
ApsaraDB RDS:Enable the always-confidential database feature

Last Updated:Jan 22, 2025

The always-confidential database feature encrypts the sensitive data columns in your ApsaraDB RDS for PostgreSQL instance. This prevents unauthorized users, including those who use software and tools on the cloud platform, from reading the plaintext of the protected columns. The sensitive columns therefore remain usable by the application while staying invisible to database users. The always-confidential database feature is integrated with ApsaraDB RDS for PostgreSQL by default, but you must complete the required configuration before you can use it. This topic describes how to enable the feature for your RDS instance.

Supported instance types

The always-confidential database feature is supported for all standard RDS instances regardless of instance type. The feature is provided in two editions; which edition you get depends on whether the RDS instance uses an Intel SGX-based security-enhanced instance type.

| Edition | Instance family |
| --- | --- |
| Basic edition of the always-confidential database feature | Instance types other than the Intel SGX-based security-enhanced instance types |
| Hardware-enhanced edition of the always-confidential database feature (Intel SGX-based) | Intel SGX-based security-enhanced instance types |

The security levels of the always-confidential database feature vary based on the edition of the feature. For more information, see Security levels provided by the always-confidential database feature.

Note
  • To use the basic edition of the always-confidential database feature, make sure that the minor engine version of the RDS instance is 20230830 or later.

  • Serverless RDS instances are not supported.

  • YiTian RDS instances are not supported.

For more information about the supported instance types, see Primary ApsaraDB RDS for PostgreSQL instance types. The following section lists the instance types that are supported for the hardware-enhanced edition of the always-confidential database feature (Intel SGX-based).

Intel SGX-based security-enhanced instance types

The following table describes the regions and zones in which Intel SGX-based security-enhanced instance types are available for purchase.

| Region | Zone |
| --- | --- |
| China (Hangzhou) | Hangzhou Zone K |
| China (Shanghai) | Shanghai Zone B and Shanghai Zone L |
| China (Beijing) | Beijing Zone I and Beijing Zone K |
| China (Hong Kong) | Hong Kong Zone B and Hong Kong Zone D |

The following table describes the Intel SGX-based security-enhanced instance types. All of the listed instance types belong to the RDS High-availability Edition and to the Intel SGX-based security-enhanced instance family.

| Instance type | Number of CPU cores and memory capacity | Encrypted memory | Maximum number of connections |
| --- | --- | --- | --- |
| pg.x4t.medium.2c | 2 cores, 8 GB | 4 GB | 400 |
| pg.x4t.large.2c | 4 cores, 16 GB | 8 GB | 800 |
| pg.x4t.xlarge.2c | 8 cores, 32 GB | 16 GB | 1,600 |
| pg.x4t.2xlarge.2c | 16 cores, 64 GB | 32 GB | 3,200 |
| pg.x4t.4xlarge.2c | 32 cores, 128 GB | 64 GB | 6,400 |

Maximum IOPS: for more information, see IOPS.

Storage capacity (applies to all of the instance types above):

  • PL1 ESSD: 20 GB to 64,000 GB

  • PL2 ESSD: 500 GB to 64,000 GB

  • PL3 ESSD: 1,500 GB to 64,000 GB

  • General ESSD: 10 GB to 64,000 GB

Prerequisites

Procedure

  1. Create the database for which you want to enable the always-confidential database feature. For more information, see Create a database.

  2. Connect to the database by using the privileged account and execute the following SQL statement. The statement installs the extension that provides the always-confidential database feature and enables the feature for the database:

    Note

    For more information about how to connect to an RDS instance, see Connect to an ApsaraDB RDS for PostgreSQL instance.

    -- Install the EncDB extension.
    CREATE EXTENSION encdb;
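The following SQL session is an added example and is not part of the original topic or the EncDB extension's own documentation. It wraps the installation step above with two catalog checks that a practitioner would normally run: one before installing, to confirm the extension is available on the instance, and one afterwards, to confirm which version was installed and in which schema. It assumes that you are already connected to the target database as the privileged account; the database name `my_encdb` in the comments is a placeholder.

```sql
-- Added example. Assumes an open connection to the target database
-- (placeholder name: my_encdb) as the RDS privileged account.

-- 1. Confirm that the encdb extension is available on this instance before
--    trying to install it. An empty result means the extension is not
--    available here; re-check the minor engine version and instance type
--    requirements listed earlier in this topic.
SELECT name, default_version
FROM pg_available_extensions
WHERE name = 'encdb';

-- 2. Install the EncDB extension. IF NOT EXISTS makes the step safe to
--    re-run, for example from an automated provisioning script.
CREATE EXTENSION IF NOT EXISTS encdb;

-- 3. Verify the installed extension: its version and the schema it lives in.
--    Exactly one row is expected; no row means the CREATE EXTENSION failed
--    (check the error returned by the client).
SELECT e.extname, e.extversion, n.nspname AS schema_name
FROM pg_extension e
JOIN pg_namespace n ON n.oid = e.extnamespace
WHERE e.extname = 'encdb';
```

Run the whole session in a single psql or client session with error stopping enabled (for example `\set ON_ERROR_STOP on` in psql) so that a failed installation does not silently fall through to the verification query.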

What to do next

Before you use the always-confidential database feature, you must define sensitive data based on your business requirements. For more information, see Define sensitive data.