This topic describes the PolarDB Always Encrypted feature provided by PolarProxy in PolarDB.
Prerequisites
The PolarProxy version in PolarDB is 2.8.36 or later. For information about how to view or update the version of your PolarProxy, see Minor version updates.
Background information
Regulatory requirements and industry standards now necessitate robust security measures that span the entire lifecycle of data. Traditional third-party security hardening and client-based encryption no longer suffice because of their deficiencies in cost, architecture adaptation, and database performance. In this context, databases that support end-to-end encryption are gaining popularity across the industry. PolarDB provides PolarDB Always Encrypted as its answer to these requirements.
This feature can best deliver its advantages in the following scenarios:
Storing your data in untrusted environments: These scenarios include storing your data on the cloud or in on-premises data centers of your customers, which may lead to unauthorized access by the cloud service provider and the O&M personnel of your organization and your customers.
Using data management services by third-party providers: This may expose your business secrets to the service providers. This is especially risky if your data includes sensitive data such as personal identification information and genetic data.
Sharing your data with other organizations: These scenarios include collaborative risk management and international service provision, where organizations involved are restricted by data compliance requirements and cannot share plaintext data directly. They also include the scenarios where you conduct marketing with other companies and want to protect your data due to the competitive relationships.
Features
All SQL operators are supported. You can adapt your application to this feature without modifying its business code: only slight configuration changes are needed to switch the application to EncJDBC. For more information, see Integrate EncJDBC.
An SDK is provided so that your application can use this feature through API operations. For more information, see Integrate the EncDB SDK.
Query results are encrypted, ensuring the security of your database accounts and business data. You can configure rules to encrypt only specific data. When PolarDB Always Encrypted queries the specified data, it performs encryption by using your custom master key (CMK), so that the data is only visible to users who have the key. This way, even in the case of database account leakage, the intruder cannot view the data in query results. Even the development and O&M personnel of your database cannot obtain the query results in plaintext.
You can specify the CMK that is used to encrypt data. You can use a proprietary or third-party key management service and dynamically pass the key to the database client. Keys are available only to authorized users: they are delivered to queries through a secure distribution mechanism and are automatically revoked after use, which prevents them from being stolen.
Performance deteriorates only slightly when PolarDB Always Encrypted is enabled. Data processing performance with PolarDB Always Encrypted enabled decreases as the number of encrypted columns increases: the more encrypted data a query involves, the lower the performance. In the TPC-C tests, when 20%, 50%, and 100% of the columns are encrypted, the performance is respectively 93%, 86%, and 79% of the performance when PolarDB Always Encrypted is not enabled. For more information about the results of performance tests, see Performance test.
Scenarios
We developed PolarDB Always Encrypted in a bid to deliver the next-generation database framework and products that come with the capabilities to ensure data confidentiality and integrity. With an optimal design, the database can provide security capabilities while ensuring high performance, stability, and cost-efficiency.
The following are several typical scenarios for PolarDB Always Encrypted:
Encrypting data to be transmitted from applications to databases
In most cases, application providers are the owners of data, who commonly want to prevent the database service and its O&M personnel from accessing the business data.
Encrypting data to be transmitted from users to applications
In some applications for personal use, part of the data, such as health and financial data, is owned by the users, who commonly expect the application not to be able to access the data in plaintext when managing and analyzing it.
Sharing encrypted data in a secure and reliable manner
The key used for encryption is available only to the data owners. When the data owners need to share data with others, they want to do it without exposing the keys, thereby meeting compliance requirements.
Limitations
The encryption rules do not take effect on primary endpoints. You need to use the cluster endpoint or a custom cluster endpoint.
The PolarDB Always Encrypted feature supports only COM_QUERY commands. Other command types such as COM_STMT_PREPARE are not supported.
EncJDBC supports only Text Protocol. Binary Protocol is not supported. Operations that leverage prepared statements are always completed through Text Protocol queries.
PolarDB Always Encrypted and dynamic masking cannot be enabled at the same time.
If dynamic masking rules exist, to enable PolarDB Always Encrypted, you need to delete all existing masking rules and create new rules whose type is encryption.
CMKs cannot be modified after they are specified. The entire cluster uses the same CMK.
If you bypass SecureGW and directly connect to the native MySQL kernel, the encryption feature does not take effect. We recommend that you avoid doing this. To minimize the impact of unauthorized access, we also recommend that you enable other security features like log auditing.
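The COM_QUERY limitation above means that a client that silently switches to the binary protocol (COM_STMT_PREPARE / COM_STMT_EXECUTE) is not covered by the encryption rules. The following added example, which is not PolarDB or PolarProxy code, parses a captured stream of MySQL client command packets by their standard wire-protocol command byte and reports which packets fall outside the COM_QUERY command type; the sample packets are constructed inline.

```python
import struct

# Command bytes from the standard MySQL client/server protocol.
COMMANDS = {
    0x01: "COM_QUIT",
    0x02: "COM_INIT_DB",
    0x03: "COM_QUERY",
    0x0E: "COM_PING",
    0x16: "COM_STMT_PREPARE",
    0x17: "COM_STMT_EXECUTE",
    0x19: "COM_STMT_CLOSE",
}

# Per the limitation above, only COM_QUERY is handled by Always Encrypted.
COVERED = {"COM_QUERY"}


def build_packet(command: int, body: bytes, seq: int = 0) -> bytes:
    """Build one MySQL packet: 3-byte LE payload length, 1-byte sequence id, payload."""
    payload = bytes([command]) + body
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def split_packets(stream: bytes):
    """Yield (sequence id, payload) for each packet in a concatenated byte stream."""
    off = 0
    while off + 4 <= len(stream):
        length = int.from_bytes(stream[off:off + 3], "little")
        payload = stream[off + 4:off + 4 + length]
        if len(payload) != length:
            raise ValueError(f"truncated packet at offset {off}")
        yield stream[off + 3], payload
        off += 4 + length


def audit_stream(stream: bytes):
    """Return [(command name, covered by Always Encrypted, payload preview), ...]."""
    report = []
    for _seq, payload in split_packets(stream):
        if not payload:
            continue
        name = COMMANDS.get(payload[0], f"UNKNOWN_0x{payload[0]:02x}")
        report.append((name, name in COVERED, payload[1:].decode("utf-8", "replace")))
    return report


# Constructed sample traffic: one text-protocol query, then a prepare/execute pair.
SAMPLE = (
    build_packet(0x03, b"SELECT name FROM patients WHERE id = 7")
    + build_packet(0x16, b"SELECT name FROM patients WHERE id = ?")
    + build_packet(0x17, b"\x01\x00\x00\x00\x00\x01\x00\x00\x00")  # stmt id 1, flags, iterations
)

if __name__ == "__main__":
    for name, covered, preview in audit_stream(SAMPLE):
        print(f"{name:18} covered={covered!s:5} {preview!r}")
```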
Usage
For more information, see Manage encryption rules.