You can use Transparent Data Encryption (TDE) to encrypt data files when the files are written to disks and decrypt data files when the files are loaded to the memory from disks. If you use TDE, the sizes of the data files do not increase. Developers do not need to modify applications to use TDE.

Prerequisites

  • Only ApsaraDB PolarDB MySQL-compatible edition clusters whose product edition is Cluster Edition or Single Node support TDE. TDE is not supported by Archive Database.

    Clusters of the Cluster Edition and Single Node editions must also run a supported version. The following table describes the requirements by edition and version.

    Edition            Version   Support for TDE
    Cluster Edition    5.6       The revision version must be 5.6.1.0.21 or later.
    Cluster Edition    5.7       The revision version must be 5.7.1.0.3 or later.
    Cluster Edition    8.0       The revision version must be 8.0.1.1.1 or later.
    Single Node        5.6       The revision version must be 5.6.1.0.21 or later.
    Single Node        5.7       The revision version must be 5.7.1.0.3 or later.
    Single Node        8.0       The revision version must be 8.0.1.1.1 or later.
    Archive Database   8.0       Not supported
  • Alibaba Cloud Key Management Service (KMS) is activated. For more information, see Activate KMS.
  • ApsaraDB RDS is authorized to access KMS. For more information, see Authorize an ApsaraDB RDS for MySQL instance to access KMS.

Background information

TDE for the ApsaraDB PolarDB MySQL-compatible edition uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key. The keys that are used in TDE are generated and managed by KMS; the ApsaraDB PolarDB MySQL-compatible edition itself does not provide keys or certificates. In some zones, you can use the keys that are automatically generated by Alibaba Cloud. You can also use your own key materials to generate keys and then authorize the ApsaraDB PolarDB MySQL-compatible edition to use these keys.

Note

  • In I/O bound scenarios, TDE may adversely affect the performance of your databases.
  • You cannot enable TDE for clusters that are connected to a global database network (GDN). Clusters for which TDE is enabled cannot be connected to a GDN.

Procedure

Notice
  • After you enable TDE for a PolarDB cluster, the cluster is automatically restarted. Proceed with caution.
  • After TDE is enabled, you cannot disable TDE.
  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster that you want to manage is deployed.
  3. Find the cluster that you want to manage and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the TDE Settings tab, turn on TDE Status.
  6. In the Configure TDE dialog box, select Use Default Key of KMS or Use Existing Custom Key.
    Note TDE supports the following keys: Aliyun_AES_256 and Aliyun_SM4.
    • If you choose Use Default Key of KMS, select it in the dialog box that appears and click OK.
    • If you choose Use Existing Custom Key, select a key generated by KMS from the drop-down list and click OK.
      Note
      • If you do not have a custom key, click Create Custom Key. In the KMS console, create a key and import your key materials. For more information, see Manage CMKs.
      • When you use an existing custom key, you must take note of the following limits:
        • If you disable a key, configure a key deletion plan, or delete the key materials, the key becomes unavailable.
        • If you revoke the authorization to a cluster of the ApsaraDB PolarDB MySQL-compatible edition, the cluster becomes unavailable after you restart the cluster.
        • You must use an Alibaba Cloud account or an account that has the AliyunSTSAssumeRoleAccess permission.
    It requires approximately 10 minutes to enable TDE.

Advanced settings

Note You can enable the Advanced Settings feature only when the cluster version is the ApsaraDB PolarDB MySQL-compatible edition 8.0 and the minor kernel version is 8.0.1.1.15 or later.
When you enable TDE, you can enable the Advanced Settings feature in the Configure TDE dialog box. After this feature is enabled, all newly created tables are automatically encrypted.

Encrypt and decrypt tables

Note If you turn on Advanced Settings, newly created tables are automatically encrypted and you do not need to encrypt them manually. Tables that already existed before TDE was enabled must be encrypted explicitly with the statements below.
To encrypt or decrypt MySQL tables after you enable TDE, you must log on to the database and execute the relevant DDL statements. The following table lists the DDL statements that are executed to encrypt and decrypt tables in the ApsaraDB PolarDB MySQL-compatible edition of different kernel versions.
Operation    ApsaraDB PolarDB MySQL-compatible edition 5.6       ApsaraDB PolarDB MySQL-compatible edition 5.7 and 8.0
Encryption   alter table <tablename> block_format=encrypted;     alter table <tablename> encryption='Y';
Decryption   alter table <tablename> block_format=default;       alter table <tablename> encryption='N';
Note When you execute the preceding alter table statements to encrypt or decrypt a table, the table is locked.
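As an added example that is not part of the original documentation, the following SQL applies the 5.7/8.0 statements from the table above to a constructed table and then checks the result. The check reads the CREATE_OPTIONS column of INFORMATION_SCHEMA.TABLES, which in MySQL 5.7 and 8.0 reports the ENCRYPTION option for a table created or altered with ENCRYPTION='Y'; that this column behaves identically on PolarDB is an assumption, as are the schema name tde_demo and the table customer. The last SELECT goes beyond the page: it lists every InnoDB table in the schema that still lacks the encryption option, which is how you audit coverage, because Advanced Settings only covers tables created after it is enabled and pre-existing tables stay unencrypted until each one is altered.

```sql
-- Constructed demo schema and table (placeholders, not from the PolarDB docs).
CREATE DATABASE IF NOT EXISTS tde_demo;
USE tde_demo;

CREATE TABLE IF NOT EXISTS customer (
  id     BIGINT       PRIMARY KEY,
  email  VARCHAR(255) NOT NULL,
  ssn    CHAR(11)     NOT NULL   -- sensitive column that makes at-rest encryption worthwhile
) ENGINE=InnoDB;

-- Encrypt an existing table (PolarDB MySQL 5.7 / 8.0 syntax from the table above).
-- The ALTER rewrites the tablespace and locks the table while it runs, so schedule
-- it in a maintenance window for large tables.
ALTER TABLE customer ENCRYPTION='Y';

-- Verify: CREATE_OPTIONS should now carry ENCRYPTION="Y" / ENCRYPTION='Y'.
-- Standard MySQL behaviour; assumed identical on PolarDB.
SELECT TABLE_NAME, CREATE_OPTIONS
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'tde_demo'
  AND TABLE_NAME   = 'customer';

-- Audit: InnoDB base tables in the schema that are still unencrypted.
-- The "_" wildcard stands for the quote character around Y, because the
-- quoting style in CREATE_OPTIONS differs between server versions.
SELECT TABLE_NAME
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'tde_demo'
  AND ENGINE       = 'InnoDB'
  AND TABLE_TYPE   = 'BASE TABLE'
  AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION=_Y_%';

-- Decrypt again; this also locks the table while the tablespace is rewritten.
ALTER TABLE customer ENCRYPTION='N';
```

Run the audit query against each application schema after enabling TDE; any table it returns is still stored in cleartext on disk regardless of the cluster-level TDE status, and the corresponding ALTER TABLE must be planned with the lock in mind.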