ApsaraDB RDS: Enable the always-confidential database feature

Last Updated: Jun 28, 2024

The always-confidential database feature is integrated with ApsaraDB RDS for PostgreSQL by default. However, you must complete some configurations before you use the feature. This topic describes how to enable the always-confidential database feature.

Procedure

  1. Create an ApsaraDB RDS for PostgreSQL instance and purchase an instance type that supports the always-confidential database feature. For more information, see Create an ApsaraDB RDS for PostgreSQL instance and Instance types for primary ApsaraDB RDS for PostgreSQL instances. The edition of the always-confidential database that is available depends on the instance type of the RDS instance:

    • Always-confidential database (hardware-enhanced edition): RDS instances that use Intel SGX-based security-enhanced instance types

      Intel SGX-based security-enhanced instance types

      The following table describes the regions in which Intel SGX-based security-enhanced instance types are available for purchase.

      | Region | Zone |
      |---|---|
      | China (Hangzhou) | Beijing Zone K |
      | China (Shanghai) | Shanghai Zone B and Shanghai Zone L |
      | China (Beijing) | Beijing Zone I and Beijing Zone K |
      | China (Hong Kong) | Hong Kong Zone B and Hong Kong Zone D |

      RDS edition: RDS High-availability Edition

      Instance family: Intel SGX-based security-enhanced instance family

      | Instance type | Number of CPU cores and memory capacity | Encrypted memory | Maximum number of connections |
      |---|---|---|---|
      | pg.x4t.medium.2c | 2 cores, 8 GB | 4 GB | 400 |
      | pg.x4t.large.2c | 4 cores, 16 GB | 8 GB | 800 |
      | pg.x4t.xlarge.2c | 8 cores, 32 GB | 16 GB | 1,600 |
      | pg.x4t.2xlarge.2c | 16 cores, 64 GB | 32 GB | 3,200 |
      | pg.x4t.4xlarge.2c | 32 cores, 128 GB | 64 GB | 6,400 |

      Maximum IOPS: For more information, see IOPS.

      Storage capacity:

      • PL1 ESSD: 20 GB to 64,000 GB

      • PL2 ESSD: 500 GB to 64,000 GB

      • PL3 ESSD: 1,500 GB to 64,000 GB

    • Always-confidential database (basic edition): RDS instances that use other instance types

      Note
      • The minor engine version of the RDS instance must be 20230830 or later.

      • Serverless RDS instances are not supported.

      • YiTian RDS instances are not supported.

  2. Create a privileged account that has the extension installation permissions for the RDS instance. For more information, see Create an account.

  3. Create a database on the RDS instance. For more information, see Create a database.

  4. Use the privileged account to connect to the database, and then execute the following SQL statement to install the extension that provides the always-confidential database feature and enable the feature:

    Note

    For more information about how to connect to an RDS instance, see Connect to an ApsaraDB RDS for PostgreSQL instance.

    -- Install the EncDB extension.
    CREATE EXTENSION encdb;
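
A check to run around step 4, added here as an example and not taken from the original documentation: it uses the standard PostgreSQL catalogs pg_available_extensions and pg_extension to confirm that encdb is offered by the instance before installation and registered in the current database afterwards. PostgreSQL installs extensions per database, so repeat it in every database that will hold sensitive data.

```sql
-- Added example: pre-check and post-check around CREATE EXTENSION encdb.
-- Run as the privileged account, connected to the target database.

-- 1. Pre-check: is encdb shipped with this instance's engine build?
--    No row means the extension is not available on this instance
--    (review the instance type and minor engine version requirements).
--    installed_version is NULL until the extension is created in
--    the current database.
SELECT name, default_version, installed_version
FROM   pg_available_extensions
WHERE  name = 'encdb';

-- 2. Install. IF NOT EXISTS makes the statement safe to re-run from
--    provisioning scripts.
CREATE EXTENSION IF NOT EXISTS encdb;

-- 3. Post-check: confirm the extension is registered in THIS database,
--    and record its version, schema and owning role for audit purposes.
SELECT e.extname,
       e.extversion,
       n.nspname          AS extension_schema,
       r.rolname          AS extension_owner,
       current_database() AS database_name
FROM   pg_extension e
JOIN   pg_namespace n ON n.oid = e.extnamespace
JOIN   pg_roles     r ON r.oid = e.extowner
WHERE  e.extname = 'encdb';
```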

What to do next

Before you use the always-confidential database feature, you must define sensitive data based on your business requirements. For more information, see Define sensitive data.