This topic describes how to configure SSL encryption and disk encryption for an RDS PostgreSQL instance to ensure data security.

Prerequisites

  • If you require SSL encryption, your RDS instance is equipped with standard SSDs or enhanced SSDs (ESSDs).
  • If you require disk encryption, your RDS instance is equipped with standard SSDs or enhanced SSDs (ESSDs).
  • If you require disk encryption, disk encryption is configured. For more information, see Configure disk encryption. You can enable disk encryption only when you create an RDS instance.
  • If you require disk encryption, your RDS instance resides in one of the following regions:
    • China (Hangzhou)
    • China (Shanghai)
    • China (Qingdao)
    • China (Beijing)
    • China (Shenzhen)
    • China (Hong Kong)
    • Singapore
    • Malaysia (Kuala Lumpur)
    • Indonesia (Jakarta)
    • Germany (Frankfurt)

Precautions

  • After you enable SSL encryption, data transmitted over an internal network or the Internet is encrypted by using SSL. SSL encryption protects data from theft.
  • After you enable SSL encryption, you must disconnect the existing connection and establish a new one so that SSL encryption takes effect.

Configure SSL encryption

  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Parameters.
  5. Click the edit button corresponding to the ssl parameter. In the dialog box that appears, change the value to on and click Confirm.
    Note
    • After you enable SSL encryption, you must set the SSL mode to Prefer when you log on from your client.
    • If you want to disable SSL encryption, you must change the value of the ssl parameter to off.
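The client-side SSL mode from the note above can be checked per application before you rely on it. The following Python code is an added example, not part of the ApsaraDB documentation: it reads libpq connection strings (URI or key=value form) and reports which sslmode each one requests and whether the session would be encrypted once ssl is on. It assumes the server still accepts non-SSL connections and that the PGSSLMODE environment variable is unset; the client names and db.example.com are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Result of each libpq sslmode against a server with ssl=on that still accepts
# non-SSL connections (assumption; PGSSLMODE is also assumed to be unset).
OUTCOME = {
    "disable": ("plaintext", "SSL is never attempted"),
    "allow": ("plaintext", "non-SSL is tried first and the server accepts it"),
    "prefer": ("encrypted", "SSL is tried first, plaintext only if SSL fails"),
    "require": ("encrypted", "no fallback, server certificate not verified"),
    "verify-ca": ("encrypted", "no fallback, certificate chain verified"),
    "verify-full": ("encrypted", "no fallback, chain and host name verified"),
}

# key = value pairs; a value is either single-quoted (with \ escapes) or bare.
PAIR = re.compile(r"(\w+)\s*=\s*('(?:[^'\\]|\\.)*'|\S*)")

def sslmode_of(conninfo):
    """Return the sslmode a libpq URI or key=value string asks for."""
    conninfo = conninfo.strip()
    if conninfo.startswith(("postgresql://", "postgres://")):
        values = parse_qs(urlsplit(conninfo).query).get("sslmode")
        return values[-1] if values else "prefer"  # libpq default
    pairs = {key: value.strip("'") for key, value in PAIR.findall(conninfo)}
    return pairs.get("sslmode", "prefer")

def audit(clients):
    """Map each client name to (sslmode, outcome, reason)."""
    report = {}
    for name, conninfo in clients.items():
        mode = sslmode_of(conninfo)
        report[name] = (mode,) + OUTCOME.get(
            mode, ("unknown", "not one of the six libpq sslmode values"))
    return report

# Constructed connection strings; host, user and database names are made up.
CLIENTS = {
    "billing": "host=db.example.com port=5432 dbname=app user=svc",
    "reports": "postgresql://svc@db.example.com:5432/app?sslmode=disable",
    "etl": "host=db.example.com password='x sslmode=disable' sslmode=require",
    "legacy": "host=db.example.com dbname=app sslmode = allow",
}

if __name__ == "__main__":
    for name, (mode, outcome, reason) in audit(CLIENTS).items():
        print(f"{name:8} sslmode={mode:12} {outcome:10} {reason}")
```

Only the mode and outcome are printed, never the connection string itself, so passwords embedded in a string do not end up in the report.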

Configure disk encryption

Disk encryption provides maximum protection for your data with minimal impact on your businesses or applications. In addition, both the snapshots generated from encrypted disks and the disks created from those snapshots are automatically encrypted.

Disk encryption is free of charge. You do not need to pay additional fees for the read and write operations you perform on encrypted disks.

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region where you want to create an RDS instance.
  3. Click Create Key.
  4. Configure the following parameters.
    Parameter: Description
    • Key Spec: Valid values:
      • Symmetric keys:
        • Aliyun_AES_256
        • Aliyun_SM4
      • Asymmetric keys:
        • RSA_2048
        • EC_P256
        • EC_P256K
        • EC_SM2
      Note: Aliyun_SM4 and EC_SM2 types are used only in mainland China regions where Managed HSM is available.
    • Purpose:
      • Encrypt/Decrypt: The purpose of the CMK is to encrypt or decrypt data.
      • Sign/Verify: The purpose of the CMK is to generate or verify a digital signature.
    • Alias Name: The optional identifier of the CMK. For more information, see Use aliases.
    • Protection Level:
      • Software: Use a software module to protect the CMK.
      • Hsm: Host the CMK in a hardware security module (HSM). Managed HSM uses the HSM as dedicated hardware to safeguard the CMK.
    • Description: The description of the CMK.
    • Rotation Period: The automatic rotation period. Valid values:
      • 30 Days
      • 90 Days
      • 180 Days
      • 365 Days
      • Disable: Rotation is disabled.
      • Customize: Customize a period that ranges from 7 days to 730 days.
      Note: You can specify this parameter only if Key Spec is set to Aliyun_AES_256 or Aliyun_SM4.
  5. Click OK.
  6. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy.
    Note: This step is required only when you are creating an RDS instance with disk encryption enabled for the first time in the selected region. You can go to the RAM console and navigate to the RAM Roles page to check whether you have the AliyunPostgreSQLInstanceEncryptionRole permission.
  7. Create an RDS instance with disk encryption enabled. For more information, see Create an ApsaraDB RDS for PostgreSQL instance.
    Note: After the RDS instance is created, you can view its key for disk encryption on the Basic Information page.