The always-confidential feature encrypts the data columns that you want to protect in your ApsaraDB RDS for MySQL instance. This prevents unauthorized users from accessing the plaintext of the protected data columns by using software and tools on the cloud platform. This also ensures that the protected data columns are available but invisible to database users. This topic describes how to enable the always-confidential feature.
Prerequisites
Your RDS instance runs MySQL 5.7 or MySQL 8.0 with a minor engine version of 20240731 or later.
For more information, see Update the minor engine version.
Impacts
Enabling the always-confidential feature by itself does not affect the performance of your RDS instance. However, after you enable the feature, configure a data protection rule, and then perform operations on the data columns specified in that rule, the performance of the RDS instance may degrade.
If you want to use the always-confidential feature in a business in which data is not only read but also written, you must integrate the drivers provided by Alibaba Cloud into your application. Otherwise, encrypted data may be written to the database in a form that cannot be processed.
Usage notes
We recommend that you configure data protection rules before you use the always-confidential feature. For more information, see Manage data protection rules.
We recommend that you enable both the transparent data encryption (TDE) feature and the always-confidential feature. This helps protect data stored in disks in a more secure manner. For more information, see Configure TDE.
The account that you use to enable the always-confidential feature and configure data protection rules must be a privileged account.
Billing rules
N/A
Procedure
Create an RDS instance that meets the prerequisites. For more information, see Create an ApsaraDB RDS for MySQL instance, Instance types for standard primary ApsaraDB RDS for MySQL instances (original x86 architecture), and Instance types for economy primary ApsaraDB RDS for MySQL instances (original ARM architecture).
Note: If your existing RDS instance meets the prerequisites, skip this step.
Create a privileged account. For more information, see Create an account on an ApsaraDB RDS for MySQL instance.
Create a database. For more information, see Manage databases.
Log on to the ApsaraDB RDS console and go to the Instances page. In the top navigation bar, select the region in which your RDS instance resides. Then, find the RDS instance and click the ID of the RDS instance.
Enable the always-confidential feature.
Warning: If you enable the always-confidential feature, your RDS instance restarts. We recommend that you enable the feature during off-peak hours.
In the left-side navigation pane, click Parameters. On the Modifiable Parameters tab, search for the loose_encdb parameter and set this parameter to ON. In the upper-right corner, click Apply Changes, select the effective time, and then click OK.
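Because the loose_encdb parameter only takes effect after the restart described above, an operator usually wants to distinguish "configured ON" from "actually running ON" before relying on the feature. The following added example (not code from the Alibaba Cloud documentation) performs that check on a parsed DescribeParameters response. The response shape it expects (ConfigParameters and RunningParameters, each a list of ParameterName/ParameterValue pairs) is an assumption, and the sample response is constructed for illustration.

```python
"""Classify the state of the always-confidential parameter (loose_encdb)
on an ApsaraDB RDS for MySQL instance.

Added example, not part of the original documentation. It operates on a
parsed DescribeParameters response; the response layout assumed here
(ConfigParameters / RunningParameters -> DBInstanceParameter list of
{ParameterName, ParameterValue}) is an ASSUMPTION, and SAMPLE_RESPONSE
below is CONSTRUCTED, not captured from a real instance.
"""
import json

PARAM = "loose_encdb"

# Constructed sample: the parameter has been set to ON in the configuration,
# but the instance has not restarted yet, so the running value is still OFF.
SAMPLE_RESPONSE = json.loads("""
{
  "ConfigParameters": {"DBInstanceParameter": [
    {"ParameterName": "loose_encdb", "ParameterValue": "ON"}
  ]},
  "RunningParameters": {"DBInstanceParameter": [
    {"ParameterName": "loose_encdb", "ParameterValue": "OFF"}
  ]}
}
""")


def _lookup(section, name):
    """Return the value of parameter `name` in one response section, or None."""
    for param in section.get("DBInstanceParameter", []):
        if param.get("ParameterName") == name:
            return param.get("ParameterValue")
    return None


def encdb_status(response):
    """Return 'active', 'pending_restart', 'disabled' or 'unknown'.

    active          - running value is ON: the feature is in effect
    pending_restart - configured ON but running value differs: restart needed
    disabled        - parameter present but not ON anywhere
    unknown         - parameter not exposed at all (for example, a minor
                      engine version earlier than 20240731)
    """
    configured = _lookup(response.get("ConfigParameters", {}), PARAM)
    running = _lookup(response.get("RunningParameters", {}), PARAM)
    if running is not None and running.upper() == "ON":
        return "active"
    if configured is not None and configured.upper() == "ON":
        return "pending_restart"
    if configured is None and running is None:
        return "unknown"
    return "disabled"


if __name__ == "__main__":
    print(f"{PARAM}: {encdb_status(SAMPLE_RESPONSE)}")
```

Feed the function the JSON returned by DescribeParameters for your instance; a result of pending_restart means the restart from the Warning above has not happened yet, and protected columns are not yet being encrypted.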