Tablestore: Data security

Last Updated: Apr 10, 2026

Tablestore provides server-side encryption and client-based encryption to protect your cloud data from potential security risks. For high availability and disaster recovery, Tablestore supports zone-redundant storage. You can also use Cloud Backup to back up important data to prevent data loss from accidental deletion or malicious tampering. In addition, Tablestore uses the V4 signature algorithm to protect user keys and reduce the risk of key leakage.

Data encryption

Disk encryption for static data

Tablestore supports disk encryption to protect data at rest from attackers who bypass the database and access the underlying storage directly. For more information, see Data encryption.

By default, the disk encryption feature is disabled. If you want to enable the disk encryption feature, turn on Encryption in the Create Table dialog box and select an encryption type.

Important

After you enable the disk encryption feature, you cannot disable the feature. Proceed with caution.

Tablestore supports two encryption methods: encryption based on a Key Management Service (KMS) key and encryption based on Bring Your Own Key (BYOK). You must obtain the keys for both methods from KMS. You can choose a method based on your business requirements.

| Encryption mode | How to use | Description |
| --- | --- | --- |
| KMS key-based encryption | Tablestore console, Tablestore SDK | Tablestore uses the default KMS-managed Customer Master Key (CMK) to encrypt data and automatically decrypts data when the data is being read. When you use KMS key-based encryption for the first time, Tablestore creates a KMS-managed CMK in the KMS console. You do not need to purchase a KMS instance. |
| BYOK-based encryption | Tablestore SDK | After you use BYOK materials to generate a custom key in the KMS console, Tablestore can encrypt data based on your custom key. In this mode, you can manage the encryption key that you use. |

Data transmission encryption

Tablestore supports encryption based on the Transport Layer Security (TLS) protocol. Data transmission between the Tablestore server and the client is encrypted based on the TLS protocol. For more information, see Restrict the TLS version for instance access.

Tablestore allows you to use methods such as custom Resource Access Management (RAM) policies and access control policies to restrict the TLS versions that can be used to access Tablestore. Later TLS versions use more secure encryption algorithms for data in transit. We recommend that you use TLS 1.2 or later. For more information, see Custom RAM policy, Examples, and Instance policy examples.

Data disaster recovery

Tablestore provides two data redundancy types: locally redundant storage (LRS) and zone-redundant storage (ZRS). If your business requires high availability, you can choose a region that supports zone-redundant storage for your data. For more information, see Zone-redundant storage.

LRS

LRS uses a single-zone redundancy model to replicate your data across devices within the same zone. LRS is designed to ensure data durability and service availability if a hardware device in the zone fails.

Note

LRS stores data within a single Availability Zone. If that zone becomes unavailable or all hardware within it fails simultaneously, the data becomes inaccessible.

ZRS

ZRS uses a multi-zone redundancy model to replicate your data across zones within the same region. If a zone becomes unavailable, ZRS ensures that your data remains accessible.

ZRS provides data center-level disaster recovery. If a zone within a region fails, Tablestore maintains strong consistency. The failover process is transparent to users, with no service interruption or data loss. This achieves a Recovery Time Objective (RTO) of 0 and a Recovery Point Objective (RPO) of 0, meeting the stringent requirements of mission-critical systems.

Data backup and restoration

Tablestore allows you to use Cloud Backup to back up and restore data. The data backup feature is suitable for the following scenarios: disaster recovery, restoration upon accidental deletion or malicious tampering, data versioning, legal compliance, and data migration. For more information, see Backup and recovery.

Note

Cloud Backup is a unified platform that is developed by Alibaba Cloud for backup and disaster recovery. Cloud Backup is an easy-to-use data management service that is deployed on the public cloud to offer high agility, efficiency, security, and reliability. You can use Cloud Backup to back up data to a backup vault from Elastic Compute Service (ECS) instances, ECS databases, file systems, NAS clusters, OSS buckets, Tablestore instances, and data centers that store files, databases, virtual machines (VMs), and large-scale NAS file systems. You can also use the backup data for disaster recovery and archive data based on the archive policies that you configure for the preceding resources. For more information, see What is Cloud Backup.

To prevent important data from becoming unavailable due to accidental deletion or malicious tampering, you can use the data backup feature in the Tablestore console to back up data in tables in the Wide Column model of Tablestore instances on a regular basis and restore lost or damaged data at the earliest opportunity. For more information, see Back up data, Restore data, and Configure alert notification for a backup plan.

User key security

The Tablestore client uses the V4 signature algorithm to compute a derived key from your user key, which is the AccessKey of an Alibaba Cloud account or a RAM user. The client then uses this derived key to initiate requests. When the Tablestore server receives a request, it uses the derived key to perform identity verification. This process avoids transmitting the user key during authentication, which reduces the risk of key leakage. For more information, see User key security.
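
The derived-key pattern described above, as an added Python illustration that is not Tablestore's own code or its exact V4 algorithm. Assumptions: the derivation is modeled as an HMAC-SHA256 chain over a date/region/product scope, the canonical request layout is simplified, the verifier is handed the derived key directly, and all keys, paths and payloads are constructed samples.

```python
import hashlib
import hmac

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_key(secret: str, date: str, region: str, product: str) -> bytes:
    # Assumed derivation: HMAC chain over a request scope. The page does not
    # list Tablestore's real inputs, so date/region/product are illustrative.
    key = secret.encode()
    for part in (date, region, product):
        key = _mac(key, part.encode())
    return key

def sign(derived_key: bytes, method: str, path: str, body: bytes) -> str:
    # Only this signature travels with the request; neither the AccessKey
    # secret nor the derived key does.
    canonical = "\n".join([method, path, hashlib.sha256(body).hexdigest()])
    return _mac(derived_key, canonical.encode()).hex()

def verify(derived_key: bytes, method: str, path: str, body: bytes, sig: str) -> bool:
    # Server side: recompute with the derived key, compare in constant time.
    return hmac.compare_digest(sign(derived_key, method, path, body), sig)

def demo() -> dict:
    secret = "constructed-secret-not-a-real-accesskey"  # constructed sample
    today = derive_key(secret, "20260410", "cn-hangzhou", "ots")
    other_day = derive_key(secret, "20260411", "cn-hangzhou", "ots")
    body = b'{"table_name":"orders"}'                    # constructed sample
    sig = sign(today, "POST", "/GetRow", body)
    return {
        # Untouched request signed with the matching derived key.
        "valid": verify(today, "POST", "/GetRow", body, sig),
        # Body changed in transit: signature no longer matches.
        "tampered_body": verify(today, "POST", "/GetRow", body + b" ", sig),
        # Derived key for a different scope cannot validate this request,
        # so a leaked derived key is limited to the scope it was derived for.
        "wrong_scope": verify(other_day, "POST", "/GetRow", body, sig),
    }

if __name__ == "__main__":
    print(demo())
```
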