Transparent Data Encryption (TDE) is a technology used to encrypt databases by offering encryption at file level. If you have critical and sensitive data, TDE can help protect the privacy of your information and prevent data breaches by enabling data-at-rest encryption in the database. TDE helps you meet various regulatory requirements including PCI DSS and HIPAA.
According to MySQL, "TDE enables data-at-rest encryption by encrypting the physical files of the database. Data is encrypted automatically, in real time, prior to writing to storage and decrypted when read from storage. As a result, hackers and malicious users are unable to read sensitive data from tablespace files, database backups or disks. RDS TDE uses industry standard AES algorithms."
Transparent Data Encryption (TDE) can be used to perform real-time I/O encryption and decryption on instance data files. To increase data security, you can enable TDE to encrypt instance data. Data is encrypted before it is written to disk and decrypted when it is read from disk. TDE does not:
Alibaba Cloud ApsaraDB for RDS fully supports TDE for MySQL. In this article, we will look at setting up TDE for MySQL on Alibaba Cloud.
Note: TDE is currently only applicable to SQL Server 2008 R2 and MySQL 5.6. To view or modify TDE settings, you need to log in with an Alibaba Cloud account rather than a RAM account.
To enable TDE on Alibaba Cloud:
TDE works as shown below.
This feature will allow encryption of data while at rest. The encryption of data while in transit is still the responsibility of the user and is outside the purview of this document.
Log in to the database and execute the following command on each table you want to encrypt (replace table_name with the actual table name; the statement rebuilds the table, so expect a copy operation on large tables):
alter table table_name engine=innodb block_format=encrypted;
If you want to decrypt a TDE encrypted table, execute the following command:
alter table table_name engine=innodb block_format=default;
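The following stored procedure is an added example and not part of the original article or Alibaba's own tooling. It applies the same ALTER TABLE statement to every InnoDB table in a schema that is not yet encrypted, so that no table is silently left in plaintext, and then lists the resulting options for review. It assumes the AliSQL syntax shown above and that information_schema.TABLES.CREATE_OPTIONS reports block_format=encrypted for encrypted tables; confirm that on your instance before relying on the check.

```sql
-- Added example: encrypt every not-yet-encrypted InnoDB base table in one schema.
-- Assumption: CREATE_OPTIONS contains "block_format=encrypted" once TDE is applied.
DELIMITER $$
CREATE PROCEDURE encrypt_schema_tables(IN p_schema VARCHAR(64))
BEGIN
  DECLARE done INT DEFAULT 0;
  DECLARE t VARCHAR(64);
  -- Only tables that still lack the encrypted block format are selected.
  DECLARE cur CURSOR FOR
    SELECT TABLE_NAME
      FROM information_schema.TABLES
     WHERE TABLE_SCHEMA = p_schema
       AND ENGINE = 'InnoDB'
       AND TABLE_TYPE = 'BASE TABLE'
       AND LOWER(CREATE_OPTIONS) NOT LIKE '%block_format=encrypted%';
  DECLARE CONTINUE HANDLER FOR NOT FOUND SET done = 1;

  OPEN cur;
  read_loop: LOOP
    FETCH cur INTO t;
    IF done THEN
      LEAVE read_loop;
    END IF;
    -- Identifiers are backtick-quoted; the ALTER rebuilds the table, which takes
    -- time and a metadata lock on large tables, so run this in a maintenance window.
    SET @ddl = CONCAT('ALTER TABLE `', p_schema, '`.`', t,
                      '` ENGINE=InnoDB BLOCK_FORMAT=ENCRYPTED');
    PREPARE stmt FROM @ddl;
    EXECUTE stmt;
    DEALLOCATE PREPARE stmt;
  END LOOP;
  CLOSE cur;
END$$
DELIMITER ;

-- Usage (constructed schema name): encrypt everything in appdb, then verify.
CALL encrypt_schema_tables('appdb');

-- Any row here without block_format=encrypted in CREATE_OPTIONS is still plaintext on disk.
SELECT TABLE_NAME, ENGINE, CREATE_OPTIONS
  FROM information_schema.TABLES
 WHERE TABLE_SCHEMA = 'appdb'
   AND TABLE_TYPE = 'BASE TABLE'
 ORDER BY TABLE_NAME;
```

Run the verification query again after restores or schema migrations, since a newly created or re-imported table does not inherit the encrypted block format automatically.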
To summarize, database encryption provides an important layer of security to your sensitive data. There are different ways to encrypt the data that are all very practical. But remember that even the best crypto library will not secure your data unless you are using a secure key management infrastructure.
Currently only SQL Server 2008 R2 and MySQL 5.6 databases support TDE, and once TDE is activated, it cannot be deactivated.
Encryption uses keys produced and managed by the Key Management Service (KMS). RDS does not provide the keys and certificates needed for encryption. After activating TDE, if you want to restore the data to a local device, you must first use RDS to decrypt the data.
Sabith - August 2, 2018