All Products
Search
Document Center

ApsaraDB RDS:Use the cloud disk encryption feature

Last Updated:Mar 07, 2024

ApsaraDB RDS for PostgreSQL provides the cloud disk encryption feature free of charge to ensure data security. If you use the cloud disk encryption feature for your RDS instance, the snapshots that are created for the RDS instance are automatically encrypted, and you do not need to modify the configuration of your application.

Background information

Cloud disk encryption protects data and eliminates the need to modify your business or application configurations. In addition, ApsaraDB RDS automatically applies cloud disk encryption to both the snapshots that are generated from the encrypted cloud disks and to the cloud disks that are created from those snapshots.

The cloud disk encryption feature is provided free of charge. You are not charged for the read and write operations that you perform on the encrypted cloud disks.

Prerequisites

  • The cloud disk encryption feature can be enabled for an RDS instance only when you create the RDS instance. You must configure the parameters for the RDS instance based on the description in Configure disk encryption for an ApsaraDB RDS for PostgreSQL instance. This way, you can enable the cloud disk encryption feature for the RDS instance when you create the instance.

  • The RDS instance must use the following parameter settings:

    • Edition: Basic Edition or High-availability Edition

    • Storage Type: enhanced SSD (ESSD) or general ESSD

Usage notes

  • You cannot disable cloud disk encryption after you enable the feature.

  • Cross-region backups are not supported for RDS instances for which the cloud disk encryption disk is enabled. For more information, see Use the cross-region backup feature for an ApsaraDB RDS for PostgreSQL instance.

  • Cloud disk encryption does not interrupt your workloads, and you do not need to modify your application configurations.

  • If you enable disk encryption for your RDS instance, the snapshots that are created for the instance are automatically encrypted. If you use the encrypted snapshots to create an RDS instance that uses standard SSDs or ESSDs, the disk encryption feature is automatically enabled for the new RDS instance.

  • If your Key Management Service (KMS) is overdue, the cloud disks of your RDS instance become unavailable. Make sure that your KMS can provide services as normal. For more information, see What is KMS?

  • If you disable or delete the key of an RDS instance in KMS, the RDS instance cannot run as expected. The RDS instance is locked and cannot be accessed. In addition, no O&M operations can be performed on the RDS instance, including but not limited to operations such as instance backup, specification changes, instance cloning, instance restart, primary/secondary switchover, and parameter modification. We recommend that you use a service key to prevent this issue.

  • If you create an RDS instance that uses the general-purpose instance type and cloud disks, you can use only a service key to encrypt the cloud disks of the RDS instance If you create an RDS instance that uses the dedicated instance type and cloud disks, you can use a service key or a CMK to encrypt the cloud disks of the RDS instance. For more information, see [Product changes/Feature changes] The cloud disk encryption feature of ApsaraDB RDS is adjusted from January 15, 2024.

Procedure

  1. Create a key.

    KMS is required for cloud disk encryption for an RDS instance. For more information, see Purchase and enable a KMS instance.

  2. Enable the cloud disk encryption feature.

    If the prerequisites are met when you create an RDS instance, you can select Disk Encryption and then specify a key after you select the storage type. By default, a key that is automatically generated by Alibaba Cloud is selected. We recommended that you use the default key.

    Note

    After the RDS instance is created, you can go to the Basic Information page of the instance and view the key that is used for disk encryption.