You can use transparent data encryption (TDE) to encrypt data files when the files are written to disks and decrypt data files when the files are loaded to the memory from disks. If you use TDE, the sizes of the data files do not increase. Developers do not need to modify applications to use TDE.

Prerequisites

  • Only ApsaraDB PolarDB MySQL-compatible edition clusters of the Cluster Edition or Single Node product edition support TDE. TDE is not supported for Archive Database clusters.

    Cluster Edition and Single Node clusters must also meet the version requirements listed in the following table.

    Edition            Version   Support for TDE
    Cluster Edition    5.6       The revision version must be 5.6.1.0.21 or later.
                       5.7       The revision version must be 5.7.1.0.3 or later.
                       8.0       The revision version must be 8.0.1.1.1 or later.
    Single Node        5.6       The revision version must be 5.6.1.0.21 or later.
                       5.7       The revision version must be 5.7.1.0.3 or later.
                       8.0       The revision version must be 8.0.1.1.1 or later.
    Archive Database   8.0       Not supported
  • Alibaba Cloud Key Management Service (KMS) is activated. For more information, see Activate KMS.
  • ApsaraDB RDS is authorized to access KMS. For more information, see Authorize an ApsaraDB RDS for MySQL instance to access KMS.

Background information

TDE for ApsaraDB PolarDB MySQL-compatible edition uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key. The keys that are used in TDE are generated and managed by KMS; ApsaraDB PolarDB MySQL-compatible edition does not provide keys or certificates itself. In some zones, you can use keys that are generated by Alibaba Cloud. You can also generate keys by using bring your own key (BYOK) and then authorize ApsaraDB PolarDB MySQL-compatible edition to use those keys.

Usage notes

  • In I/O bound scenarios, TDE may have negative impacts on the performance of your databases.
  • You cannot enable TDE for clusters that are connected to a global database network (GDN). Clusters for which TDE is enabled cannot be connected to a GDN.

Procedure

Notice
  • After you enable TDE for a PolarDB for MySQL cluster, the cluster is automatically restarted. Proceed with caution.
  • After TDE is enabled, you cannot disable TDE.
  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the TDE Settings tab, turn on TDE Status.
  6. In the Configure TDE dialog box, select Use Default Key of KMS or Use Existing Custom Key.
    Note
    • TDE supports the following key types: Aliyun_AES_256 and Aliyun_SM4.
    • After Advanced Settings is enabled, new tables are automatically encrypted. Existing tables must be encrypted by executing data definition language (DDL) statements.
    • If you choose Use Default Key of KMS, select it in the dialog box that appears and click OK.
    • If you choose Use Existing Custom Key, select a key that is managed by KMS from the drop-down list and click OK.
      Note
      • If you do not have a custom key, click Create Custom Key. In the KMS console, create a key and import your key material. For more information, see Manage CMKs.
      • When you use an existing custom key, take note of the following limits:
        • If you disable the key, configure a key deletion plan, or delete the key material, the key becomes unavailable.
        • If you revoke the authorization that allows the PolarDB for MySQL cluster to use the key, the cluster becomes unavailable after it is restarted.
        • You must use an Alibaba Cloud account or an account that has the AliyunSTSAssumeRoleAccess permission.
    TDE is enabled in approximately 10 minutes.

Encrypt and decrypt tables

Note If you turn on Advanced Settings after you activate TDE, newly created tables are automatically encrypted and you do not need to manually encrypt the newly created tables. For existing tables, you need to perform specific operations to encrypt data.
To encrypt or decrypt MySQL tables after you enable TDE, you must log on to the database and execute the relevant DDL statements. The following table lists the DDL statements that are used to encrypt and decrypt tables in PolarDB for MySQL of different kernel versions.
Operation     PolarDB for MySQL 5.6                              PolarDB for MySQL 5.7 and PolarDB for MySQL 8.0
Encryption    alter table <tablename> block_format=encrypted;    alter table <tablename> encryption='Y';
Decryption    alter table <tablename> block_format=default;      alter table <tablename> encryption='N';
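Enabling TDE in the console does not encrypt tables that already exist, so a practitioner will want to audit a schema for unencrypted tables and generate the DDL from the table above for each one. The following SQL is an added example, not taken from the PolarDB documentation: it assumes the 5.7/8.0 syntax, a placeholder schema app_db and table customers, and that INFORMATION_SCHEMA.TABLES.CREATE_OPTIONS reports the encryption flag (as ENCRYPTION="Y" or ENCRYPTION='Y') the way community MySQL 5.7/8.0 does.

```sql
-- Added example; app_db and customers are placeholder names.
-- Assumption: CREATE_OPTIONS carries ENCRYPTION="Y" / ENCRYPTION='Y' for
-- encrypted InnoDB tables. The LIKE pattern uses "_" so either quote
-- style matches.

-- 1. Audit: InnoDB tables in the application schema that are still
--    stored in plaintext after TDE was enabled on the cluster.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'app_db'
  AND ENGINE = 'InnoDB'
  AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION=_Y_%';

-- 2. Generate one ALTER TABLE per unencrypted table (5.7/8.0 syntax).
--    Review the generated statements before executing them: the
--    rebuild copies the table, so run it in a maintenance window.
SELECT CONCAT('ALTER TABLE `', TABLE_SCHEMA, '`.`', TABLE_NAME,
              '` ENCRYPTION=''Y'';') AS ddl
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'app_db'
  AND ENGINE = 'InnoDB'
  AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION=_Y_%';

-- 3. Encrypt a single table by hand, then re-run the audit query in
--    step 1: the table must no longer be listed.
ALTER TABLE `app_db`.`customers` ENCRYPTION='Y';

-- 4. Reverse the change for one table if required (same syntax, 'N').
ALTER TABLE `app_db`.`customers` ENCRYPTION='N';
```

On PolarDB for MySQL 5.6 replace the ENCRYPTION clause with block_format=encrypted / block_format=default as listed in the table above; the audit query there is an assumption, since 5.6 CREATE_OPTIONS may not expose the flag.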