This topic describes how to configure column encryption rules and role permissions for an ApsaraDB RDS for MySQL instance in the ApsaraDB RDS console. Column encryption is the basic edition of the always-confidential database feature.
Prerequisites
The RDS instance runs a major engine version of MySQL 5.7 or MySQL 8.0 and a minor engine version of 20240430 or later.
Note: For more information, see Update the minor engine version.
The always-confidential database feature is enabled for the RDS instance. For more information, see Use the always-confidential database feature.
A privileged account is used to configure data protection rules.
Feature description
To implement column encryption, you must complete the following configurations:
Column encryption rule: You must specify the columns that you want to encrypt for a database.
Role permissions: You must configure role permissions to allow users to view plaintext data and ciphertext data.
Before you configure a column encryption rule, we recommend that you configure role permissions to allow specific users to view plaintext data. This prevents impacts on the running business system.
If you do not configure role permissions for database accounts, the system automatically assigns the permissions of the Other administrator role to the database accounts. This way, the database accounts can be used to view ciphertext data. If you configure column encryption rules but do not configure role permissions, the encrypted data appears as garbled characters in your business system.
Usage notes
After you configure and enable a data protection rule, the rule takes effect on all databases on an RDS instance, and you do not need to repeatedly configure the rule.
We recommend that you use separate database accounts to manage data protection rules and online applications. Do not grant management permissions on online applications unless necessary.
Exercise caution when you grant the read and write permissions on the mysql.encdb_sensitive_rules and mysql.encdb_auth_users tables. The modification of the tables may allow attackers to bypass always-confidential protection.
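The following query is an added example and is not part of the original topic. It lists the accounts that hold read or write privileges on the two tables named above at the global, schema, table, and column levels. It assumes that the session account is allowed to read the information_schema privilege views for all grantees; otherwise only its own grants are returned.

```sql
-- Added example: audit who can read or modify the always-confidential
-- metadata tables mysql.encdb_sensitive_rules and mysql.encdb_auth_users.
-- In MySQL 8.0, a role can also appear as a GRANTEE; review the members
-- of any role that is listed.

-- 1. Global grants (ON *.*) cover every table, including the two above.
SELECT 'global' AS scope, GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE,
       NULL AS TABLE_NAME, NULL AS COLUMN_NAME
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'DROP', 'ALTER')

UNION ALL

-- 2. Schema-level grants. TABLE_SCHEMA can hold a wildcard pattern,
--    so test whether the pattern matches the schema name 'mysql'.
SELECT 'schema', GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE, NULL, NULL
FROM information_schema.SCHEMA_PRIVILEGES
WHERE 'mysql' LIKE TABLE_SCHEMA
  AND PRIVILEGE_TYPE IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'DROP', 'ALTER')

UNION ALL

-- 3. Grants made directly on the two tables.
SELECT 'table', GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE, TABLE_NAME, NULL
FROM information_schema.TABLE_PRIVILEGES
WHERE TABLE_SCHEMA = 'mysql'
  AND TABLE_NAME IN ('encdb_sensitive_rules', 'encdb_auth_users')
  AND PRIVILEGE_TYPE IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'DROP', 'ALTER')

UNION ALL

-- 4. Grants on individual columns of the two tables.
SELECT 'column', GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE, TABLE_NAME, COLUMN_NAME
FROM information_schema.COLUMN_PRIVILEGES
WHERE TABLE_SCHEMA = 'mysql'
  AND TABLE_NAME IN ('encdb_sensitive_rules', 'encdb_auth_users')

ORDER BY GRANTEE, scope, PRIVILEGE_TYPE;
```

Any grantee in the result other than the account that manages data protection rules is a candidate for revocation.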
Procedure
Log on to the ApsaraDB RDS console and go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the instance ID.
In the left-side navigation pane, click Data Security.
Click the Column encryption tab to configure role permissions and column encryption rules.
Configure or modify role permissions
Click Role permission settings, find the role that you want to manage, and then click Configure Account or Modify Account in the Actions column.
Note: The following list describes the role permissions:
Super administrator: has the permissions to view all sensitive data in plaintext.
O&M administrator: has the permissions to view sensitive data in ciphertext. You can use this role to create a custom dedicated key to implement real-time data encryption and decryption.
Other administrator: does not have the permissions to view plaintext data. You can use this role to view only ciphertext data. You cannot use this role to decrypt data.
In the Configure Account dialog box, configure the following parameters and click OK.
| Parameter | Required | Description |
| --- | --- | --- |
| Expiration date | Yes | The expiration time of the account. This parameter is available only when the role name is Super administrator. When the expiration time arrives, the permissions of super administrators are automatically reset to the permissions of other administrators that do not have the permissions to view plaintext data. |
| Related accounts | No | You can select no database account or select multiple database accounts from the drop-down list. |
| Custom Account | No | Custom accounts are similar to related accounts. You must specify at least one database account name in the text box. Separate multiple account names with commas (,). |
You can adjust role permissions in the Configure Account dialog box at any time based on your business requirements. For example, you can configure user A as a super administrator and then open the Configure Account dialog box again to configure user B as a super administrator. If you want to revoke the role permissions of a user, you must configure the role as Other administrator.
Add or modify column encryption rules
Click List encryption rules. Click Newly added or find the rule that you want to manage. Then, click Modify in the operation column.
In the dialog box that appears, configure the following parameters and click OK.
| Parameter | Required | Description |
| --- | --- | --- |
| Rule Name | Yes | The name of the encryption rule. The name can be up to 30 characters in length. |
| Database Name | No | The name of the database to which you want to apply the rule. Valid values: All of them: applies the rule to all databases on the instance. contain: applies the rule only to specific databases. You must specify at least one database. Separate multiple databases with commas (,). |
| Table Name | No | The name of the table to which the rule is applied. Valid values: All of them: applies the rule to all tables of the instance. contain: applies the rule only to specific tables. You must specify at least one table in the text box on the right. Separate multiple tables with commas (,). |
| Field Name | No | The name of the column to which you want to apply the rule. Valid values: All of them: applies the rule to all columns of the instance. contain: applies the rule only to specific columns. You must specify at least one column in the text box on the right. Separate multiple columns with commas (,). |
Delete column encryption rules
On the Column encryption tab, click List encryption rules, find the rule that you want to delete, and then click Delete in the operation column.