Transparent Data Encryption (TDE) encrypts data before writing it to disk and decrypts it when reading into memory, with no increase in file size and no application changes required. You can enable TDE in the ApsaraDB for MongoDB console to protect instance data.
Prerequisites
-
The instance is a replica set or sharded cluster instance.
-
The instance uses the WiredTiger storage engine.
-
If the instance uses local disks, the database version is 4.0 or 4.2.
-
If the instance uses cloud disks, the database version is 4.4 or later. To upgrade from an earlier version, upgrade the major database version.
NoteBefore enabling TDE, create a pay-as-you-go instance that meets the version requirements to test application compatibility. Release the instance after testing.
If your instance does not meet these requirements, Change instance configurations.
Impacts
-
Enabling TDE restarts the instance, causing a transient connection interruption. Perform this operation during off-peak hours and ensure your application has a reconnection mechanism.
-
TDE increases CPU utilization.
-
Encrypted collections cannot be restored to a self-managed database by using physical backups. Use a logical backup instead. Restore data to a self-managed database by using a logical backup.
Considerations
-
Once enabled, TDE cannot be disabled.
-
You cannot restore a released, TDE-enabled instance from the Recycle Bin.
-
TDE encrypts at the instance level and applies only to collections. To encrypt specific fields, use Client-Side Field-Level Encryption (MongoDB 4.2 only).
NoteTo skip encryption for specific collections, Exclude a collection from encryption.
-
TDE encrypts only new collections created after enablement. Existing collections remain unencrypted.
-
Key Management Service (KMS) generates and manages TDE keys. ApsaraDB for MongoDB does not provide encryption keys or certificates. What is Key Management Service?.
-
The encryption key cannot be changed after TDE is enabled. To use a different key, migrate data to a new instance configured with the new key by using Data Transmission Service (DTS). Migrate data between ApsaraDB for MongoDB instances.
Procedure
-
Navigate to the Replica Set Instances or Sharded Cluster Instances page. In the top navigation bar, select a resource group and region, and then click the ID of the target instance.
-
In the left-side navigation pane, click .
-
Turn on the switch next to TDE Status:.
-
In the Enable TDE dialog box, select a key generation method based on your requirements.
-
Use Automatically Generated Key: The system automatically generates a key.
-
Use Custom Key: Select an existing key from the drop-down list. If the key you want to use is not available, you must first create one. For instructions, see Create a key.
-
-
Click OK.
The instance enters the Updating TDE state. The operation is complete when the status changes to Running.
Exclude a collection from encryption
After TDE is enabled, all new collections are encrypted by default. To create an unencrypted collection, specify the storage engine configuration during creation.
-
Connect to the database by using mongo shell: Connect to a replica set instance or Connect to a sharded cluster instance.
-
Run the following command to create an unencrypted collection.
-
Syntax:
db.createCollection("<collection_name>",{ storageEngine: { wiredTiger: { configString: "encryption=(name=none)" } } })NoteIn this command,
collection_nameis the name of the collection. -
Example:
db.createCollection("customer",{ storageEngine: { wiredTiger: { configString: "encryption=(name=none)" } } })
-