All Products
Search
Document Center

ApsaraDB for MongoDB:Configure transparent data encryption (TDE)

Last Updated:Jun 08, 2026

Transparent Data Encryption (TDE) encrypts data before writing it to disk and decrypts it when reading into memory, with no increase in file size and no application changes required. You can enable TDE in the ApsaraDB for MongoDB console to protect instance data.

Prerequisites

  • The instance is a replica set or sharded cluster instance.

  • The instance uses the WiredTiger storage engine.

  • If the instance uses local disks, the database version is 4.0 or 4.2.

  • If the instance uses cloud disks, the database version is 4.4 or later. To upgrade from an earlier version, upgrade the major database version.

    Note

    Before enabling TDE, create a pay-as-you-go instance that meets the version requirements to test application compatibility. Release the instance after testing.

  • Key Management Service (KMS) must be activated.

If your instance does not meet these requirements, Change instance configurations.

Impacts

  • Enabling TDE restarts the instance, causing a transient connection interruption. Perform this operation during off-peak hours and ensure your application has a reconnection mechanism.

  • TDE increases CPU utilization.

  • Encrypted collections cannot be restored to a self-managed database by using physical backups. Use a logical backup instead. Restore data to a self-managed database by using a logical backup.

Considerations

  • Once enabled, TDE cannot be disabled.

  • You cannot restore a released, TDE-enabled instance from the Recycle Bin.

  • TDE encrypts at the instance level and applies only to collections. To encrypt specific fields, use Client-Side Field-Level Encryption (MongoDB 4.2 only).

    Note

    To skip encryption for specific collections, Exclude a collection from encryption.

  • TDE encrypts only new collections created after enablement. Existing collections remain unencrypted.

  • Key Management Service (KMS) generates and manages TDE keys. ApsaraDB for MongoDB does not provide encryption keys or certificates. What is Key Management Service?.

  • The encryption key cannot be changed after TDE is enabled. To use a different key, migrate data to a new instance configured with the new key by using Data Transmission Service (DTS). Migrate data between ApsaraDB for MongoDB instances.

Procedure

  1. Navigate to the Replica Set Instances or Sharded Cluster Instances page. In the top navigation bar, select a resource group and region, and then click the ID of the target instance.

  2. In the left-side navigation pane, click Data Security > TDE.

  3. Turn on the switch next to TDE Status:.

  4. In the Enable TDE dialog box, select a key generation method based on your requirements.

    • Use Automatically Generated Key: The system automatically generates a key.

    • Use Custom Key: Select an existing key from the drop-down list. If the key you want to use is not available, you must first create one. For instructions, see Create a key.

  5. Click OK.

    The instance enters the Updating TDE state. The operation is complete when the status changes to Running.

Exclude a collection from encryption

After TDE is enabled, all new collections are encrypted by default. To create an unencrypted collection, specify the storage engine configuration during creation.

  1. Connect to the database by using mongo shell: Connect to a replica set instance or Connect to a sharded cluster instance.

  2. Run the following command to create an unencrypted collection.

    • Syntax:

      db.createCollection("<collection_name>",{ storageEngine: { wiredTiger: { configString: "encryption=(name=none)" } } })
      Note

      In this command, collection_name is the name of the collection.

    • Example:

      db.createCollection("customer",{ storageEngine: { wiredTiger: { configString: "encryption=(name=none)" } } })