
ApsaraDB RDS:Use the cloud disk encryption feature

Last Updated: Mar 06, 2024

ApsaraDB RDS for SQL Server provides the cloud disk encryption feature free of charge. You can enable this feature only when you create an ApsaraDB RDS for SQL Server instance. The feature encrypts the data on each data disk of your RDS instance at the block storage layer. The snapshots that are generated for the RDS instance, and the cloud disks of any RDS instances that are created from those snapshots, are automatically encrypted. This way, snapshot backups cannot be decrypted even if they are leaked. If you enable this feature, your workloads are not affected, and you do not need to modify the code of your application.

Prerequisites

  • The cloud disk encryption feature is enabled. The feature can be enabled for your RDS instance only when you create the RDS instance. For more information, see Create an ApsaraDB RDS for SQL Server instance.

  • Your RDS instance meets the following requirements:

    • The RDS instance uses the standard SSD, enhanced SSD (ESSD), or general ESSD storage type.

    • The RDS instance belongs to the general-purpose or dedicated instance family. The shared instance family is not supported.

      Note

      Serverless RDS instances do not support the cloud disk encryption feature.

Billing rules

The cloud disk encryption feature is provided free of charge. You do not need to pay additional fees for the read and write operations that you perform on the encrypted disks.

Usage notes

  • Cross-region backups are not supported for RDS instances for which the cloud disk encryption feature is enabled. For more information, see Use the cross-region backup feature.

  • If the payment for your Key Management Service (KMS) instance is overdue, the standard SSDs or ESSDs of your RDS instance become unavailable. Make sure that your KMS instance runs as expected. For more information, see What is KMS?

  • If you disable or delete the KMS key that is used for cloud disk encryption, your RDS instance cannot run as expected. In this case, your RDS instance is locked and cannot be accessed. In addition, you cannot perform any O&M operations on the RDS instance. For example, you cannot perform backups, change instance specifications, clone or restart the RDS instance, perform a high-availability switchover, or modify instance parameters. To prevent these issues, we recommend that you use a service key.

  • If your RDS instance uses a general-purpose instance type, you can use only a service key to encrypt the cloud disks of the RDS instance. If your RDS instance uses a dedicated instance type, you can use a service key or a CMK to encrypt the cloud disks of the RDS instance. For more information, see [Product changes/Feature changes] The cloud disk encryption feature of ApsaraDB RDS is adjusted from January 15, 2024.

Enable the feature when you create an RDS instance

When you create an RDS instance, select the standard SSD, ESSD, or general ESSD storage type, select Disk Encryption, and then specify a key. For more information, see Create an ApsaraDB RDS for SQL Server instance.

Note

For more information about how to create a key, see Purchase and enable a KMS instance.


View the status of the feature and the key details

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. On the Basic Information page of the RDS instance, view the key of the RDS instance that uses cloud disks.

    Note

    • If no key is displayed on the Basic Information page, the feature was not enabled when the RDS instance was created.

    • The feature can be enabled for your RDS instance only when you create the RDS instance. For more information, see Create an ApsaraDB RDS for SQL Server instance.

What to do next

  • You can call the CreateDBInstance operation to enable the feature when you create an instance that meets the prerequisites. For more information, see CreateDBInstance.

  • You can call the DescribeDBInstanceEncryptionKey operation to query whether the feature is enabled for an instance and view the key details. For more information, see DescribeDBInstanceEncryptionKey.
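The following Python script is an added example written for this page; it is not code from Alibaba Cloud, the RDS console, or the RDS SDK. It encodes the rules from the Prerequisites and Usage notes sections as a pre-flight check that you can run on a planned CreateDBInstance request, and it parses a DescribeDBInstanceEncryptionKey response so that a disabled or pending-deletion key can be caught before it locks the instance. The CreateDBInstance parameter names DBInstanceStorageType and EncryptionKey, the storage-type values, and the response layout Items.DBInstanceEncryptionKey[].{EncryptionKey,KeyStatus} are assumed from the public API reference rather than taken from this page; the fields instance_family and key_kind are hypothetical and only model the console choices; the response bodies are constructed samples, not captured calls.

```python
"""Added example, not code from Alibaba Cloud or this page: two checks that
encode the rules stated above for ApsaraDB RDS cloud disk encryption.

Assumptions (not on the page): the CreateDBInstance parameter names
DBInstanceStorageType and EncryptionKey and the storage-type values listed
below; the DescribeDBInstanceEncryptionKey response layout
Items.DBInstanceEncryptionKey[].{EncryptionKey,KeyStatus}; and the
hypothetical plan fields instance_family and key_kind used to model the
console choices (instance family, service key vs. CMK).
"""
import json

# Storage types on which the page says encryption can be enabled (API value
# names assumed): standard SSD, ESSD (PL1-PL3) and general ESSD.
ENCRYPTABLE_STORAGE_TYPES = {
    "cloud_ssd", "cloud_essd", "cloud_essd2", "cloud_essd3", "general_essd",
}
# Instance families the page excludes from the feature.
UNSUPPORTED_FAMILIES = {"shared", "serverless"}


def check_encryption_plan(plan: dict) -> list:
    """Pre-flight check of a planned encrypted instance before CreateDBInstance.

    plan uses the API names DBInstanceStorageType / EncryptionKey plus two
    hypothetical fields: instance_family in {general, dedicated, shared,
    serverless} and key_kind in {service, cmk}.  Returns (code, message)
    tuples; an empty list means the plan satisfies the page's rules.
    """
    problems = []
    if plan.get("DBInstanceStorageType") not in ENCRYPTABLE_STORAGE_TYPES:
        problems.append(("storage_type",
                         "disk encryption needs standard SSD, ESSD or general ESSD storage"))
    family = plan.get("instance_family")
    if family in UNSUPPORTED_FAMILIES:
        problems.append(("instance_family",
                         f"{family} instances do not support disk encryption"))
    if family == "general" and plan.get("key_kind") == "cmk":
        problems.append(("key_kind",
                         "general-purpose instances can use only the service key"))
    if plan.get("key_kind") == "cmk" and not plan.get("EncryptionKey"):
        problems.append(("missing_key_id",
                         "a CMK was chosen but EncryptionKey is empty"))
    return problems


def audit_encryption_keys(response_body: str) -> dict:
    """Classify the keys in a DescribeDBInstanceEncryptionKey response body.

    Any key whose KeyStatus is not "Enabled" (for example Disabled or
    PendingDeletion) is reported as at risk, because the page states that a
    disabled or deleted key locks the instance and blocks all O&M operations.
    """
    data = json.loads(response_body)
    items = data.get("Items", {}).get("DBInstanceEncryptionKey", [])
    report = {"enabled": [], "at_risk": []}
    for item in items:
        key_id = item.get("EncryptionKey", "<unknown>")
        status = item.get("KeyStatus", "<missing>")
        if status == "Enabled":
            report["enabled"].append(key_id)
        else:
            report["at_risk"].append((key_id, status))
    return report


def disk_encryption_healthy(response_body: str) -> bool:
    """True only if at least one key is present and every key is Enabled."""
    report = audit_encryption_keys(response_body)
    return bool(report["enabled"]) and not report["at_risk"]


# Constructed sample response (placeholder ids, not captured from a real call).
SAMPLE_RESPONSE = json.dumps({
    "RequestId": "REQUEST-ID-PLACEHOLDER",
    "Items": {"DBInstanceEncryptionKey": [
        {"EncryptionKey": "key-id-placeholder-1", "KeyStatus": "Enabled",
         "Creator": "Service"},
    ]},
})
# Constructed response in which the CMK was disabled after instance creation.
SAMPLE_DISABLED_RESPONSE = json.dumps({
    "RequestId": "REQUEST-ID-PLACEHOLDER",
    "Items": {"DBInstanceEncryptionKey": [
        {"EncryptionKey": "key-id-placeholder-2", "KeyStatus": "Disabled"},
    ]},
})

if __name__ == "__main__":
    plan = {"DBInstanceStorageType": "cloud_essd", "instance_family": "general",
            "key_kind": "cmk", "EncryptionKey": "key-id-placeholder-2"}
    for code, msg in check_encryption_plan(plan):
        print(f"plan problem [{code}]: {msg}")
    print("healthy:", disk_encryption_healthy(SAMPLE_RESPONSE))
    print("at risk:", audit_encryption_keys(SAMPLE_DISABLED_RESPONSE)["at_risk"])
```

In practice you would feed `audit_encryption_keys` the body returned by the SDK's DescribeDBInstanceEncryptionKey call on a schedule and alert on any `at_risk` entry, since the page notes that a disabled or deleted key is only discovered once the instance is already locked; the pre-flight check is meant to run in whatever pipeline builds the CreateDBInstance request, before the instance is created, because the feature cannot be turned on afterwards.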