Transparent data encryption (TDE) encrypts data files when they are written to disk and decrypts them when they are read from disk into memory. TDE does not increase the size of the data files, and applications do not need to be modified to use it. Note that TDE protects data at rest only: pages in memory, data in transit, and result sets returned to authorized clients are in plaintext, so TDE complements rather than replaces transport encryption and access control.
Prerequisites
- Only ApsaraDB PolarDB MySQL-compatible edition clusters whose product edition is Cluster Edition or Single Node support TDE. Archive Database clusters do not support TDE.
Cluster Edition and Single Node clusters must also run a sufficiently recent revision of the database kernel. The following table lists the minimum revision version by edition and version.

| Edition | Version | Support for TDE |
|---|---|---|
| Cluster Edition | 5.6 | The revision version must be 184.108.40.206.21 or later. |
| Cluster Edition | 5.7 | The revision version must be 220.127.116.11.3 or later. |
| Cluster Edition | 8.0 | The revision version must be 18.104.22.168.1 or later. |
| Single Node | 5.6 | The revision version must be 22.214.171.124.21 or later. |
| Single Node | 5.7 | The revision version must be 126.96.36.199.3 or later. |
| Single Node | 8.0 | The revision version must be 188.8.131.52.1 or later. |
| Archive Database | 8.0 | Not supported |
- Alibaba Cloud Key Management Service (KMS) is activated. For more information, see Activate KMS.
- ApsaraDB RDS is authorized to access KMS. For more information, see Authorize an ApsaraDB RDS for MySQL instance to access KMS.
TDE for ApsaraDB PolarDB MySQL-compatible edition uses the Advanced Encryption Standard (AES) with a 256-bit key. The keys used by TDE are generated and managed by Alibaba Cloud Key Management Service (KMS); PolarDB itself does not generate, store, or provide keys or certificates. In some zones, you can use a key generated by Alibaba Cloud (the default KMS key). You can also bring your own key (BYOK) by importing your own key material into KMS, and then authorize ApsaraDB PolarDB MySQL-compatible edition to use that key. Because the key lives in KMS, the availability of the encrypted data depends on the availability of the KMS key: anything that disables, deletes, or de-authorizes the key also makes the data unreadable.
Usage notes
- TDE adds encryption and decryption work to every disk write and read, so it can reduce database performance in I/O-bound workloads. Measure the impact on a non-production cluster before enabling it in production.
- You cannot enable TDE for a cluster that is connected to a global database network (GDN), and a cluster for which TDE is enabled cannot be connected to a GDN.
- After you enable TDE for a PolarDB for MySQL cluster, the cluster is automatically restarted, which interrupts existing connections. Perform this operation during off-peak hours.
- After TDE is enabled for a cluster, it cannot be disabled. You can still decrypt individual tables with DDL statements (see Encrypt and decrypt tables), but the cluster-level TDE setting stays on.
Procedure
- Log on to the PolarDB console.
- In the upper-left corner of the console, select the region where the cluster is deployed.
- Find the cluster and click the cluster ID.
- In the left-side navigation pane, choose .
- On the TDE Settings tab, turn on TDE Status.
- In the Configure TDE dialog box, select the key to use. TDE supports the following keys:
  - Use Default Key of KMS: select Use Default Key of KMS and click OK. The key is generated and managed by KMS.
  - Use Existing Custom Key: select a key managed by KMS from the drop-down list and click OK.
    - If you do not have a custom key, click Create Custom Key. In the KMS console, create a key and import your key material. For more information, see Manage CMKs.
    - When you use an existing custom key, take note of the following limits:
      - If you disable the key, schedule the key for deletion, or delete its key material, the key becomes unavailable to the cluster.
      - If you revoke the cluster's authorization to use the key, the cluster becomes unavailable after its next restart.
      - You must use an Alibaba Cloud account or a RAM user that has the AliyunSTSAssumeRoleAccess permission.
- Optionally, turn on Advanced Settings. When it is enabled, new tables are encrypted automatically. Existing tables are not encrypted retroactively; you must execute data definition language (DDL) statements to encrypt them.
TDE takes effect in approximately 10 minutes.
Encrypt and decrypt tables

| Operation | PolarDB for MySQL 5.6 | PolarDB for MySQL 5.7 and PolarDB for MySQL 8.0 |
|---|---|---|
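The following statements are an added example of the table-level DDL that the procedure above refers to; they are not taken from this page or from the PolarDB documentation. The schema and table names (`app.customers`, `app.payment_tokens`) are hypothetical. The `ENCRYPTION = 'Y'` clause is standard MySQL 5.7/8.0 syntax; the `BLOCK_FORMAT` clause shown for 5.6 is an assumption about that kernel and should be checked against the operations table for your version.

```sql
-- Added example (not from the original page). Schema and table names are hypothetical.

-- PolarDB for MySQL 5.7 and 8.0: standard MySQL table-level encryption clause.
-- Changing ENCRYPTION rewrites the whole tablespace (ALGORITHM=COPY), so a large
-- table costs a full copy of its I/O; run it in a maintenance window.
ALTER TABLE app.customers ENCRYPTION = 'Y';

-- New tables can request encryption explicitly. With Advanced Settings enabled
-- on the cluster, new tables are encrypted even without this clause.
CREATE TABLE app.payment_tokens (
  id      BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  token   VARBINARY(64)   NOT NULL,
  created DATETIME        NOT NULL DEFAULT CURRENT_TIMESTAMP
) ENGINE = InnoDB ENCRYPTION = 'Y';

-- Decrypt a single table again (the cluster-level TDE setting stays on).
ALTER TABLE app.customers ENCRYPTION = 'N';

-- PolarDB for MySQL 5.6 (assumption: the 5.6 kernel uses BLOCK_FORMAT instead
-- of the ENCRYPTION clause; verify against the operations table for your version).
ALTER TABLE app.customers BLOCK_FORMAT = ENCRYPTED;
ALTER TABLE app.customers BLOCK_FORMAT = DEFAULT;

-- Verify on 5.7/8.0: the encryption flag is reported in CREATE_OPTIONS.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
FROM   information_schema.TABLES
WHERE  TABLE_SCHEMA = 'app'
  AND  CREATE_OPTIONS LIKE '%ENCRYPTION="Y"%';

-- Audit: application tables that are still stored in plaintext. Use this after
-- enabling TDE, because existing tables are not encrypted retroactively.
SELECT TABLE_SCHEMA, TABLE_NAME
FROM   information_schema.TABLES
WHERE  TABLE_SCHEMA NOT IN ('mysql', 'information_schema', 'performance_schema', 'sys')
  AND  TABLE_TYPE = 'BASE TABLE'
  AND  CREATE_OPTIONS NOT LIKE '%ENCRYPTION="Y"%';
```

The audit query is the check to keep in a scheduled job: turning on TDE or Advanced Settings changes only how new tables are created, so any table that predates the change stays unencrypted until an explicit ALTER TABLE is run against it.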