The always-confidential database feature encrypts the data columns that you want to protect in your ApsaraDB RDS for MySQL instance. This prevents unauthorized users, including users of software and tools on the cloud platform, from accessing the plaintext of the protected columns. Database users see only ciphertext in the protected columns; the data is readable only after decryption. This topic describes how to enable the always-confidential database feature.
Prerequisites
Your RDS instance runs MySQL 5.7 or MySQL 8.0 with a minor engine version of 20240731 or later.
For more information, see Update the minor engine version.
Impacts
Enabling the always-confidential database feature has only a slight effect on the performance of your RDS instance. However, after the feature is enabled, operations on the data columns that are specified in a data protection rule may noticeably degrade the performance of the instance.
If your workload not only reads but also writes the protected data, you must integrate the drivers provided by Alibaba Cloud into your application. Otherwise, encrypted data may be written to the database and can no longer be operated on.
Usage notes
We recommend that you configure data protection rules before you use the always-confidential database feature. For more information, see Manage data protection rules.
We recommend that you also enable transparent data encryption (TDE), which encrypts the data at rest on disk and complements the column-level protection provided by this feature. For more information, see Configure TDE.
The account that you use to enable the always-confidential database feature and configure data protection rules must be a privileged account.
Billing rules
This feature is provided free of charge.
Procedure
Create an RDS instance that meets the prerequisites. For more information, see Create an ApsaraDB RDS for MySQL instance, Instance types for standard primary ApsaraDB RDS for MySQL instances (original x86 architecture), and Instance types for YiTian primary ApsaraDB RDS for MySQL instances (original ARM architecture).
Note: If your existing RDS instance meets the prerequisites, skip this step.
Create a privileged account. For more information, see Create an account on an ApsaraDB RDS for MySQL instance.
Create a database. For more information, see Manage databases.
Log on to the ApsaraDB RDS console and go to the Instances page. In the top navigation bar, select the region in which your RDS instance resides. Then, find the RDS instance and click the ID of the RDS instance.
Enable the always-confidential database feature.
Warning: If you enable the always-confidential database feature, your RDS instance restarts. We recommend that you enable the feature during off-peak hours.
In the left-side navigation pane, click Parameters. On the Modifiable Parameters tab, change the value of the loose_encdb parameter to ON. In the upper-right corner, click Apply Changes, select the effective time, and then click OK.
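After the instance has restarted, connect with the privileged account and confirm that the prerequisites are met and that the parameter change took effect before you configure data protection rules. The following checks are an added example and are not part of the original page or of Alibaba Cloud's own tooling; the variable names rds_release_date (minor engine version) and encdb (the variable that loose_encdb maps to) are assumptions about the instance, which is why the second query uses a wildcard.

```sql
-- Added example (not from the original page). Run as the privileged account
-- after the RDS instance has restarted with loose_encdb = ON.

-- 1. Engine version and minor engine version.
--    Assumption: ApsaraDB RDS for MySQL exposes the minor engine version as
--    rds_release_date; the value must be 20240731 or later, and VERSION()
--    must report 5.7.x or 8.0.x.
SELECT VERSION() AS engine_version;
SHOW VARIABLES LIKE 'rds_release_date';

-- 2. Feature switch. The loose_ prefix only tells mysqld not to fail if the
--    variable is unknown on this build; the variable itself is expected to be
--    named encdb. The wildcard keeps the check working if the name differs.
--    If nothing is returned, the parameter has not taken effect yet (for
--    example, the restart has not happened) or the minor version is too old.
SHOW VARIABLES LIKE '%encdb%';

-- 3. Confirm that the account used for enabling the feature and for managing
--    data protection rules is the privileged account, not a standard one.
SHOW GRANTS FOR CURRENT_USER();
```

If check 2 returns a variable whose value is not ON, re-apply the parameter change from the Parameters page and wait for the restart to complete before continuing with data protection rules.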