This topic describes how to configure SSL encryption and disk encryption for an RDS PostgreSQL instance to ensure data security.

Prerequisites

  • If you require SSL encryption, your RDS instance is equipped with standard SSDs or enhanced SSDs (ESSDs).
  • If you require disk encryption, your RDS instance is equipped with standard SSDs.
  • If you require disk encryption, disk encryption is configured. For more information, see Configure disk encryption. Disk encryption can only be enabled when you create an RDS instance; it cannot be enabled on an existing instance.
  • If you require disk encryption, your RDS instance resides in one of the following regions:
    • China (Shanghai)
    • China (Hong Kong)
    • Singapore
    • Germany (Frankfurt)
    • Indonesia (Jakarta)

Precautions

  • After you enable SSL encryption, data transmitted over an internal network or the Internet is encrypted by using SSL. SSL encryption protects data in transit from eavesdropping and tampering.
  • After you enable SSL encryption, you must disconnect the existing connection and establish a new one so that SSL encryption takes effect.

Configure SSL encryption

  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where the target RDS instance resides.
    [Figure: Select a region]
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Parameters.
  5. Click the edit button corresponding to the ssl parameter. In the dialog box that appears, change the value to on and click Confirm.
    [Figure: Change the value of the ssl parameter]
    Note
    • After you enable SSL encryption, you must set the SSL mode (sslmode) to Prefer when you log on from your client.
    • If you want to disable SSL encryption, you must change the value of the ssl parameter to off.
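    The following script is an added example, not part of the Alibaba Cloud documentation, for confirming that a reconnected session really uses SSL after the ssl parameter is set to on. It assumes psycopg2 is installed and that PGHOST, PGUSER and PGPASSWORD are set; the sslmode of Prefer lets libpq fall back to a plaintext connection if the server is not offering SSL, so the session is checked through pg_stat_ssl instead of being assumed encrypted.

```python
"""Verify that a PostgreSQL session is SSL-protected after enabling ssl."""
import os
import sys

# Constructed default; the console note asks for the Prefer mode.
DEFAULT_SSLMODE = "prefer"

# Reports whether the backend serving *this* connection negotiated SSL.
SSL_STATUS_SQL = ("SELECT ssl, version, cipher FROM pg_stat_ssl "
                  "WHERE pid = pg_backend_pid()")


def build_dsn(host, dbname, user, sslmode=DEFAULT_SSLMODE, port=5432,
              sslrootcert=None):
    """Build a libpq key=value connection string. Passing sslrootcert lets
    the stricter verify-ca / verify-full modes validate the server cert."""
    parts = [f"host={host}", f"port={port}", f"dbname={dbname}",
             f"user={user}", f"sslmode={sslmode}"]
    if sslrootcert:
        parts.append(f"sslrootcert={sslrootcert}")
    return " ".join(parts)


def interpret_ssl_status(row):
    """Turn a (ssl, version, cipher) row from pg_stat_ssl into a verdict.
    With sslmode=prefer libpq silently falls back to plaintext when the
    server has ssl=off, so ssl=False here means the session is unencrypted."""
    ssl_on, version, cipher = row
    return {"encrypted": bool(ssl_on),
            "protocol": version or None,
            "cipher": cipher or None}


def check_session(dsn):
    """Open a fresh connection (a new session is required after the
    parameter change) and return the verdict for that session."""
    import psycopg2  # assumed installed; password read from PGPASSWORD
    conn = psycopg2.connect(dsn)
    try:
        with conn.cursor() as cur:
            cur.execute(SSL_STATUS_SQL)
            return interpret_ssl_status(cur.fetchone())
    finally:
        conn.close()


if __name__ == "__main__":
    dsn = build_dsn(os.environ["PGHOST"],
                    os.environ.get("PGDATABASE", "postgres"),
                    os.environ["PGUSER"],
                    os.environ.get("PGSSLMODE", DEFAULT_SSLMODE))
    verdict = check_session(dsn)
    print(verdict)
    sys.exit(0 if verdict["encrypted"] else 1)
```

    The script exits non-zero when the session fell back to plaintext, which is the case to watch for when only Prefer is used on the client.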

Configure disk encryption

Disk encryption provides maximum protection for your data with minimal impact on your businesses or applications. In addition, both the snapshots generated from encrypted disks and the disks created from those snapshots are automatically encrypted.

Disk encryption is free of charge. You do not need to pay additional fees for the read and write operations you perform on encrypted disks.

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region where you want to create an RDS instance.
  3. Click Create Key.
  4. Configure the following parameters.
    • Purpose: The usage of the key. This parameter cannot be specified.
    • Alias Name: The alias of the key. It helps identify the key.
    • Protection Level: Only the SOFTWARE option is provided.
    • Description: The description of the key.
    • Key Material Source: If you select Alibaba Cloud KMS, the system assigns you a key. If you select External, you can import a 256-bit symmetric key file into the KMS console.
  5. Click OK.
  6. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy.
    Note This step is only required the first time you create an RDS instance with disk encryption enabled in the selected region. To check whether the authorization is already in place, go to the RAM console, open the RAM Roles page, and confirm that the AliyunPostgreSQLInstanceEncryptionRole role exists.
  7. Create an RDS instance with disk encryption enabled. For more information, see Create an RDS PostgreSQL instance.
    Note After the RDS instance is created, you can view its key for disk encryption on the Basic Information page.