Transparent Data Encryption (TDE) is a technology used to encrypt databases by offering encryption at file level. If you have critical and sensitive data, TDE can help protect the privacy of your information and prevent data breaches by enabling data-at-rest encryption in the database. TDE helps you meet various regulatory requirements including PCI DSS and HIPAA.
According to MySQL, "TDE enables data-at-rest encryption by encrypting the physical files of the database. Data has encrypted automatically, in real time, prior to writing to storage and decrypted when read from storage. As a result, hackers and malicious users are unable to read sensitive data from tablespace files, database backups or disks. RDS TDE uses industry standard AES algorithms."
Transparent Data Encryption (TDE) can be used to perform real-time I/O encryption and decryption on instance data files. To increase data security, you can enable TDE to encrypt instance data. Data is encrypted before it is written to disk and decrypted when it is read from disk. TDE does not:
Alibaba Cloud ApsaraDB for RDS fully supports TDE for MySQL. In this article, we will look at setting up TDE for MySQL on Alibaba Cloud.
Note: TDE is currently only applicable to SQL Server 2008 R2 and MySQL 5.6. To view or modify TDE settings, you need to log in with an Alibaba Cloud account rather than a RAM account.
To enable TDE on Alibaba Cloud:
TDE works as shown below.
This feature will allow encryption of data while at rest. The encryption of data while in transit is still the responsibility of the user and is outside the purview of this document.
Log in to the database and execute the following command to encrypt the table to be encrypted.
alter table engine＝innodb block_format=encrypted;
If you want to decrypt the TDE encrypted table, execute the following command.
alter table engine＝innodb block_format=default;
To summarize, database encryption provides an important layer of security to your sensitive data. There are different ways to encrypt the data that are all very practical. But remember that even the best crypto library will not secure your data unless you are using a secure key management infrastructure.
Currently only SQL Server 2008 R2 and MySQL 5.6 databases support TDE, and once TDE is activated, it cannot be deactivated.
Encryption uses keys produced and managed by the Key Management Service (KMS). RDS does not provide the keys and certificates needed for encryption. After activating TDE, if the user wants to restore the data to the local device, he must use RDS to decrypt the data first.
Alibaba Clouder - July 3, 2019
Alibaba Clouder - July 5, 2019
Alibaba Clouder - March 15, 2019
ApsaraDB - February 19, 2020
Alibaba Clouder - September 14, 2020
ApsaraDB - March 19, 2020
Fully managed and less trouble database servicesLearn More
Alibaba Cloud is committed to safeguarding the cloud security for every business.Learn More
AnalyticDB for MySQL is a real-time data warehousing service that can process petabytes of data with high concurrency and low latency.Learn More
Simple, secure, and intelligent services.Learn More
More Posts by Sabith