This topic describes how to configure SSL encryption and data disk encryption for an RDS PostgreSQL instance to improve data security.


The RDS instance must be in either of the following editions:
  • PostgreSQL 11 High-availability Edition (with SSDs)
  • PostgreSQL 10 High-availability Edition (with SSDs)


  • After you enable SSL encryption, all data transmitted through private networks and the Internet is encrypted by using SSL. SSL encryption protects data from being stolen.
  • After you enable SSL encryption, you must disconnect the existing connection so that SSL encryption can take effect on it.
  • Data disk encryption is available only to the China (Hong Kong) and China (Shanghai) regions and will be rolled out in the other regions soon.
  • Data disk encryption can be enabled only when you create an RDS instance. Before enable data disk encryption, you must configure data disk encryption. For more information, see Configure data disk encryption.

Configure SSL encryption

  1. Log on to the PostgreSQL console.
  2. In the upper-left corner, select the region where the target RDS instance is located.
  3. Find the target RDS instance and click the instance ID.
  4. In the left-side navigation pane, choose Data Security > Data Security.
  5. In the SSL Encryption section, click Enable SSL. In the message box that appears, click OK.

Configure data disk encryption

  1. Log on to the KMS console.
  2. In the upper-left corner, select the region where you want to create an RDS instance.
    KMS Console-选择地域
  3. Click Create Key.
  4. Set the following parameters.
    Parameter Description
    Alias Name The alias of the key.
    Protection Level Select SOFTWARE.
    Description The description of the key.
    Key Material Source Select Alibaba Cloud KMS or External. If you select Alibaba Cloud KMS, the system assigns you a key. If you select External, you can import a 256-bit symmetric key into the KMS console.
  5. Click OK.
  6. Click here to go to the Cloud Resource Access Authorization page, and click Confirm Authorization Policy.
    Note This step is required only when it is the first time that you create such an RDS instance. You can go to the RAM console and navigate to the RAM Roles page to check whether you have the AliyunPostgreSQLInstanceEncryptionRole permission.角色管理
  7. Configure data disk encryption when you create the RDS instance. For more information, see Create an RDS PostgreSQL instance.