Transparent data encryption (TDE) encrypts and decrypts data files in real time as they are written and read. TDE encrypts data files before they are written to disk and decrypts them when they are loaded from disk into memory. TDE does not increase the size of data files, and developers do not need to modify applications to use it.

Prerequisites

  • TDE is available only for PolarDB for MySQL clusters of the Cluster Edition or the Single Node edition. TDE is unavailable for Archive Database.

    The PolarDB for MySQL clusters of the Cluster Edition and Single Node editions must meet the following version requirements.

    Product edition    Version   Support for TDE
    Cluster Edition    5.6       The revision version must be 5.6.1.0.21 or later.
                       5.7       The revision version must be 5.7.1.0.3 or later.
                       8.0       The revision version must be 8.0.1.1.1 or later.
    Single Node        5.6       The revision version must be 5.6.1.0.21 or later.
                       8.0       The revision version must be 8.0.1.1.1 or later.
    Archive Database   8.0       Not supported.
  • Alibaba Cloud Key Management Service (KMS) is activated. If KMS is not activated, you can activate KMS as prompted when you enable TDE. For more information about KMS, see KMS.

Background information

Encryption keys are generated and managed by KMS. PolarDB does not provide the keys or certificates that are required for encryption. In some zones, you can use the keys that are automatically generated by Alibaba Cloud. You can also use your own key materials to generate data keys and authorize PolarDB to use the keys.

Precautions

  • After TDE is enabled, it cannot be disabled.
  • In I/O-bound scenarios, database performance may degrade after you enable TDE.
  • The PolarDB cluster restarts after you enable TDE. Proceed with caution.
  • TDE cannot be enabled for clusters that have joined a global database network (GDN). Clusters that have the TDE feature enabled cannot join a GDN.
  • When you use an existing custom key, you must take note of the following points:
    • If you disable the key, schedule the key for deletion, or delete the key materials, the key becomes unavailable.
    • If you revoke the authorization that your PolarDB cluster has for the key, the cluster becomes unavailable the next time it restarts.
    • You must use your Alibaba Cloud account or an account that has the AliyunSTSAssumeRoleAccess permission.

Use a key that is automatically generated by Alibaba Cloud

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster resides.
  3. Find the cluster, and then click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the TDE Settings tab, turn on the TDE Status switch.
  6. In the Configure TDE dialog box, select Use Default Key of KMS.
  7. Click OK to enable TDE.

Use an existing custom key

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster resides.
  3. Find the cluster, and then click the cluster ID.
  4. On the TDE Settings tab, turn on the TDE Status switch.
  5. In the Configure TDE dialog box, select Use Existing Custom Key.
    Note If you do not have a custom key, click Create Custom Key. In the KMS console, create a key and import your own key materials. For more information, see Manage CMKs.
  6. Click OK to enable TDE.

Encrypt a table

Log on to the database and run the following command to encrypt the table:

alter table <tablename> encryption='Y';

Decrypt a table

Run the following command to decrypt the table that is encrypted by TDE:

alter table <tablename> encryption='N';
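As an added example that is not part of the PolarDB documentation, the following SQL applies the two statements above to a constructed table and then checks the result through information_schema.TABLES, which standard MySQL 5.7/8.0 exposes and which a PolarDB for MySQL cluster is assumed here to expose in the same way. It also runs the audit query a reviewer wants after enabling TDE on a cluster that already holds tables: a list of every InnoDB table whose data files are still unencrypted. The database name app_db and the table customer_pii are constructed for the example; the cluster is assumed to already have TDE enabled in the console.

```sql
-- Added example (not from the PolarDB documentation).
-- Assumes: PolarDB for MySQL 5.7/8.0 with TDE enabled in the console, and that
-- information_schema.TABLES reports the ENCRYPTION flag in CREATE_OPTIONS as
-- community MySQL does. Schema and table names below are constructed.

CREATE DATABASE IF NOT EXISTS app_db;
USE app_db;

-- Constructed sample table holding data that should be protected at rest.
CREATE TABLE IF NOT EXISTS customer_pii (
  id          BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  email       VARCHAR(255)    NOT NULL,
  national_id VARCHAR(32)     NOT NULL
) ENGINE = InnoDB;

-- Encrypt the table: the page's statement applied to a concrete table name.
ALTER TABLE customer_pii ENCRYPTION = 'Y';

-- Verify: the row for customer_pii should now show ENCRYPTION="Y" (5.7) or
-- ENCRYPTION='Y' (8.0) in CREATE_OPTIONS.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
FROM information_schema.TABLES
WHERE TABLE_SCHEMA = 'app_db' AND TABLE_NAME = 'customer_pii';

-- Audit: every user InnoDB table whose data files are NOT encrypted.
-- '_' matches the single quote character, so the pattern works for both
-- quote styles. Enabling TDE in the console does not encrypt existing
-- tables by itself, so this list is what still needs ALTER TABLE ... ENCRYPTION='Y'.
SELECT TABLE_SCHEMA, TABLE_NAME
FROM information_schema.TABLES
WHERE TABLE_SCHEMA NOT IN ('mysql', 'information_schema', 'performance_schema', 'sys')
  AND ENGINE = 'InnoDB'
  AND TABLE_TYPE = 'BASE TABLE'
  AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION=_Y_%';

-- Decrypt again: the page's second statement. After this, customer_pii
-- reappears in the audit result above.
ALTER TABLE customer_pii ENCRYPTION = 'N';
```

Run the audit query as a recurring check rather than once: a table created later without the ENCRYPTION option, or one that was decrypted with 'N', shows up in the list immediately.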

FAQ

  • Can I use general database tools, such as Navicat, after TDE is enabled?

    Yes, you can use general database tools, such as Navicat, after TDE is enabled.

  • Why is the data still in plaintext after encryption?

    When data is queried, the data is decrypted as it is loaded from disk into memory, so query results are always returned in plaintext. TDE encrypts the data stored on disk; it does not change what a query returns.