PolarDB：Manage encryption rules

Prerequisites

The PolarProxy version in PolarDB is 2.8.18 or later. For information about how to view or update the version of your PolarProxy, see Minor version update.

Limitations

• The encryption rules do not take effect on primary endpoints. You need to use the cluster endpoint or a custom cluster endpoint.

• The PolarDB Always Encrypted feature supports only COM_QUERY commands. Other command types such as COM_STMT_PREPARE are not supported. EncJDBC only supports Text Protocol. Binary Protocol is not supported. Operations that leverage prepared statements are always completed through Text Protocol queries.

• PolarDB Always Encrypted and dynamic masking cannot be enabled at the same time.

• If dynamic masking rules exist, to enable PolarDB Always Encrypted, you need to delete all existing masking rules and create new rules whose type is encryption.

• CMKs cannot be modified after they are specified. The entire cluster uses the same CMK.

• If you bypass SecureGW and directly connect to the native MySQL kernel, the encryption feature does not take effect. We recommend that you avoid doing this. To minimize the impact of unauthorized access, we also recommend that you enable other security features like log auditing.

Create an encryption rule

1. Log on to the PolarDB console.

2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.

3. Find the cluster and click its ID.

4. In the left-side navigation pane, choose Settings and Management > Security.

5. On the page that appears, click the Dynamic Data Masking/Encryption tab.

6. On the Dynamic Data Masking/Encryption tab, click Add in the upper-left corner.

7. In the Create Rule dialog box, configure the parameters.

   Table 1. Configure encryption rules

   Parameter		Required	Description
   Basic Information	Rule Name	Yes	The name of the encryption rule. The name can be up to 30 characters in length.
   	Description	No	The description of the rule. The description can be up to 64 characters in length.
   	Enable/Disable	N/A	Enable/Disable Note This switch is turned on by default.Enable/Disable
   	Endpoint	Yes	The endpoint to which the current rule is applied.
   Configurations	Database Account Name	No	The name of the database account to which the rule is applied. Valid values: All Accounts: indicates that the rule applies to all accounts of the cluster. The text box on the right must be left empty. Include: indicates that the rule applies only to specified database accounts. You need to specify at least one database account name in the text box on the right. Separate multiple accounts with commas (,). Exclude: indicates that the rule applies only to database accounts that are not specified in this section. You need to specify at least one database account name in the text box on the right. Separate multiple accounts with commas (,). Note The database account names can be in the following formats: account name. Example: user account name@full IP address. Example: user@10.1.1.1 account name@IP address with wildcard characters. Example: user@10.1.1.%, user@%.1.1.1, or user@1.%.1 account name@IP address/subnet mask. Example: user@10.1.1.0/255.255.255.0
   	Database Name	No	The name of the database to which the rule is applied. Valid values: All Databases: indicates that the rule applies to all the databases in the cluster. The text box on the right need to be left empty. Include: indicates that the rule applies only to specified databases. You need to specify at least one database name in the text box on the right. Separate multiple database names with commas (,).
   	Table Name	No	The name of the table to which the rule is applied. Valid values: All tables: indicates that the rule applies to all the tables in the cluster. The text box on the right must be left empty. Include: indicates that the rule applies only to specified tables. You need to specify at least one table name in the text box on the right. Separate multiple table names with commas (,).
   	Column Name	Yes	The names of the fields to which the rule is applied. You can specify more than one field name and separate multiple field names with commas (,).

8. In the message that appears, click OK.

Enable or disable a rule

1. Log on to the PolarDB console.

2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.

3. Find the cluster and click its ID.

4. In the left-side navigation pane, choose Settings and Management > Security.

5. On the page that appears, click the Dynamic Data Masking/Encryption tab.

6. Find the rule and turn the switch in the Enable/Disable column on or off.

   

   Note

   • You can select multiple rules in the list and then click Enable or Disable at the bottom of the list to batch enable or disable the rules.

   • Disabled rules are not deleted. You can enable disabled rules when needed. Disable You can Enable disabled rules when needed.

7. In the dialog box that appears, click OK.

Modify an encryption rule

1. Log on to the PolarDB console.

2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.

3. Find the cluster and click its ID.

4. In the left-side navigation pane, choose Settings and Management > Security.

5. On the page that appears, click the Dynamic Data Masking/Encryption tab.

6. Find the target rule and click Modify in the Actions column. In the dialog box that appears, configure the parameters.

7. Click OK.

Delete an encryption rule

1. Log on to the PolarDB console.

2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.

3. Find the cluster and click its ID.

4. In the left-side navigation pane, choose Settings and Management > Security.

5. On the page that appears, click the Dynamic Data Masking/Encryption tab.

6. Find the target rule and click Delete in the Actions column.

7. In the dialog box that appears, click OK.