This topic describes how to configure disk encryption for an ApsaraDB RDS for PostgreSQL instance. Disk encryption protects the confidentiality of the data that is stored on the instance's disks.

Background information

Disk encryption protects the data that is stored on standard or enhanced SSDs and requires no changes to your business logic or applications. In addition, ApsaraDB RDS automatically applies disk encryption both to the snapshots that are generated from encrypted standard or enhanced SSDs and to the standard or enhanced SSDs that are created from those snapshots.

Disk encryption is free of charge. You do not need to pay for the read and write operations that you perform on the encrypted standard or enhanced SSDs.

Prerequisites

  • Your RDS instance uses standard or enhanced SSDs.
  • A customer master key (CMK) to be used for disk encryption has been created in Key Management Service (KMS). For more information, see the "Procedure" section of this topic.
  • Disk encryption can be enabled for an RDS instance only when the instance is created.

Precautions

  • Disk encryption cannot be disabled after it is enabled.
  • After disk encryption is enabled, the snapshots that are generated by your RDS instance carry over the disk encryption settings. All the new RDS instances that are created from these snapshots also carry over the disk encryption setting.
  • If the payment for your Alibaba Cloud Key Management Service (KMS) is overdue, the standard or enhanced SSDs of your RDS instance become unavailable. Make sure that your KMS remains in service. For more information, see What is KMS?
  • If you disable or delete the CMK that is used for disk encryption, your RDS instance no longer works as expected. For example, you cannot create snapshots, restore snapshots, or rebuild the secondary RDS instance.

Procedure

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region where you want to create an RDS instance.
  3. Click Create Key.
  4. Configure the following parameters (parameter: description).
    KeyStore: A key store is a security domain that is used to store the CMK in KMS. For more information, see Overview.
    Key Spec: The type of the CMK. Valid values:
    • Symmetric keys:
      • Aliyun_AES_256
      • Aliyun_SM4
    • Asymmetric keys:
      • RSA_2048
      • EC_P256
      • EC_P256K
      • EC_SM2
    Note Aliyun_SM4 and EC_SM2 can be used only in mainland China regions where managed hardware security modules (HSMs) are available.
    Purpose: What the CMK is used for. Valid values:
    • Encrypt/Decrypt: The CMK is used to encrypt or decrypt data.
    • Sign/Verify: The CMK is used to generate or verify a digital signature.
    Alias Name: An optional identifier of the CMK. For more information, see Overview.
    Protection Level: How the CMK is protected. Valid values:
    • Software: The CMK is protected by a software module.
    • Hsm: The CMK is managed in an HSM, dedicated hardware that safeguards the key.
    Description: The description of the CMK.
    Rotation Period: The interval of automatic rotation. Valid values:
    • 30 Days
    • 90 Days
    • 180 Days
    • 365 Days
    • Disable: Automatic rotation is disabled.
    • Customize: A custom interval that ranges from 7 days to 730 days.
    Note You can specify this parameter only if the Key Spec parameter is set to Aliyun_AES_256 or Aliyun_SM4.
  5. Click OK.
  6. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy. This authorization allows the RDS instance that you create to access your cloud resources. This step is required only the first time you enable disk encryption.
    Note You can log on to the RAM console to verify that the AliyunRDSInstanceEncryptionDefaultRole RAM role exists and carries the required permissions.
  7. Create an RDS instance. During this process, select Disk Encryption. For more information, see Create an ApsaraDB RDS for PostgreSQL instance.
    Note After the RDS instance is created, you can go to the Basic Information page of the instance and view the CMK that is used for disk encryption.
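The "Create Key" table above and the precaution that a disabled or deleted CMK stops snapshots, restores and secondary rebuilds both call for the same small check, so one added example covers both. This is not Alibaba Cloud's code. It maps the console choices to the parameter names of the KMS CreateKey API and inspects a DescribeKey KeyMetadata response; the parameter and field names (KeySpec, KeyUsage, ProtectionLevel, EnableAutomaticRotation, RotationInterval, KeyState, DeleteDate, AutomaticRotation), the "365d" interval format and the assumption that mainland China region IDs start with "cn-" (except cn-hongkong) are my assumptions, and the two KeyMetadata samples are constructed, not captured from an account.

```python
"""Checks for the KMS customer master key (CMK) that backs RDS disk encryption.

Added example, not Alibaba Cloud's code. Assumed: the CreateKey / DescribeKey
parameter and field names used below, the "<n>d" RotationInterval format, and
that mainland China region IDs use the "cn-" prefix (cn-hongkong excepted).
The KeyMetadata samples at the bottom are constructed.
"""
from __future__ import annotations

SYMMETRIC_SPECS = {"Aliyun_AES_256", "Aliyun_SM4"}
ASYMMETRIC_SPECS = {"RSA_2048", "EC_P256", "EC_P256K", "EC_SM2"}
MAINLAND_ONLY_SPECS = {"Aliyun_SM4", "EC_SM2"}   # need managed HSMs in mainland China


def is_mainland_china(region_id: str) -> bool:
    """Assumption: mainland regions are 'cn-*' except Hong Kong."""
    return region_id.startswith("cn-") and region_id != "cn-hongkong"


def build_create_key_request(key_spec: str, region_id: str,
                             protection_level: str = "SOFTWARE",
                             rotation_days: int | None = 365,
                             description: str = "RDS for PostgreSQL disk encryption") -> dict:
    """Map the 'Create Key' console choices to CreateKey parameters.

    Raises ValueError for combinations the console would not accept, so a
    mistake is caught before the API call rather than after the instance exists.
    """
    if key_spec not in SYMMETRIC_SPECS | ASYMMETRIC_SPECS:
        raise ValueError(f"unknown Key Spec {key_spec!r}")
    if key_spec in MAINLAND_ONLY_SPECS and not is_mainland_china(region_id):
        raise ValueError(f"{key_spec} is offered only in mainland China regions")
    if protection_level not in {"SOFTWARE", "HSM"}:
        raise ValueError("Protection Level must be SOFTWARE or HSM")
    params = {
        "KeySpec": key_spec,
        # Disk encryption needs an Encrypt/Decrypt key, never a Sign/Verify key.
        "KeyUsage": "ENCRYPT/DECRYPT",
        "ProtectionLevel": protection_level,
        "Description": description,
        "EnableAutomaticRotation": "false",
    }
    if rotation_days is not None:
        # Rotation Period exists only for Aliyun_AES_256 / Aliyun_SM4, and a
        # custom interval must lie between 7 and 730 days.
        if key_spec not in SYMMETRIC_SPECS:
            raise ValueError("automatic rotation is available only for symmetric CMKs")
        if not 7 <= rotation_days <= 730:
            raise ValueError("rotation interval must be between 7 and 730 days")
        params["EnableAutomaticRotation"] = "true"
        params["RotationInterval"] = f"{rotation_days}d"
    return params


def assess_cmk(key_metadata: dict) -> list[str]:
    """List conditions in DescribeKey's KeyMetadata that break disk encryption.

    An empty list means the key is usable. Any finding is worth an alert: a
    disabled or deleting CMK stops snapshot creation, snapshot restores and
    secondary-instance rebuilds for every RDS instance that uses it.
    """
    findings: list[str] = []
    state = key_metadata.get("KeyState")
    if state != "Enabled":
        findings.append(f"KeyState is {state!r}; the RDS instance cannot create or "
                        "restore snapshots or rebuild its secondary instance")
    if key_metadata.get("DeleteDate"):
        findings.append(f"key is scheduled for deletion on {key_metadata['DeleteDate']}")
    if key_metadata.get("KeyUsage") != "ENCRYPT/DECRYPT":
        findings.append("KeyUsage is not ENCRYPT/DECRYPT; a Sign/Verify key cannot encrypt disks")
    if (key_metadata.get("KeySpec") in SYMMETRIC_SPECS
            and key_metadata.get("AutomaticRotation") != "Enabled"):
        findings.append("automatic rotation is not enabled for this symmetric CMK")
    return findings


# Constructed KeyMetadata samples (not captured from a real account).
HEALTHY_KEY = {
    "KeyId": "00000000-0000-0000-0000-000000000001",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT/DECRYPT",
    "KeySpec": "Aliyun_AES_256",
    "ProtectionLevel": "SOFTWARE",
    "AutomaticRotation": "Enabled",
    "RotationInterval": "365d",
}
DELETING_KEY = {
    "KeyId": "00000000-0000-0000-0000-000000000002",
    "KeyState": "PendingDeletion",
    "DeleteDate": "2030-01-01T00:00:00Z",
    "KeyUsage": "ENCRYPT/DECRYPT",
    "KeySpec": "Aliyun_AES_256",
    "ProtectionLevel": "HSM",
    "AutomaticRotation": "Disabled",
}

if __name__ == "__main__":
    print(build_create_key_request("Aliyun_AES_256", "cn-hangzhou", rotation_days=90))
    for name, meta in (("healthy", HEALTHY_KEY), ("deleting", DELETING_KEY)):
        print(name, assess_cmk(meta) or "OK")
```

Running assess_cmk on a scheduled basis against the key shown on the instance's Basic Information page turns the precaution about disabled or deleted CMKs into a monitored condition instead of a surprise during a restore; the request builder is the place to encode the same Key Spec and Rotation Period constraints when the key is created from automation rather than the console.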