If you want to protect specific data in your ApsaraDB RDS for MySQL instance, you can use the always-confidential feature of ApsaraDB RDS for MySQL. This feature provides an encryption solution that prevents unauthorized access to your data and ensures compliance with data protection regulations. This topic describes the benefits of the always-confidential feature that is provided by ApsaraDB RDS for MySQL to help you manage and protect sensitive data in an efficient manner.
Supports all SQL statements and adapts to your application without code modification
You can run a few commands to use the always-confidential feature without the need to modify existing code. If you use the feature, you do not need to perform additional encryption and decryption operations on the client.
The feature supports all SQL statements. You can execute SQL statements on your RDS instance for which the feature is enabled without the need to modify the SQL statements. For example, you can execute an SQL statement in plaintext to perform a fuzzy match.
The feature is compatible with existing RDS instances. You can enable the feature for an existing RDS instance. You can also perform a rollback.
The feature supports tools such as Data Transmission Service (DTS) and Data Management (DMS) to migrate workloads of your application without the need for code modification.
Returns all data in ciphertext after a data protection rule is enabled
You can configure a data protection rule based on your business requirements. In the rule, you can specify the data that you want to protect and a data protection method, such as encryption. For more information, see Manage data protection rules. This way, the RDS instance with the feature enabled automatically identifies the data that you want to protect during a query, processes the specified data based on the protection method specified for the data protection rule, and then returns the query result. All users, including database developers, O&M personnel, and third-party partners, cannot view the protected data in plaintext in the query result even if the relevant account credentials are leaked.
The feature determines whether to protect the results of various calculations that involve the protected data, such as addition, subtraction, aggregation, and JOIN operations based on the specified data protection rule and the security of the involved source data.
Encrypts data at table and column levels
The feature allows you to specify the data that you want to protect at table and column levels for a data protection rule.
For example, if you specify Column A as a protected column and use the encryption method to protect the column, the feature uses the key that you provide to automatically encrypt the data in Column A. After the encryption, only the users who have the key can decrypt the ciphertext and obtain the plaintext data of Column A.
Has minimal performance overhead
RDS instances with the feature enabled have as minimal performance overhead as RDS instances with the feature disabled.
The query performance of RDS instances with the feature enabled is inversely proportional to the size of the data that is encrypted. If the size of the encrypted data is large, the performance of the RDS instances decreases.
Allows you to specify a key and automatically destroys the key after the feature is disabled
You can use a trusted or third-party key management service to obtain a key and dynamically pass the key to EncJDBC by using parameter settings or other methods. EncJDBC is a MySQL JDBC for the always-confidential feature. For more information about how to use the feature from EncJDBC, see Use the always-confidential feature from EncJDBC.
The keys which are available only to data owners take effect in queries through a secure distribution mechanism and are automatically revoked after use, preventing the possibility of being stolen.
The keys can be updated and rotated.
Supports multiple connection methods from a client
You can use the feature from a client by using client drivers and SDKs in programming languages such as Java, Go, and Python.
A client driver automatically completes decryption without the need to modify the configurations of an application.
An SDK is provided to use the feature. You can call API operations to process ciphertext data in a flexible manner.
The data protection method that can be specified in a data protection rule is encryption.
The client supports decryption of ciphertext in query results, but does not support encryption in SQL statements.