How to Scale Data Encryption Across Millions of Services: A Practical Roadmap
This article details a comprehensive, multi‑stage approach to implementing data encryption at scale—covering data discovery, solution selection, application‑layer and proxy‑layer encryption, key management, algorithm choices, incremental migration, and measurable metrics—to help enterprises protect sensitive data while balancing performance and cost.
Background
With growing regulatory pressure from China's Cybersecurity Law and Personal Information Protection Law (PIPL), enterprises must encrypt sensitive data at rest. Encryption primitives are readily available in every mainstream language; the hard part is applying them consistently across hundreds of services and billions of records without compromising security, stability, or cost.
Data Research
The first phase involved a thorough inventory of service languages, storage components, and the distribution of sensitive data. The dominant languages (Java, PHP, Go, Python, etc.) and storage technologies were identified, and sensitive data assets were classified according to the company’s data‑classification policy, focusing on personal information and critical business data.
Solution Selection
Stakeholders from security, architecture, CI, and DBA evaluated three main encryption approaches:
Unified Sensitive‑Info Service Encryption – centralizes sensitive data in a middle‑platform for unified encryption and management.
Application‑Layer Encryption per Service – each service encrypts data before persisting it and decrypts on demand.
Database‑Proxy Encryption – a proxy in front of the database intercepts SQL statements and transparently encrypts written values and decrypts read values at the database boundary.
After weighing advantages, challenges, and cost, the team chose the application‑layer approach: it had the smallest performance impact of the three, at the price of higher development effort in each service.
Encryption Transformation
The transformation focused on three pillars: key management, encryption algorithms, and encryption technology implementation.
Key Management
Commercial KMS products backed by Hardware Security Modules (HSM) were adopted so that no key is hard‑coded in application code or configuration. The design is envelope encryption: a Data Key (DK) encrypts the data, and a Key Encryption Key (KEK) held inside the KMS encrypts the DK. The application only ever sees a DK in plaintext, and only in memory; the KEK never leaves the HSM. The data‑encryption workflow is:
Generate a plaintext DK and encrypt it with KEK in the KMS, producing a ciphertext DK.
Encrypt data with the plaintext DK, producing ciphertext data.
Persist ciphertext data together with the ciphertext DK.
Decryption reverses these steps: retrieve the ciphertext DK stored with the record, send it to the KMS to be decrypted under the KEK, obtain the plaintext DK, and decrypt the data locally. Each decrypt therefore costs one KMS round trip unless the plaintext DK is cached for a batch of rows, which is the main performance lever of this design and must be weighed against how long a plaintext DK stays in process memory.
Encryption Algorithms
Strong algorithms such as AES (symmetric) and RSA (asymmetric) were selected, with optional support for China's national‑standard (SM‑series, e.g. SM4 and SM2) algorithms. Symmetric encryption handles bulk data because of its speed; asymmetric encryption is reserved for small payloads such as key exchange and for digital signatures. The algorithm name alone is not enough: the mode of operation matters, and column data should use an authenticated mode such as AES‑GCM, since ECB reveals which rows hold equal values and unauthenticated CBC lets ciphertext tampering go unnoticed.
Encryption Technology
Two implementation styles were explored:
SDK‑Based Encryption – a library wrapping common algorithms; developers manually invoke it for each read/write operation.
MyBatis Interceptor Component – an interceptor that automatically encrypts mapped parameters on write and decrypts result fields on read; a service only declares which columns are sensitive through configuration or annotations.
The interceptor was then extended for migration: it handles both new writes and legacy rows, performs consistency checks, supports gray‑scale reads (the read path accepts a row whether its column is still plaintext or already ciphertext, so the backfill can run behind live traffic), and does bidirectional comparison of the plaintext and encrypted columns, effectively giving services a “no‑code‑change” migration path.
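As an added example (not code from the original article or from Huolala's interceptor), the following Go program walks through the DK/KEK workflow of the Key Management section and the migration‑tolerant read described above. The in‑process kms type, the ENC1: storage layout, the use of the record ID as associated data, and the sample values are this example's own assumptions; a real deployment replaces kms with calls to the HSM‑backed KMS, whose KEK never leaves the device.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"strings"
)

// kms stands in for the HSM-backed KMS (an assumption of this example): it holds the KEK and
// only wraps or unwraps data keys. In production these are network calls; the KEK never leaves the HSM.
type kms struct{ kek []byte }

func newKMS() *kms { return &kms{kek: randBytes(32)} }

func (k *kms) wrap(plainDK []byte) ([]byte, error)     { return seal(k.kek, plainDK, nil) }
func (k *kms) unwrap(wrappedDK []byte) ([]byte, error) { return open(k.kek, wrappedDK, nil) }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG must never degrade to a weak key
	}
	return b
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal and open are AES-256-GCM with the random nonce prepended; aad is authenticated only.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(sealed) < g.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Persisted layout (this example's own choice): "ENC1:" + b64(wrapped DK) + ":" + b64(sealed value).
// The prefix is how the read path tells migrated ciphertext from legacy plaintext.
const encPrefix = "ENC1:"

var b64 = base64.RawStdEncoding

// encryptField runs the three write steps for one column value. recordID is bound as AAD,
// so a ciphertext copied into another row fails to decrypt.
func encryptField(k *kms, recordID, plaintext string) (string, error) {
	dk := randBytes(32)    // step 1: plaintext DK ...
	wdk, err := k.wrap(dk) // ... and its ciphertext form from the KMS
	if err != nil {
		return "", err
	}
	ct, err := seal(dk, []byte(plaintext), []byte(recordID)) // step 2: data under the DK
	// step 3: ciphertext data and ciphertext DK are persisted together
	return encPrefix + b64.EncodeToString(wdk) + ":" + b64.EncodeToString(ct), err
}

// decryptField is the gray-scale read: a value without the prefix is legacy plaintext and is
// returned unchanged (encrypted=false), so old rows keep working while the backfill runs.
func decryptField(k *kms, recordID, stored string) (value string, encrypted bool, err error) {
	if !strings.HasPrefix(stored, encPrefix) {
		return stored, false, nil
	}
	wdkB64, ctB64, ok := strings.Cut(stored[len(encPrefix):], ":")
	wdk, err1 := b64.DecodeString(wdkB64)
	ct, err2 := b64.DecodeString(ctB64)
	if !ok || err1 != nil || err2 != nil {
		return "", true, errors.New("malformed encrypted value")
	}
	dk, err := k.unwrap(wdk) // KMS round trip: ciphertext DK -> plaintext DK
	if err != nil {
		return "", true, err
	}
	pt, err := open(dk, ct, []byte(recordID))
	return string(pt), true, err
}

// consistent is the backfill comparison: the legacy plaintext column and the new ciphertext
// column must agree for the row before the plaintext is cleared.
func consistent(k *kms, recordID, legacyPlain, stored string) bool {
	v, enc, err := decryptField(k, recordID, stored)
	return err == nil && enc && subtle.ConstantTimeCompare([]byte(v), []byte(legacyPlain)) == 1
}
```

Write path: encryptField once per row. Read path: decryptField, which reports encrypted=false for rows the backfill has not reached yet, so callers can count how much plaintext is still being served. The bidirectional comparison is consistent(k, id, legacyPlain, stored) run over both columns before the plaintext column is cleared. One KMS round trip per row is the cost of a per‑row DK; a real interceptor usually caches a DK for a batch of writes and wipes it afterwards. A legacy value that happened to start with ENC1: would be misclassified, so choose a prefix that cannot occur in the column's legitimate domain.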
Incremental Control & Risk Management
Risk mitigation follows three stages:
Pre‑development (Design) – embed encryption requirements into security guidelines and SDL.
Pre‑release (Testing) – use database audit logs to detect CREATE/ALTER statements that add or modify sensitive columns and raise an alert, so an unencrypted sensitive column is caught at schema‑review time rather than after data has accumulated in it.
Production (Post‑release) – regularly scan database assets for sensitive fields still held in plaintext and enforce remediation.
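The pre‑release and production checks, as an added example in Go that is not the article's own tooling: detectDDL scans audit‑log lines for CREATE/ALTER TABLE statements that define a column whose name matches a sensitive‑column dictionary, and scanColumns samples column values and reports any that still match a PII pattern. The log format, the dictionary, the PII regexes, and every sample value are constructed assumptions of this example.

```go
package main

import (
	"regexp"
	"strings"
)

// sensitiveColumns stands in for the data-classification dictionary (an assumption of this
// example): column-name fragments that mark personal information under the policy.
var sensitiveColumns = []string{"phone", "mobile", "id_card", "email", "bank_card", "address"}

// Constructed audit-log record format used here: <timestamp> user=<user> db=<db> stmt="<sql>"
var (
	logLine   = regexp.MustCompile(`^(\S+) user=(\S+) db=(\S+) stmt="(.*)"$`)
	ddlStmt   = regexp.MustCompile(`(?i)^\s*(?:CREATE|ALTER)\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(\w+)`)
	columnDef = regexp.MustCompile(`(?i)\b(\w+)\s+(?:VARCHAR|CHAR|TEXT|INT|BIGINT|DECIMAL|JSON|BLOB|DATE|DATETIME)\b`)
)

type Alert struct {
	Time, User, DB, Table, Column, Statement string
}

func isSensitiveName(col string) bool {
	col = strings.ToLower(col)
	for _, frag := range sensitiveColumns {
		if strings.Contains(col, frag) {
			return true
		}
	}
	return false
}

// detectDDL is the pre-release check: each CREATE/ALTER TABLE in the audit log that defines a
// column whose name hits the dictionary becomes an alert, so the column is reviewed for
// encryption before the schema change ships.
func detectDDL(lines []string) []Alert {
	var alerts []Alert
	for _, line := range lines {
		m := logLine.FindStringSubmatch(line)
		if m == nil {
			continue // not a statement record; unknown formats are skipped, not alerted
		}
		ts, user, db, stmt := m[1], m[2], m[3], m[4]
		d := ddlStmt.FindStringSubmatch(stmt)
		if d == nil {
			continue // DML: whether existing columns are encrypted is the production scan's job
		}
		for _, c := range columnDef.FindAllStringSubmatch(stmt, -1) {
			if isSensitiveName(c[1]) {
				alerts = append(alerts, Alert{ts, user, db, d[1], c[1], stmt})
			}
		}
	}
	return alerts
}

// piiPatterns are value-shape detectors (also an assumption of this example). Ciphertext never
// matches them, so a match in a column that should be encrypted means plaintext is still there.
var piiPatterns = map[string]*regexp.Regexp{
	"cn_mobile":  regexp.MustCompile(`^1[3-9]\d{9}$`),
	"cn_id_card": regexp.MustCompile(`^\d{17}[\dXx]$`),
	"email":      regexp.MustCompile(`^[^@\s]+@[^@\s]+\.[^@\s]+$`),
}

type Finding struct {
	Table, Column, Kind string
	Rows                int // sampled values that were plaintext of this kind
}

// scanColumns is the production check: sample values per "table.column" and report every
// column that still holds plaintext PII. The caller feeds samples pulled from the database.
func scanColumns(sample map[string][]string) []Finding {
	var out []Finding
	for tc, values := range sample {
		counts := map[string]int{}
		for _, v := range values {
			for kind, re := range piiPatterns {
				if re.MatchString(v) {
					counts[kind]++
				}
			}
		}
		table, col, _ := strings.Cut(tc, ".")
		for kind, n := range counts {
			out = append(out, Finding{table, col, kind, n})
		}
	}
	return out
}
```

detectDDL deliberately ignores DML and unparseable lines rather than alerting on them: the point of the pre‑release gate is a low false‑positive rate on schema changes, while the production scan catches plaintext that slipped through. The value patterns are the same ones a classifier for the Metrics section would be measured against, so their precision and recall on a labelled sample should be known before the scan is used to report coverage.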
Metrics & Measurement
Progress is tracked with quantitative indicators at three granularities (tables, fields, and data volume): encryption coverage, plus the precision and recall of sensitive‑field detection, since a scanner that misses fields silently overstates coverage. A further metric is the proportion of legacy plaintext fields cleared after migration.
Conclusion
Data encryption at scale is a cross‑functional, long‑term effort that requires unified technical solutions, disciplined key management, careful algorithm selection, and continuous risk monitoring. By following the outlined roadmap, enterprises can enhance their overall security posture while minimizing disruption to business operations.
This article has been distilled and summarized from source material, then republished for learning and reference.
Huolala Safety Emergency Response Center
Official public account of the Huolala Safety Emergency Response Center (LLSRC)