This topic describes how to configure Secure Sockets Layer (SSL) encryption and disk encryption for an ApsaraDB RDS for PostgreSQL instance. These encryption features can be used in combination to ensure the security of your data.

Prerequisites

  • If you require SSL encryption, your RDS instance uses standard or enhanced SSDs.
  • If you require disk encryption, your RDS instance uses standard or enhanced SSDs.
  • If you require disk encryption, a key that is used for disk encryption is created. For more information see the "Configure disk encryption" section of this topic. You can enable disk encryption for your RDS instance only when you create the instance.
  • If you require disk encryption, your RDS instance resides in one of the following regions:
    • China (Hangzhou)
    • China (Shanghai)
    • China (Qingdao)
    • China (Beijing)
    • China (Shenzhen)
    • China (Hong Kong)
    • Singapore
    • Malaysia (Kuala Lumpur)
    • Indonesia (Jakarta)
    • Germany (Frankfurt)

Precautions

  • After you enable SSL encryption, all data that is transmitted to your RDS instance over an internal network or the Internet is encrypted by using SSL. This protects the data in transit from being leaked.
  • After you enable SSL encryption, you must disconnect the existing connection and establish a new one. This ensures that SSL encryption take effect.

Configure SSL encryption

The Internet Engineering Task Force (IETF) has upgraded SSL 3.0 to TLS. However, the term "SSL encryption" is retained because it is more common in the communications industry. In this topic, SSL encryption refers to TLS encryption.

Note ApsaraDB RDS supports TLS 1.0, TLS 1.1, and TLS 1.2.
  1. Go to the Parameters page.
    1. Log on to the ApsaraDB for RDS console. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where your RDS instance resides.
      选择地域
    2. Find your RDS instance and click its ID. In the left-side navigation pane, click Parameters.
  2. Find the ssl parameter and click the Edit icon. In the dialog box that appears, change the value of the parameter to on and click OK.
    Reconfigure the ssl parameter
    Note
    • After you enable SSL encryption, you must set the SSL mode parameter to Prefer when you log on from your client.
    • If you want to disable SSL encryption, you must change the value of the ssl parameter to off.
    SSLMODE

Configure disk encryption

Disk encryption maximizes the protection for your data and eliminates the need to modify your business or application. Additionally, ApsaraDB RDS automatically applies disk encryption to both the snapshots that are generated from the encrypted SSDs and to the SSDs that are created from those snapshots.

Disk encryption is free of charge. You do not need to pay for the read and write operations that you perform on the encrypted SSDs.

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region where you want to create your RDS instance.
  3. Click Create Key.
  4. Configure the following parameters.
    Parameter Description
    Key Spec Valid values:
    • Symmetric keys:
      • Aliyun_AES_256
      • Aliyun_SM4
    • Asymmetric keys:
      • RSA_2048
      • EC_P256
      • EC_P256K
      • EC_SM2
    Note Aliyun_SM4 and EC_SM2 types are used only in mainland China regions where Managed HSM is available.
    Purpose
    • Encrypt/Decrypt: The purpose of the CMK is to encrypt or decrypt data.
    • Sign/Verify: The purpose of the CMK is to generate or verify a digital signature.
    Alias Name The optional identifier of the CMK. For more information, see Overview.
    Protection Level
    • Software: Use a software module to protect the CMK.
    • Hsm: Host the CMK in a hardware security module (HSM). Managed HSM uses the HSM as dedicated hardware to safeguard the CMK.
    Description The description of the CMK.
    Rotation Period The automatic rotation period. Valid values:
    • 30 Days
    • 90 Days
    • 180 Days
    • 365 Days
    • Disable: Rotation is disabled.
    • Customize: Customize a period that ranges from 7 days to 730 days.
    Note You can specify this parameter only if Key Spec is set to Aliyun_AES_256 or Aliyun_SM4.
  5. Click OK.
  6. Go to the Cloud Resource Access Authorization page and click Confirm Authorization Policy. This allows your RDS instance to access your cloud resources. This step is required only when it is the first time that you use disk encryption.
    Note You can log on to the RAM console to check whether you have the permissions of the RAM role named AliyunRDSInstanceEncryptionDefaultRole.
  7. Create your RDS instance. During this process, make sure that you select the Disk Encryption option. For more information, see Create an ApsaraDB RDS for PostgreSQL instance.
    Note After your RDS instance is created, you can go to the Basic Information page of the instance and view the key that is used for disk encryption.