ApsaraDB RDS: Use the cloud disk encryption feature

Last Updated: Mar 07, 2024

The cloud disk encryption feature is provided free of charge by ApsaraDB RDS for MySQL. The feature encrypts the data on each disk of your ApsaraDB RDS for MySQL instance by using block storage to ensure data security. This way, your data cannot be decrypted even if it is leaked. If you use the cloud disk encryption feature for your RDS instance, the snapshots that are created for the RDS instance are automatically encrypted, and you do not need to modify the configuration of your application.

For more information about how to use the cloud disk encryption feature for RDS instances that run different database engines, see the following topics:

Prerequisites

  • Your RDS instance is being created. The cloud disk encryption feature cannot be enabled after your RDS instance is created. For more information, see Create an ApsaraDB RDS for MySQL instance.

  • Your RDS instance uses cloud disks. For more information, see Storage types.

  • Your RDS instance runs RDS High-availability Edition or RDS Cluster Edition. For more information, see Overview of ApsaraDB RDS editions.

  • The billing method of your RDS instance is non-serverless.

  • Your RDS instance is created in standard mode.

Billing rules

The cloud disk encryption feature is provided free of charge. You are not charged for the read and write operations that you perform on the encrypted cloud disks.

Limits

The single-digit second backup and cross-region backup features are not supported for RDS instances for which the cloud disk encryption feature is enabled. For more information, see Use the cross-region backup feature.

Usage notes

  • You cannot disable the cloud disk encryption feature after you enable the feature.

  • The cloud disk encryption feature does not interrupt your business, and you do not need to modify your application.

  • If you enable the cloud disk encryption feature for your RDS instance, the snapshots that are created for the RDS instance are automatically encrypted. If you use the encrypted snapshots to create an RDS instance that uses cloud disks, the cloud disk encryption feature is automatically enabled for the new RDS instance.

  • If payments for your Alibaba Cloud Key Management Service (KMS) are overdue, the standard SSDs or ESSDs of your RDS instance become unavailable. Make sure that KMS is in a normal state. For more information, see What is KMS?

  • If you disable or delete the key of an RDS instance in KMS, the RDS instance cannot run as expected. The RDS instance is locked and cannot be accessed. In addition, no O&M operations can be performed on the RDS instance, including but not limited to operations such as instance backup, specification changes, instance cloning, instance restart, primary/secondary switchover, and parameter modification. We recommend that you use a service key to prevent this issue.

  • If you create an RDS instance that uses the general-purpose instance type and cloud disks, you can use only a service key to encrypt the cloud disks of the RDS instance. If you create an RDS instance that uses the dedicated instance type and cloud disks, you can use a service key or a CMK to encrypt the cloud disks of the RDS instance. For more information, see [Product changes/Feature changes] The cloud disk encryption feature of ApsaraDB RDS is adjusted from January 15, 2024.

Check whether the cloud disk encryption feature is enabled for an RDS instance

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the Basic Information section, check whether the Key parameter can be found. If you can find the parameter, the cloud disk encryption feature is enabled for the RDS instance.

Enable the cloud disk encryption feature for an RDS instance

When you create an RDS instance, set the Edition parameter to High-availability Edition, select an ESSD storage type, select Cloud Disk Encryption, and then configure the Key parameter. For more information, see Create an ApsaraDB RDS for MySQL instance.

Note
  • For more information about how to create a key, see Create a key.

  • After the RDS instance is created, you can go to the Basic Information page of the RDS instance and view the key that is used for cloud disk encryption.
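
Because encryption can be selected only at creation time and cannot be disabled afterwards, it helps to check a planned instance against the prerequisites, limits, and key rules above before you create it. The following is an added example, not Alibaba Cloud code; the plan dictionary and all of its field names and values are hypothetical and are not RDS API parameters.

```python
# Added example: pre-provisioning guardrail for the rules stated on this page.
# The plan layout and every field name/value are hypothetical, not RDS API names.
UNSUPPORTED_BACKUPS = {"single_digit_second_backup", "cross_region_backup"}


def check_encryption_plan(plan):
    """Return (errors, warnings) for a planned RDS for MySQL instance."""
    errors, warnings = [], []
    if not plan.get("cloud_disk_encryption"):
        # Encryption can only be chosen at creation time, so flag it now.
        return ["cloud disk encryption is not selected"], warnings

    if plan.get("storage") != "cloud_disk":
        errors.append("instance must use cloud disks")
    if plan.get("edition") not in {"high-availability", "cluster"}:
        errors.append("edition must be High-availability or Cluster")
    if plan.get("serverless"):
        errors.append("serverless billing is not supported")
    if plan.get("creation_mode") != "standard":
        errors.append("instance must be created in standard mode")

    key_type = plan.get("key_type")  # "service" or "cmk"
    if key_type not in {"service", "cmk"}:
        errors.append("a key must be configured")
    elif key_type == "cmk":
        if plan.get("instance_family") == "general-purpose":
            errors.append("general-purpose instances can use only a service key")
        else:
            warnings.append("disabling or deleting the CMK in KMS locks the instance")

    for feature in sorted(UNSUPPORTED_BACKUPS & set(plan.get("backup_features", []))):
        errors.append(f"{feature} is not supported with cloud disk encryption")
    warnings.append("encryption cannot be disabled after it is enabled")
    return errors, warnings


# Constructed sample: a general-purpose instance that asks for a CMK and
# cross-region backup, both of which the page rules out.
SAMPLE_PLAN = {
    "cloud_disk_encryption": True, "storage": "cloud_disk",
    "edition": "high-availability", "serverless": False,
    "creation_mode": "standard", "instance_family": "general-purpose",
    "key_type": "cmk", "backup_features": ["cross_region_backup"],
}

if __name__ == "__main__":
    errs, warns = check_encryption_plan(SAMPLE_PLAN)
    print("\n".join([f"ERROR: {e}" for e in errs] + [f"WARN: {w}" for w in warns]))
```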

Related operations

| Operation | Description |
| --- | --- |
| CreateDBInstance | Creates an instance. |