This topic describes how to configure disk encryption for an ApsaraDB RDS for SQL Server instance that uses standard or enhanced SSDs. The disk encryption function provides maximum protection for your data and relieves the need to change business or application configurations.


The disk encryption function encrypts the entire data disks of your RDS instance based on block storage. Your data cannot be cracked even if it is leaked.


  • Your RDS instance is being created. After your RDS instance is created, you cannot enable disk encryption.
  • The Standard SSD or Enhanced SSD storage type is selected for your RDS instance that is being created. For more information, see Storage types.


The disk encryption function is provided free of charge. You do not need to pay additional fees for the read or write operations that you perform on the encrypted disks.


  • The disk encryption function cannot be disabled after it is enabled.
  • After you enable the disk encryption function, the snapshots that are generated by your RDS instance inherit the disk encryption setting. All of the new RDS instances that are created from these snapshots also inherit the disk encryption setting.
  • If your Alibaba Cloud Key Management Service (KMS) is overdue, the standard or enhanced SSDs of your RDS instance become unavailable. Make sure that your KMS is normal. For more information, see What is KMS?


When you create an RDS instance, select the Standard SSD or Enhanced SSD storage type, select the Disk Encryption option to the right of the selected storage type, and then select a key that is used for encryption. For more information, see Create an ApsaraDB RDS for SQL Server instance.

Note For more information about how to create a key, see Manage CMKs.