Transparent data encryption (TDE) encrypts and decrypts data files in real time: data files are encrypted when they are written to disk and decrypted when they are read from disk into memory. TDE does not change the size of data files, and you can use it without modifying the application that connects to ApsaraDB for MongoDB. TDE protects data at rest on disk; it does not cover data in memory or in transit on the network. To enhance data security, you can enable the TDE feature for an instance in the ApsaraDB for MongoDB console.

Prerequisites

  • The instance is a replica set instance or a sharded cluster instance.
  • The storage engine of the instance is WiredTiger.
  • The database version of the instance is MongoDB 4.0. If the database version of the instance is earlier than MongoDB 4.0, you can upgrade the database version. For more information, see Upgrade the database version.
    Note Before enabling TDE, you can create a pay-as-you-go instance of MongoDB 4.0 to test the compatibility between your application and the database version. You can release the instance after the test is completed.

Impact

  • When you enable TDE, your instance is restarted, and any application that has connected to the instance will be disconnected from it. We recommend that you enable TDE during off-peak hours and ensure that your application can reconnect to the instance upon disconnection.
  • TDE increases the CPU usage of your instance.
  • You cannot restore TDE-encrypted collections to a user-created MongoDB database from physical backup files, because those files contain the encrypted data files and the key that protects them is managed by KMS. To restore TDE-encrypted collections to a user-created MongoDB database, use logical backup files, which export the data in plaintext.

Note

  • You cannot disable TDE after it is enabled.
  • Currently, you can enable TDE for a whole instance and, when required, exclude an individual collection from encryption.
    Note In special business scenarios, you can choose not to encrypt a collection when you create it. For more information, see Disable encryption for a collection.
  • After you enable TDE, only collections created afterwards are encrypted. Collections that already existed when TDE was enabled remain unencrypted on disk.
  • Key Management Service (KMS) generates and manages the keys used by TDE. ApsaraDB for MongoDB does not provide keys or certificates required for encryption.

Procedure

  1. Log on to the ApsaraDB for MongoDB console.
  2. In the left-side navigation pane, click Replica Set Instances or Sharding Instances.
  3. Find the instance and click the instance ID.
  4. In the left-side navigation pane, choose Data Security > TDE.
  5. Turn on TDE Status to enable TDE.
  6. In the Restart Instance dialog box that appears, click OK.
    The instance status changes to Modifying TDE. After the status changes to Running, TDE is enabled.

Disable encryption for a collection

After you enable TDE, all new collections are encrypted. In special business scenarios, you can choose not to encrypt a collection when creating it. To create a collection with encryption disabled, follow these steps:

  1. Connect to your instance through the mongo shell. For more information, see the guide for connecting to a replica set instance or a sharded cluster instance.
  2. Run the following command to create a collection with encryption disabled:
    db.createCollection("<collection_name>",{ storageEngine: { wiredTiger: { configString: "encryption=(name=none)" } } })
    Note <collection_name>: the name of the collection.

    Example

    db.createCollection("customer",{ storageEngine: { wiredTiger: { configString: "encryption=(name=none)" } } })
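    The following script is an added example and is not part of the ApsaraDB for MongoDB documentation. It wraps the opt-out command above and adds the check you want after enabling TDE: it lists every collection whose creation options contain encryption=(name=none), which is how the opt-out is recorded in the output of db.getCollectionInfos(). The configString parser, the sample catalog and the function names are written for this example. Run it in the mongo shell against the instance (where db is defined) or in Node.js, where it falls back to the constructed sample. It assumes, as this page states, that a collection created without the opt-out inherits the instance-level TDE setting; it does not inspect key material.

```javascript
// Added example (not from the ApsaraDB for MongoDB documentation): create a
// collection that opts out of TDE, and audit which collections opted out.
// Works in the mongo shell (db is defined) and in Node.js (constructed sample).

// The opt-out command from this page, wrapped so the name is the only input.
function createUnencryptedCollection(database, name) {
  return database.createCollection(name, {
    storageEngine: { wiredTiger: { configString: "encryption=(name=none)" } }
  });
}

// Small recursive-descent parser for the WiredTiger configString syntax
// ("key=value,key=(nested=value)"), written for this example. Bare keys
// become `true`; nested groups become objects.
function parseWiredTigerConfig(configString) {
  const s = configString;
  let pos = 0;
  function parseGroup() {
    const result = {};
    while (pos < s.length && s[pos] !== ")") {
      let key = "";
      while (pos < s.length && !"=,)".includes(s[pos])) key += s[pos++];
      key = key.trim();
      let value = true;
      if (s[pos] === "=") {
        pos++;
        if (s[pos] === "(") {
          pos++;
          value = parseGroup();
          if (s[pos] !== ")") throw new Error("unbalanced parenthesis in " + s);
          pos++;
        } else {
          let raw = "";
          while (pos < s.length && !",)".includes(s[pos])) raw += s[pos++];
          value = raw.trim();
        }
      }
      if (key) result[key] = value;
      if (s[pos] === ",") pos++;
    }
    return result;
  }
  return parseGroup();
}

// A collection is plaintext on disk only if its creation options carry an
// explicit encryption=(name=none). A collection with no storageEngine option,
// or with a named encryptor, follows the instance-level TDE setting.
function isEncryptionDisabled(collectionInfo) {
  const options = collectionInfo.options || {};
  const engine = options.storageEngine || {};
  const wt = engine.wiredTiger || {};
  if (typeof wt.configString !== "string") return false;
  const parsed = parseWiredTigerConfig(wt.configString);
  return typeof parsed.encryption === "object" && parsed.encryption.name === "none";
}

// Names of the collections, from db.getCollectionInfos() output, that opted
// out of encryption. Views have no storage options and are skipped.
function findUnencryptedCollections(collectionInfos) {
  return collectionInfos
    .filter(function (info) { return info.type === "collection" && isEncryptionDisabled(info); })
    .map(function (info) { return info.name; });
}

// Constructed sample in the shape of db.getCollectionInfos() output: the
// "customer" collection from this page, a default (TDE-encrypted) collection,
// an opt-out collection with extra WiredTiger options, and a view.
const SAMPLE_COLLECTION_INFOS = [
  { name: "customer", type: "collection",
    options: { storageEngine: { wiredTiger: { configString: "encryption=(name=none)" } } } },
  { name: "orders", type: "collection", options: {} },
  { name: "audit_log", type: "collection",
    options: { storageEngine: { wiredTiger: { configString: "block_compressor=zlib,encryption=(name=none)" } } } },
  { name: "customer_view", type: "view", options: { viewOn: "customer", pipeline: [] } }
];

// Audit the live catalog in the mongo shell, or the sample under Node.js.
const collectionInfos = typeof db !== "undefined" ? db.getCollectionInfos() : SAMPLE_COLLECTION_INFOS;
const log = typeof print === "function" ? print : console.log;
log("Collections created with encryption disabled: " +
    JSON.stringify(findUnencryptedCollections(collectionInfos)));
```

    In the mongo shell, connect to the instance and load the file with load("tde_audit.js"). The list it prints is the set of collections that hold plaintext on disk after TDE is enabled; compare it against the exceptions your business scenario actually approved.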