The Data Encryption MCP feature plugin helps users plan, review, apply, and validate data encryption rule changes for ShardingSphere-Proxy logical databases. Actual encryption capability is provided by ShardingSphere-Proxy and its encryption algorithm plugins. This feature only generates and applies encryption rule DistSQL. It does not generate physical DDL, derived-column DDL, index suggestions, or data migration tasks.
runtimeDatabases should point to Proxy logical databases, not physical storage databases.Users describe the encryption goal in an AI application that integrates ShardingSphere-MCP.
Examples:
<logic-database>.orders.status already has an encryption rule.<logic-database>.orders.status with equality query support, and preview it without execution.Users should review encryption rule DistSQL, algorithm properties, rule column names, and side-effect scope before approving any side-effecting execution.
When using natural language, include the following information when possible:
| Information | Description | Example |
|---|---|---|
| Logical database, table, and column | Specify the ShardingSphere-Proxy logical object to configure. | “Configure encryption for <logic-database>.orders.status.” |
| Schema or namespace | Recommended for multi-schema logical databases. | “The schema is public.” |
| Operation type | Create, alter, or drop an encryption rule. | “Create an encryption rule” or “drop the encryption rule for this column.” |
| Encryption goal | Describe whether reversible encryption, equality query, or LIKE query is required. | “Use reversible encryption and support equality queries.” |
| Algorithm preference | Specify an algorithm, or let MCP recommend one from algorithms available from Proxy. | “List data encryption algorithms available from the current Proxy.” or “Prefer AES.” |
| Algorithm properties | Sensitive values such as keys should be supplied through protected channels. | “The key is supplied through a protected channel.” |
| Rule column names | Provide column names used by the rule when cipher, assisted query, or LIKE query columns are required. | “The cipher column name is status_cipher.” |
| Operation | Natural language example | Content to review |
|---|---|---|
| Create | “Plan reversible encryption for orders.status, support equality queries, and preview first.” |
The new encryption rule, algorithms, properties, and rule column names. |
| Alter | “Change the previous encryption plan to use AES, then preview it again.” | The altered encryption rule and whether sibling encrypted columns are preserved. |
| Drop | “Drop the encryption rule for orders.status and preview the impact first.” |
Whether the target column rule is dropped and whether sibling encrypted columns are preserved. |
After a plan is generated, review:
Encryption rules may reference cipher, assisted query, or LIKE query columns. These column names are part of rule DistSQL only. ShardingSphere-MCP does not generate physical DDL for them or check whether the real physical table already has matching columns.
*_cipher is commonly used as the cipher column name.Preview first, then review rule DistSQL and side-effect scope before execution.
| Phase | Natural language example | User focus |
|---|---|---|
| Preview | “Preview the previous encryption rule plan without executing it.” | Inspect rule DistSQL, algorithms, and properties before execution. |
| Execute | “Confirm and execute the previous plan.” | Confirm that the side-effecting change has been reviewed. |
| Manual execution | “Export a manual execution package without automatic execution.” | Let operators review and execute in a controlled environment. |
| Validate | “Validate whether the previous encryption rule has taken effect.” | Check rule state and workflow execution result. |
For the general review flow of rule changes, see Rule Change Flow.