Transparent Data Encryption (TDE) is a technology used to encrypt databases by offering encryption at file level. If you have critical and sensitive data, TDE can help protect the privacy of your information and prevent data breaches by enabling data-at-rest encryption in the database. TDE helps you meet various regulatory requirements including PCI DSS and HIPAA.
Transparent Data Encryption (TDE) can be used to perform real-time I/O encryption and decryption on instance data files. To increase data security, you can enable TDE to encrypt instance data. Data is encrypted before it is written to disk and decrypted when it is read from disk.
Alibaba Cloud ApsaraDB for RDS fully supports TDE for MySQL. In this article, we will look at setting up TDE for MySQL on Alibaba Cloud.
Note: TDE is currently only applicable to SQL Server 2008 R2 and MySQL 5.6. To view or modify TDE settings, you need to log in with an Alibaba Cloud account rather than a RAM account.
To enable TDE on Alibaba Cloud, please go to the RDS Management Console, select the appropriate RDS instance. Under Security Control, TDE tab you will be able to find the option to enable TDE.
Encrypting Tables
Log in to the database and execute the following command to encrypt the table to be encrypted.
alter table engine=innodb block_format=encrypted;Decrypting Tables
If you want to decrypt the TDE encrypted table, execute the following command.
alter table engine=innodb block_format=default;Alibaba Cloud products provide various methods to encrypt static data, as shown in the following table:
| Product | Encryption Method |
| OSS | OSS client-side encryption OSS Server-side encryption |
| RDS | SSL encryption TDE encryption |
| ECS Disk | To encrypt the data stored on a disk, you can use the ECS disk encryption function to encrypt cloud disks and shared block storage. |
RDS supports SSL and TDE encryption.
TDE Encryption
RDS provides transparent data encryption (TDE) for MySQL and SQL Server. The TDE function of RDS for MySQL is developed by Alibaba Cloud and the TDE function of RDS for SQL Server is based on the SQL Server Enterprise Edition.
You can specify the database or table to be encrypted in a TDE-enabled RDS instance. The data of the specified database or table is encrypted before being written to any device such as an HDD, SSD, or PCIe card, or to any service such as OSS or Archive Storage. Therefore, data files and backups of the instance are all ciphertext.
TDE adopts the Advanced Encryption Standard (AES) algorithm. The key length is 128 bits. The key for TDE is encrypted and stored by KMS, and RDS dynamically reads the key only once when the instance is started or migrated. You can replace the key as needed on the KMS console.
A BYOK model allows you to generate your own encryption keys materials and to upload the self-generated keys to your Key Management Service (KMS) on the cloud, thus giving you full control over the lifecycle of the uploaded keys. This provides your organization with continuous ownership and better control of how data are encrypted. BYOK is ideal for organizations who already have their own hardware security module (HSM) or key management system (KMS), and would like to have full control of how the keys are being generated.
Some users, especially smaller businesses, may be prefer having a cloud provider managing all aspects of data encryption for information stored on the cloud, and they can generate their own customer master key (CMK) on Alibaba Cloud's KMS and have control over the lifecycle of the CMKs in a similar fashion as keys being uploaded via the BYOK function. Medium and large businesses, especially for those with complex organizational structures and who are subject to strict regulations on data privacy requirements, can benefit from using BYOK services.
This interface only supports MySQL 5.5, MySQL 5.6, and SQL Server 2008 R2.
This interface only supports MySQL 5.6 and SQL Server 2008 R2:
After TDE is enabled, it cannot be disabled. TDE also results in considerable increase in CPU usage.
MySQL is one of the most popular open-source databases in the world. As a key component of the open-source software bundle LAMP (Linux, Apache, MySQL, and Perl/PHP/Python), MySQL has been widely applied to different scenarios.
Alibaba Cloud offers a set of fully managed, less trouble, and optimized database services that fully support open-source database engines.
Our database services automatically and continuously manage and monitor your database health and hardware securely. Whenever issues are detected on your database, Alibaba Cloud will locate it and fix it for you. You no longer need to worry about the issues and enjoy a great experience throughout the life of the database.
2,603 posts | 747 followers
FollowCherish Wang - September 16, 2019
Sabith - July 27, 2018
Rupal_Click2Cloud - October 13, 2021
Alibaba Clouder - July 5, 2019
Alibaba Clouder - March 15, 2019
Alibaba Clouder - March 3, 2021
2,603 posts | 747 followers
Follow
Tair
Tair is a Redis-compatible in-memory database service that provides a variety of data structures and enterprise-level capabilities.
Learn More
Data Encryption Service
An industry-standard hardware security module (HSMs) deployed on Alibaba Cloud.
Learn More
Time Series Database (TSDB)
TSDB is a stable, reliable, and cost-effective online high-performance time series database service.
Learn More
Database Security Solutions
Protect, backup, and restore your data assets on the cloud with Alibaba Cloud database services.
Learn MoreMore Posts by Alibaba Clouder