To enhance the security of your data at rest, you can enable the disk encryption feature at no additional cost. This feature encrypts the entire data disk, which ensures that your data cannot be decrypted even if the disk or its backups are compromised. Enabling disk encryption requires no changes to your application code, has a minimal impact on instance performance, and ensures that instance snapshots automatically inherit the encryption attribute.
Overview
How it works
The disk encryption feature uses the industry-standard AES-256 encryption algorithm to encrypt the entire data disk. When disk encryption is enabled, data is automatically encrypted before being written to the disk and decrypted when read by an authorized user. This process requires no changes to your application code. For more information about how disk encryption works, see Disk encryption.
Encryption keys
Key Management Service (KMS) provides the keys required for disk encryption. You can use several types of keys from KMS to encrypt your disks, including default keys (which include service keys and customer master keys (CMKs)), software-protected keys, and hardware-protected keys. The following table describes the differences between these key types.
Key type | Encryption algorithm | Cost | Creator | Key material source | Description
Default key: service key | AES_256 | Free | An Alibaba Cloud service creates and manages it on your behalf. | | Cannot be deleted or disabled. Each user can have only one service key for RDS in the same region.
Default key: customer master key (CMK) | AES_256 | Free | You | Generated by KMS or imported by you | You can manage its lifecycle. Each user can have only one CMK in the same region.
Software-protected key and hardware-protected key | AES_256 | Paid | You | Generated by KMS or imported by you | You can manage their lifecycles and create multiple keys.
If your business does not require key isolation between instances and you want to reduce costs, you can select a default key, such as a service key or a customer master key (CMK). This option is free but has quantity limits. Each user can have only one CMK and one service key for RDS in the same region.
If you need to use different keys to encrypt different RDS instances or require more features such as credential management and digital signatures, you can purchase a software or hardware key instance and create the required keys. For more information, see Select a KMS key.
Prerequisites
You cannot manually enable disk encryption for RDS for MySQL read-only instances.
To enable disk encryption for a primary RDS for MySQL instance, you must meet the following conditions:
The storage type is ESSD or high-performance local disk.
The primary instance has no attached read-only instances. If read-only instances are attached, you must first release the read-only instances before you can enable disk encryption. After you enable disk encryption on the primary instance, new read-only instances created from it have disk encryption enabled by default.
You have authorized RDS to access Key Management Service (KMS).
Billing
The disk encryption feature is free, and there are no extra fees for disk read or write operations.
KMS manages the keys for disk encryption. Default keys, including service keys and customer master keys (CMKs), are free. KMS charges for the use of software-protected keys and hardware-protected keys.
Limitations
Once enabled, disk encryption cannot be disabled.
Service interruption: Enabling disk encryption for an existing instance or replacing a key causes a brief service interruption of about 30 seconds. Ensure your application has an automatic reconnection mechanism.
Backup and recovery: After disk encryption is enabled, second-level backups and backup downloads are not supported. Snapshots of the instance, and other instances created from those snapshots, automatically inherit the encryption attribute.
Key restrictions: The instance type restricts the KMS keys that you can select. Overdue payments for KMS or disabling or deleting a key can affect some instances for which disk encryption is enabled.
Key selection restrictions: A general-purpose instance type supports only a service key. A dedicated instance type supports a service key or custom keys.
Impact of overdue KMS payments: If you use a paid key type, such as a software-protected key or a hardware-protected key, an overdue payment for your KMS instance prevents the encrypted disks from being decrypted. This makes the entire instance unavailable. Make sure to renew your KMS instance on time.
Impact of disabling or deleting a key: For keys whose lifecycles you can manage, such as customer master keys (CMKs), software-protected keys, and hardware-protected keys, disabling or deleting a key locks the associated RDS instance. The instance becomes inaccessible. All O&M operations, such as backups, configuration changes, restarts, and high-availability (HA) switchovers, will fail.
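The behaviour described under "How it works" and under "Impact of disabling or deleting a key", as an added example that is not part of this page or of the RDS service itself: a small Go program that encrypts each block with AES-256-GCM before it reaches a simulated disk, decrypts on read, copies the disk as a snapshot, and then shows that once the key is disabled neither the disk nor the snapshot can be read. KeyStore, EncryptedDisk and the block-index associated data are assumptions of this example, not RDS or KMS interfaces; in the real service the key stays inside KMS, and the program only holds one in memory so that it runs offline. The sample row is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyUnavailable stands in for a KMS key that has been disabled or deleted.
var ErrKeyUnavailable = errors.New("KMS key disabled or deleted: disk cannot be decrypted")

// KeyStore is a hypothetical stand-in for KMS, not the KMS API; a 32-byte key gives AES-256.
type KeyStore struct {
	key     []byte
	enabled bool
}

// NewKeyStore generates a random 256-bit key, as KMS does for a generated key.
func NewKeyStore() (*KeyStore, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KeyStore{key: k, enabled: true}, nil
}

// aead returns the AES-256-GCM cipher, or fails once the key is disabled.
func (ks *KeyStore) aead() (cipher.AEAD, error) {
	if !ks.enabled {
		return nil, ErrKeyUnavailable
	}
	block, err := aes.NewCipher(ks.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptedDisk holds ciphertext only: block index -> nonce || AES-256-GCM output.
type EncryptedDisk struct{ blocks map[uint64][]byte }

func blockAD(idx uint64) []byte { return []byte(fmt.Sprint("block-", idx)) }

// Write encrypts before the bytes reach the disk; the application hands over plaintext.
// The block index is authenticated as associated data, so a block moved to another index fails to decrypt.
func (d *EncryptedDisk) Write(ks *KeyStore, idx uint64, plaintext []byte) error {
	gcm, err := ks.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	d.blocks[idx] = append(nonce, gcm.Seal(nil, nonce, plaintext, blockAD(idx))...)
	return nil
}

// Read decrypts on the way out; it fails when the key is unavailable or the data was altered.
func (d *EncryptedDisk) Read(ks *KeyStore, idx uint64) ([]byte, error) {
	gcm, err := ks.aead()
	if err != nil {
		return nil, err
	}
	raw, ns := d.blocks[idx], gcm.NonceSize()
	if len(raw) < ns {
		return nil, fmt.Errorf("block %d not found", idx)
	}
	return gcm.Open(nil, raw[:ns], raw[ns:], blockAD(idx))
}

// Snapshot is a byte-for-byte copy: it inherits the encryption attribute because it is ciphertext only.
func (d *EncryptedDisk) Snapshot() *EncryptedDisk {
	s := &EncryptedDisk{blocks: map[uint64][]byte{}}
	for i, b := range d.blocks {
		s.blocks[i] = append([]byte(nil), b...)
	}
	return s
}

func main() {
	row := []byte("customer row 1: card ending 4242") // constructed sample data
	ks, err := NewKeyStore()
	if err != nil {
		panic(err)
	}
	disk := &EncryptedDisk{blocks: map[uint64][]byte{}}
	if err := disk.Write(ks, 0, row); err != nil {
		panic(err)
	}
	got, _ := disk.Read(ks, 0)
	snap := disk.Snapshot()
	fmt.Printf("authorised read: %q\nsnapshot holds plaintext: %v\n", got, bytes.Contains(snap.blocks[0], row))
	ks.enabled = false // the key is disabled or deleted in KMS
	_, err = snap.Read(ks, 0)
	fmt.Println("read after key disabled:", err)
}
```

Run it with `go run`: the authorised read returns the row, the raw snapshot bytes never contain it, and after the key is disabled every read, on the disk or on its snapshot, fails with ErrKeyUnavailable. That failure is the mechanism behind the locked, inaccessible instance the page warns about: the data is still there, but nothing can decrypt it until the key is usable again.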
Enable disk encryption
Enable encryption when creating an instance
Go to the RDS for MySQL buy page. In the top navigation bar, click Standard Creation.
For Storage Type, select a disk type that uses cloud disks, and then select the Cloud Disk Encryption checkbox.
Select a key:
To use a service key (free): Select Default Service CMK. You can select this option regardless of whether a service key exists in the current region.
To use a customer master key (CMK) (free), software-protected key (paid), or hardware-protected key (paid): If you have already created the desired key, select it from the drop-down list. If not, click Create Now to create a key in the KMS console.
Note: If you do not have a service key in the current region, the system automatically creates a service key with the alias alias/acs/rds when you select Default Service CMK. If a service key already exists in the current region, a new one is not created when you select Default Service CMK; the existing service key with the alias alias/acs/rds is used for encryption by default. Each Alibaba Cloud service has only one service key in each region.
Configure other parameters as needed. After payment, go to the Instances list and click the target instance ID. In the Basic Information section, a displayed key indicates that disk encryption is enabled.
Enable encryption for an existing instance
Enabling disk encryption for an existing instance causes a service interruption of about 30 seconds. Ensure your application has an automatic reconnection mechanism.
Go to the Instances list, select a region at the top, and then click the ID of the target instance.
In the left-side navigation pane, click Data Security.
On the Data Encryption tab, click Enable Cloud Disk Encryption.
In the dialog box that appears, select a key and click OK. The instance status changes to Modifying Parameters.
Wait for the process to complete. Disk encryption is enabled when the instance status returns to Running and encryption information appears on the Data Encryption tab.
Replace a key
You can replace the key for an encrypted RDS for MySQL instance that uses a dedicated instance type. RDS for MySQL instances that use a general-purpose instance type can use only a service key and do not support key replacement.
Replacing a key causes a service interruption of about 30 seconds. Ensure your application has an automatic reconnection mechanism.
Go to the Instances list, select a region at the top, and then click the ID of the target instance.
In the left-side navigation pane, click Data Security.
On the Data Encryption tab, click Replace Key.
In the Change Encryption Key of Data Disk dialog box, select a key and click OK.
Related topics
For a comparison of transparent data encryption (TDE), disk encryption, and always-confidential databases, see Comparison of different database encryption technologies.
Use disk encryption for other database engines:
Related API: DescribeDBInstanceEncryptionKey - Query the disk encryption status and key details