

Prerequisites

A database instance of RDS for MySQL 8.0 is connected to DSC, and sensitive data classification is complete. The scan result is shown in the following figure.

Configure column encryption

Follow the procedure in Enable one-click encryption to configure column encryption for the database instance:

Enable encryption for the phone number column (phone) in the users data table.
Set the following access permissions for the database accounts.

Use database accounts to access encrypted column data

Use an account with Plaintext Permissions to log on to the database. For more information, see Log on to an RDS database using DMS.
Execute a SELECT statement to view the data table. The encrypted column returns plaintext.
Switch to the account with Ciphertext Permission (No Decryption Permission) and log on to the database. Execute a SELECT statement to view the data table. The encrypted column returns ciphertext.
Log on to the database using the account with Ciphertext Permission (JDBC Decryption) and execute a SELECT statement to view the data table. The encrypted column returns ciphertext.

PolarDB for MySQL database column encryption example

Prerequisites

A database cluster of PolarDB for MySQL 5.7 is connected to DSC, and sensitive data classification is complete. The scan result is shown in the following figure.

Configure column encryption

Follow the procedure in Enable one-click encryption to configure column encryption for the database instance:

Enable encryption for the password column (password) in the user3 data table.
Set the following access permissions for the database accounts.

Use database accounts to access encrypted column data

Because DMS connects to a PolarDB for MySQL cluster using the primary endpoint, the column encryption policy does not take effect. This example uses the command line to connect to the PolarDB for MySQL cluster through the database proxy endpoint to verify the column encryption result.

Install a version of MySQL on your server that is compatible with your operating system.
Connect to the database cluster using the following command.
```
mysql -h<endpoint> -P<port> -u<username> -p<password>
```
- Endpoint and Port: Use the cluster endpoint and make sure that your server can access the endpoint. For more information, see Configure a database proxy and Manage endpoints.
- Username and password: This example uses the database accounts and passwords that have Plaintext Permission and Ciphertext Permission (JDBC decryption).
Example connection commands:
- Use an account with plaintext permission: mysql -hpc-bp1fd7********v6f.rwlb.rds.aliyuncs.com -P3306 -usddp_polardb -pH********4
- Use an account with Ciphertext Permission (JDBC decryption): mysql -hpc-bp1fd7********v6f.rwlb.rds.aliyuncs.com -P3306 -usddp_03 -pP********3
Execute the following commands to view the data table.
1. Use the use <database_name>; command to enter the target database. In this example, the sddp_test database is selected.
```
use sddp_test;
```
2. Execute a SELECT statement to view the data table.
```
SELECT * FROM user3 LIMIT 0, 3;
```
Example results:
- For an account with plaintext permission, the encrypted column returns plaintext.
- For an account with Ciphertext Permission (JDBC decryption), the encrypted column returns ciphertext.

Access plaintext of encrypted columns after decryption by a client

To use a client to access the plaintext of encrypted database columns, you can use an account with Ciphertext Permission (JDBC Decryption) to decrypt and access the data using an always-confidential client for Java or Go.

Programming language	Supported database types	References
Java	RDS for MySQL RDS for PostgreSQL PolarDB for MySQL PolarDB for PostgreSQL PolarDB for PostgreSQL (Compatible with Oracle) PolarDB-X 2.0	Integrate EncJDBC (Supports decryption using local keys and KMS keys)
Go	RDS for MySQL PolarDB for MySQL PolarDB-X 2.0	Integrate the Go driver (Supports decryption using local keys only)

FAQ for check failures

The RDS or PolarDB database version is not supported
Click Go To Upgrade in the Encryption Check column. You are redirected to the corresponding upgrade page in the RDS or PolarDB console to upgrade the database version.
Unsupported RDS minor engine version or PolarDB database proxy version
If the RDS database instance is a read-only instance
When a read-only instance is created, data is replicated from the primary instance to ensure data consistency. Updates to the primary instance are automatically synchronized to all read-only instances. Therefore, you can configure column encryption on the primary instance.
The database instance status is not Running
You cannot configure column encryption for database instances that are paused or under maintenance. You can start the instance or wait for the maintenance to complete. After you confirm that the database instance status is Running, you can configure column encryption.

References

For more information about the features and principles of database column encryption, see Column Encryption Overview.
For detailed instructions on database authorization and connection, see General Database Authorization.
To learn how to view and correct sensitive data detection results, see Scan for sensitive data using a detection task.
If data in sensitive database columns changes after authorization, you must perform a rescan. For more information, see Scan for sensitive data using a detection task.