Transparent Data Encryption (TDE) encrypts and decrypts data in real time as it is written to and read from disk. Data pages are encrypted when they are flushed from memory to the data files on disk, and decrypted when they are loaded from the data files into memory. TDE does not increase the size of data files, and applications do not need to be changed to use it: encryption is applied below the SQL layer, so it protects data at rest (the files on disk and the backups made from them), not data returned by queries.

Prerequisites

  • The cluster version is PolarDB MySQL 8.0.
  • Key Management Service (KMS) is activated. If you have not activated KMS, you can activate KMS as instructed when you enable TDE. For more information about KMS, see What is KMS?.

Background information

Encryption keys are created and managed by KMS. Apsara PolarDB does not provide the keys and certificates required for encryption. In some zones, you can use the keys automatically generated by Alibaba Cloud or use your own key materials to generate data keys, and then authorize Apsara PolarDB to use the keys.

Precautions

  • After TDE is enabled, it cannot be disabled.
  • In I/O bound scenarios, enabling TDE may affect database performance.
  • Enabling TDE on an Apsara PolarDB cluster will cause the cluster to restart. Proceed with caution.
  • TDE cannot be enabled for clusters that have joined a Global Database Network (GDN). Clusters with the TDE feature enabled cannot join a GDN.
  • When you use an existing custom key, note the following points:
    • Disabling the key, scheduling the key for deletion, or deleting the key material makes the key unavailable. The cluster then can no longer decrypt its data files, so manage the key lifecycle in KMS with care.
    • After the authorization that allows PolarDB to use the key is revoked, the cluster keeps running until it is restarted; restarting the cluster makes it unavailable because it can no longer obtain the key.
    • You must use your Alibaba Cloud account or an account that has been granted the AliyunSTSAssumeRoleAccess permission.

Use a key automatically generated by Alibaba Cloud

  1. Log on to the Apsara PolarDB console.
  2. In the upper-left corner of the page, select the region where the target cluster is located.
  3. Find the target cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the TDE Settings tab, turn on the switch on the right of TDE Status.
  6. In the Configure TDE dialog box, select Use Default Key of KMS.
  7. Click OK to enable TDE.

Use an existing custom key

  1. Log on to the Apsara PolarDB console.
  2. In the upper-left corner of the page, select the region where the target cluster is located.
  3. Find the target cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the TDE Settings tab, turn on the switch on the right of TDE Status.
  6. In the Configure TDE dialog box, select Use Existing Custom Key.
    Note If you do not have a custom key, click Create Custom Key to create a key in the KMS console and import the key material. For more information, see Manage CMKs.
  7. Click OK to enable TDE.

Encrypt a table

Enabling TDE on the cluster does not encrypt any table by itself. Log on to the database and execute the following statement for each table that must be encrypted. In MySQL 8.0 this statement rebuilds the table (it is a copying ALTER), so on large tables it takes time and temporarily needs free storage:

alter table <tablename> encryption= 'Y';

Decrypt a table

Execute the following statement to decrypt a table that is encrypted with TDE. The table is rebuilt again and its data file is written back to disk in plaintext:

alter table <tablename> encryption= 'N';
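The following SQL is an added example that is not part of the original page: it encrypts a table, verifies the result from the MySQL 8.0 data dictionary, lists tables that are still stored in plaintext, and reverts. It assumes that PolarDB MySQL 8.0 exposes the standard INFORMATION_SCHEMA.TABLES and INFORMATION_SCHEMA.INNODB_TABLESPACES views (as MySQL 8.0 does); the schema name demo and table name customers are hypothetical.

```sql
-- Added example, not from the original page. Assumes standard MySQL 8.0
-- INFORMATION_SCHEMA views are available on PolarDB MySQL 8.0; the
-- schema 'demo' and table 'customers' are hypothetical names.
CREATE DATABASE IF NOT EXISTS demo;
USE demo;

-- An existing table created without encryption.
CREATE TABLE customers (
  id    INT PRIMARY KEY,
  email VARCHAR(255) NOT NULL
) ENGINE = InnoDB;

INSERT INTO customers VALUES (1, 'alice@example.com');

-- New tables can be created encrypted directly instead of altered later.
CREATE TABLE audit_log (
  id INT PRIMARY KEY,
  msg VARCHAR(255)
) ENGINE = InnoDB ENCRYPTION = 'Y';

-- Before: CREATE_OPTIONS is empty for customers.
SELECT TABLE_NAME, CREATE_OPTIONS
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'demo' AND TABLE_NAME = 'customers';

-- Encrypt the existing table (copying ALTER; rewrites the data file).
ALTER TABLE customers ENCRYPTION = 'Y';

-- After: CREATE_OPTIONS now contains ENCRYPTION="Y" ...
SELECT TABLE_NAME, CREATE_OPTIONS
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'demo' AND TABLE_NAME = 'customers';

-- ... and the file-per-table tablespace is flagged as encrypted ('Y').
SELECT NAME, ENCRYPTION
FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
WHERE NAME = 'demo/customers';

-- Queries still return plaintext: pages are decrypted when read into memory.
-- TDE does not replace access control on the SQL layer.
SELECT id, email FROM customers;

-- Audit query: every user table in the cluster that is NOT yet encrypted.
SELECT TABLE_SCHEMA, TABLE_NAME
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_TYPE = 'BASE TABLE'
  AND TABLE_SCHEMA NOT IN ('mysql', 'information_schema',
                           'performance_schema', 'sys')
  AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION="Y"%'
ORDER BY TABLE_SCHEMA, TABLE_NAME;

-- Revert: the table is rebuilt and stored in plaintext again.
ALTER TABLE customers ENCRYPTION = 'N';
```

Run the audit query after enabling TDE and again periodically: because encryption is a per-table property, a newly created table without ENCRYPTION = 'Y' is stored in plaintext even on a cluster with TDE turned on.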

FAQ

  • Q: Can I use database tools such as Navicat after TDE is enabled?

    A: Yes.

  • Q: Why is the data still in plaintext after encryption?

    A: When data is queried, the data pages are decrypted as they are read from disk into memory, so query results are always returned in plaintext to any user who is authorized to run the query. TDE protects the data files stored on disk; it does not restrict what a database user can read, so access control and strong credentials are still required.