This topic describes how to configure Transparent Data Encryption (TDE) for an ApsaraDB for MongoDB instance. Before data files are written to disks, TDE encrypts the data files. When data files are loaded from disks to the memory, TDE decrypts the data files. TDE does not increase the sizes of data files. When you use TDE, you do not need to modify your application that uses the ApsaraDB for MongoDB instance. You can enable TDE for an instance in the ApsaraDB for MongoDB console to improve data security.
Prerequisites
- A replica set or sharded cluster instance is used.
- The storage engine of the instance is WiredTiger.
- The database engine version of the instance is MongoDB 4.0 or 4.2. If the database engine version of the instance is earlier than MongoDB 4.0, upgrade the database version. For more information, see Upgrade MongoDB versions.
Note Before you enable TDE, you can create a pay-as-you-go instance of MongoDB 4.0 or 4.2 to test the compatibility between your application and the database version. You can release the instance after you complete the test.
If the architecture or storage engine of your instance does not meet the requirements, you can create an instance that meets the requirements and migrate data of your instance to the new instance. For more information, see Configuration change overview.
Notes
- When you enable TDE, your instance is restarted, and your application is disconnected from the instance. We recommend that you enable TDE during off-peak hours and make sure that your application can reconnect to the instance after it is disconnected.
- TDE increases the CPU usage of your instance.
- You cannot restore TDE-encrypted collections to a user-created ApsaraDB for MongoDB database from physical backup files. To restore TDE-encrypted collections to a user-created ApsaraDB for MongoDB database, use logical backup files.
Precautions
- After you enable TDE, you cannot disable TDE.
- You can enable TDE for an instance. You can also enable or disable encryption for a collection. If you need field-level encryption, see Explicit (Manual) Client-Side Field Level Encryption (only available on MongoDB 4.2 instances).
Note When you create a collection, you can disable encryption for the collection. For more information, see Disable encryption for a specified collection.
- After you enable TDE, only new collections are encrypted. Existing collections are not encrypted.
- Key Management Service (KMS) generates and manages the keys used by TDE. ApsaraDB for MongoDB does not provide keys or certificates required for encryption.
Procedure
Disable encryption for a specified collection
After you enable TDE, all new collections are encrypted. When you create a collection, you can perform the following steps to disable encryption for the collection:
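The following mongosh-style script is an added example and not the documentation's own procedure. It assumes two things the page does not state: that a single collection opts out of TDE by passing WiredTiger's `encryption=(name=none)` through `storageEngine.wiredTiger.configString`, and that `db.<collection>.stats().wiredTiger.creationString` reports that setting back, which lets you audit which collections (including those created before TDE was enabled) are actually encrypted.

```javascript
// Added example; not the ApsaraDB for MongoDB documentation's own procedure.
// Assumptions (not stated on the page): a single collection opts out of TDE by
// passing WiredTiger's "encryption=(name=none)" via storageEngine.configString,
// and db.<coll>.stats().wiredTiger.creationString reports that setting back.

// Options for db.createCollection(name, UNENCRYPTED_COLLECTION_OPTIONS):
// creates ONE collection without TDE while the rest of the instance stays encrypted.
const UNENCRYPTED_COLLECTION_OPTIONS = {
  storageEngine: { wiredTiger: { configString: 'encryption=(name=none)' } },
};

// Extract the cipher name from a WiredTiger creation string such as
// "...,encryption=(keyid=,name=AES256-CBC),...". Returns the name, "none" when
// encryption is explicitly off or the name is empty, or null if not reported.
function encryptionNameFromCreationString(creationString) {
  const m = /encryption=\(([^)]*)\)/.exec(creationString || '');
  if (!m) return null;
  const entry = m[1].split(',').map((s) => s.trim()).find((s) => s.startsWith('name='));
  if (entry === undefined) return null;
  const name = entry.slice('name='.length);
  return name === '' ? 'none' : name;
}

// Classify every collection: TDE only covers collections created after it was
// enabled, so pre-existing ones show up here as unencrypted. Accepts a mongosh
// `db` or any object exposing getCollectionNames() and getCollection(n).stats().
function auditTdeCoverage(dbHandle) {
  const report = { encrypted: [], unencrypted: [], unknown: [] };
  for (const name of dbHandle.getCollectionNames()) {
    const stats = dbHandle.getCollection(name).stats();
    const wt = stats && stats.wiredTiger; // absent in sharded-collection stats output
    const cipher = encryptionNameFromCreationString(wt ? wt.creationString : '');
    if (cipher === null) report.unknown.push(name);
    else if (cipher === 'none') report.unencrypted.push(name);
    else report.encrypted.push(name);
  }
  return report;
}

// Constructed stand-in for `db` so the audit runs offline (all values made up).
const CONSTRUCTED_CREATION_STRINGS = {
  orders: 'allocation_size=4KB,encryption=(keyid=,name=AES256-CBC),type=file',
  legacy_users: 'allocation_size=4KB,encryption=(keyid=,name=),type=file',
  audit_log: 'allocation_size=4KB,encryption=(keyid=,name=none),type=file',
};
const sampleDb = {
  getCollectionNames: () => Object.keys(CONSTRUCTED_CREATION_STRINGS),
  getCollection: (name) => ({
    stats: () => ({ wiredTiger: { creationString: CONSTRUCTED_CREATION_STRINGS[name] } }),
  }),
};

console.log(auditTdeCoverage(sampleDb));
// → { encrypted: ['orders'], unencrypted: ['legacy_users', 'audit_log'], unknown: [] }
```

Against a live instance, replace `sampleDb` with mongosh's `db` and run `db.createCollection('<name>', UNENCRYPTED_COLLECTION_OPTIONS)` only for collections that genuinely must stay in plaintext, since TDE cannot be disabled instance-wide afterwards.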