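// 数据库行级与列级加密(RLS/Cell Encryption)最佳实践
//
// 概述
// 通过RLS限制行级可见性,列级加密保护敏感字段,结合密钥治理与审计,实现最小暴露的数据访问模型。
//
// 行级安全(示例:PostgreSQL RLS)
//
//   ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
//   CREATE POLICY tenant_isolation ON accounts
//     USING (tenant_id = current_setting('app.tenant_id')::uuid);
//
// Notes on the policy above: ENABLE ROW LEVEL SECURITY does not constrain the table
// owner (or BYPASSRLS roles); if the application connects as the owner, add
// `ALTER TABLE accounts FORCE ROW LEVEL SECURITY`. `current_setting('app.tenant_id')`
// raises an error when the setting was never assigned on the session; the two-argument
// form `current_setting('app.tenant_id', true)` returns NULL instead, which makes the
// USING clause evaluate to NULL and hides every row — i.e. it fails closed.
//
// 列级加密(应用层信封加密)
import { randomBytes, createCipheriv, createDecipheriv } from 'crypto'

/**
 * Serialized AES-256-GCM ciphertext for one cell. Every field is base64url so the
 * value can be stored in a text/jsonb column without further escaping.
 */
type CipherText = { iv: string; tag: string; data: string }

// Algorithm parameters are pinned explicitly. Without `authTagLength` Node accepts
// several (shorter) tag sizes on decryption; pinning 16 bytes rejects truncated tags.
const KEY_BYTES = 32
const IV_BYTES = 12
const TAG_BYTES = 16

/**
 * Rejects keys of the wrong size with a readable error before they reach the cipher.
 * @throws Error when `key` is not exactly 32 bytes (AES-256).
 */
function assertDataKey(key: Buffer): void {
  if (key.length !== KEY_BYTES) {
    throw new Error(`data key must be ${KEY_BYTES} bytes, got ${key.length}`)
  }
}

/**
 * Encrypts one field value with AES-256-GCM under a fresh random 96-bit IV.
 *
 * @param plain UTF-8 plaintext to protect.
 * @param key   32-byte data key (normally unwrapped from the KMS, see 密钥治理 below).
 * @param aad   Optional additional authenticated data. Binding e.g. the row id or
 *              column name here makes a ciphertext moved to another row/column fail
 *              to decrypt, since the AAD is covered by the authentication tag.
 * @returns base64url-encoded iv, tag and ciphertext.
 * @throws Error when `key` has the wrong length.
 */
function encryptField(plain: string, key: Buffer, aad?: Buffer): CipherText {
  assertDataKey(key)
  const iv = randomBytes(IV_BYTES)
  const cipher = createCipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_BYTES })
  if (aad !== undefined) cipher.setAAD(aad)
  const body = Buffer.concat([cipher.update(Buffer.from(plain, 'utf8')), cipher.final()])
  return {
    iv: iv.toString('base64url'),
    tag: cipher.getAuthTag().toString('base64url'),
    data: body.toString('base64url'),
  }
}

/**
 * Decrypts a value produced by {@link encryptField}.
 *
 * @param ct  Serialized ciphertext.
 * @param key 32-byte data key used for encryption.
 * @param aad Must equal the AAD passed at encryption time (or be omitted in both).
 * @returns The UTF-8 plaintext.
 * @throws Error when the key length is wrong, when iv/tag have an unexpected size,
 *         or when authentication fails (wrong key, tampered data, AAD mismatch);
 *         the last case is raised by `decipher.final()`.
 */
function decryptField(ct: CipherText, key: Buffer, aad?: Buffer): string {
  assertDataKey(key)
  const iv = Buffer.from(ct.iv, 'base64url')
  const tag = Buffer.from(ct.tag, 'base64url')
  const data = Buffer.from(ct.data, 'base64url')
  // Size check before touching the cipher gives a clear error for corrupted records.
  if (iv.length !== IV_BYTES || tag.length !== TAG_BYTES) {
    throw new Error('malformed ciphertext: unexpected iv or tag length')
  }
  const decipher = createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_BYTES })
  if (aad !== undefined) decipher.setAAD(aad)
  decipher.setAuthTag(tag)
  // final() performs the tag verification and throws on mismatch.
  const plain = Buffer.concat([decipher.update(data), decipher.final()])
  return plain.toString('utf8')
}

// 透明解密与最小化访问
type Account = { id: string; tenant_id: string; email_enc: CipherText }

/**
 * Returns the decrypted e-mail only when the caller belongs to the row's tenant.
 *
 * The tenant check is repeated in the application even though RLS already filters
 * rows, so a row obtained through a path without RLS (owner connection, bypassed
 * policy) still cannot be decrypted for a foreign tenant.
 *
 * @param acc          Row as read from the database.
 * @param k            Data key for `acc.email_enc`.
 * @param callerTenant Tenant id of the requesting principal.
 * @returns The plaintext e-mail, or `null` when the tenant does not match.
 * @throws Error (rejected promise) when decryption fails, see {@link decryptField}.
 */
async function readAccountEmail(acc: Account, k: Buffer, callerTenant: string): Promise<string | null> {
  // An async function must declare Promise<T>; the original `string | null` does not compile.
  if (acc.tenant_id !== callerTenant) return null
  return decryptField(acc.email_enc, k)
}

// 密钥治理与审计
// - 使用KMS/Vault管理数据密钥,应用仅持有短期会话密钥
// - 记录解密尝试与失败事件,审计访问频率与来源
// - 定期轮换密钥并进行重加密(在线或离线)
//
// 通过RLS与列级加密协同,可在不影响查询灵活性的前提下提升数据访问安全与合规性。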
