This topic describes how to configure transparent data encryption (TDE) for your PolarDB cluster. TDE encrypts and decrypts data files in real time when they are written or read. TDE encrypts data files before they are written to disks, and decrypts data files when they are loaded to the memory from disks. TDE does not increase the sizes of data files. You do not need to modify your applications to use TDE.

Prerequisites

  • The cluster version is PolarDB for MySQL 8.0.
  • Alibaba Cloud Key Management Service (KMS) is activated. If KMS is not activated, you can activate KMS when you enable TDE. For more information about KMS, see What is KMS?

Background information

Encryption keys are generated and managed by KMS. PolarDB does not provide the keys or certificates that are required for encryption. In some zones, you can use the keys that are automatically generated by Alibaba Cloud or use your own key materials to generate data keys, and then authorize PolarDB to use the keys.

Precautions

  • After TDE is enabled, it cannot be disabled.
  • In I/O-bound scenarios, database performance may deteriorate after you enable TDE for the cluster, because every page read or written to disk is decrypted or encrypted.
  • The PolarDB cluster restarts after you enable TDE for the cluster. Proceed with caution.
  • TDE cannot be enabled for clusters that have joined a global database network (GDN). Clusters that have the TDE feature enabled cannot join a GDN.
  • When you use an existing custom key, you must note the following points:
    • If you disable the key, schedule the key for deletion, or delete the key materials, the key becomes unavailable and the cluster can no longer decrypt its data.
    • If the authorization granted to your PolarDB cluster is revoked, the cluster becomes unavailable the next time it restarts.
    • You must use your Alibaba Cloud account or an account that has the AliyunSTSAssumeRoleAccess permission.

Use a key that is automatically generated by Alibaba Cloud

  1. Log on to the PolarDB console.
  2. At the top of the page, select the region where the target cluster is located.
  3. Find the target cluster and click the cluster ID to go to the Overview page.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the TDE Settings tab, turn on TDE Status.
  6. In the Configure TDE dialog box, select Use Default Key of KMS.
  7. Click OK to enable TDE.

Use an existing custom key

  1. Log on to the PolarDB console.
  2. At the top of the page, select the region where the target cluster is located.
  3. Find the target cluster and click the cluster ID to go to the Overview page.
  4. On the TDE Settings tab, turn on TDE Status.
  5. In the Configure TDE dialog box, select Use Existing Custom Key.
    Note If you do not have a custom key, click Create Custom Key to go to the KMS console. On the KMS console, you can import your own key materials to create a custom key. For more information, see Manage CMKs.
  6. Click OK to enable TDE.

Encrypt a table

Log on to the database and execute the following statement to encrypt a table:

ALTER TABLE <tablename> ENCRYPTION = 'Y';

Decrypt a table

Execute the following statement to decrypt a table that is encrypted by TDE:

ALTER TABLE <tablename> ENCRYPTION = 'N';
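The following is an added example (not from the PolarDB documentation) that encrypts one table and then checks encryption status from table metadata rather than from query results, which always return plaintext. It assumes a database named appdb, a table named customer_pii, and that PolarDB for MySQL 8.0 exposes MySQL 8.0's INFORMATION_SCHEMA.TABLES.CREATE_OPTIONS column, which records ENCRYPTION="Y" for encrypted InnoDB tables.

```sql
-- Added example, not part of the PolarDB documentation.
-- Assumes database `appdb` and table `customer_pii` (both constructed here).
USE appdb;

CREATE TABLE customer_pii (
  id        BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  full_name VARCHAR(128)    NOT NULL,
  email     VARCHAR(254)    NOT NULL,
  INDEX idx_email (email)
) ENGINE = InnoDB;

-- Step 1: encrypt the table (TDE must already be enabled on the cluster).
ALTER TABLE customer_pii ENCRYPTION = 'Y';

-- Step 2: verify from metadata. Assumes MySQL 8.0 semantics, where
-- CREATE_OPTIONS contains ENCRYPTION="Y" (the `_` wildcard tolerates
-- either quote style around the Y).
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'appdb'
  AND TABLE_NAME = 'customer_pii'
  AND CREATE_OPTIONS LIKE '%ENCRYPTION=_Y_%';
-- Expected: one row for customer_pii.

-- Step 3 (audit): list InnoDB tables in appdb that are still unencrypted.
-- Enabling TDE on the cluster does not by itself encrypt existing tables,
-- so this query shows what still needs the ALTER TABLE above.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'appdb'
  AND TABLE_TYPE = 'BASE TABLE'
  AND ENGINE = 'InnoDB'
  AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION=_Y_%';
```

Run the audit query periodically (or from a scheduled job) so that tables created later without ENCRYPTION = 'Y' are caught before they accumulate sensitive data.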

FAQ

  • Can I use database tools such as Navicat after TDE is enabled?

    Yes, you can use database tools such as Navicat after TDE is enabled.

  • Why is the data still in plaintext after encryption?

    When data is queried, it is decrypted as it is loaded from disk into memory, so query results always appear in plaintext. After TDE is enabled, the data files stored on disk are encrypted.