Set TDE - User Guide| Alibaba Cloud Documentation Center

Apsara PolarDB-O supports the Transparent Data Encryption (TDE) feature. TDE performs real-time I/O encryption and decryption on data files. Data can be encrypted before being written to a disk and decrypted when read into memory. TDE does not increase the size of data files. Developers can use TDE without making changes to applications.

Prerequisites

The version of the cluster is Apsara PolarDB-O.
Key Management Service (KMS) is activated. If KMS has not been activated, you can activate KMS for free.

Background information

TDE performs data-at-rest encryption at the database layer. This prevents potential attackers bypassing the database to read sensitive information from storage. TDE can encrypt sensitive data within tablespaces and data stored in disks and backups. TDE also automatically decrypts data to plaintext for applications and users that have passed the database authentication. OS and unauthorized users are not allowed to access the encrypted data in plaintext form.

TDE keys of Apsara PolarDB-P are created and managed by KMS. Apsara PolarDB-P does not provide keys and certificates required for encryption. You can use the keys automatically generated by Alibaba Cloud, or use your own materials to generate data keys and then authorize Apsara PolarDB to use them.

Precautions

You cannot disable TDE after it is enabled.
You can only enable TDE when you create a cluster.
In I/O bound workload cases, TDE may affect database performance after it is enabled.
When you use an existing custom key, please pay close attention to the following:
- If you disable a key, set a key deletion plan, or delete the key material, the key becomes unavailable.
- If you revoke the authorization to an Apsara PolarDB cluster, the cluster becomes unavailable after it is restarted.
- You must use your Alibaba Cloud account or an account with the AliyunSTSAssumeRoleAccess permission.

Procedure

Login ApsaraDB for PolarDB console.
In the upper-left corner of the console, select the region where the cluster is located.
On the Clusters page, click Create Cluster.
On the Apsara PolarDB Subscription Page, specify PolarDB purchase information, select Enable TDE.

Note For more information about the purchase page, see CreateDBCluster.
Click Buy Now on the right side of the page.
On the Confirm Order page, confirm your order information, read and select Apsara PolarDB Subscription Agreement of Service, and then click Pay.

Note After the payment is complete, the cluster is created within about 10 minutes.

View the TDE status

Login ApsaraDB for PolarDB console.
In the upper-left corner of the console, select the region where the cluster is located.
Find the target cluster and click the cluster ID.
In the left-side navigation pane, select Configuration and Management > Security Management.
On the TDE Settings tab, view TDE Status

Switch to a custom key

Login ApsaraDB for PolarDB console.
In the upper-left corner of the console, select the region where the cluster is located.
Find the target cluster and click the cluster ID.
In the left-side navigation pane, select Configuration and Management > Security Management.
On the TDE Settings tab, click Switch to Custom Key on the right side of TDE Status.
In the Configure TDE dialog box, select Use Existing Custom Key.

Note If you do not have a custom key, click Create Custom Key to create a key in the KMS console and import the key material. For more information, see KMS.
Click OK.

FAQ

Q: Can common database tools, such as Navicat, be used normally after TDE is enabled?
A: Yes.
Q: Why is the data still in plaintext after encryption?
A: After TDE is enabled, the stored data is encrypted. When data is queried, it is decrypted and read to the memory. It is displayed in plaintext.

Related API operations


API	Description
CreateDBCluster	Creates an Apsara PolarDB cluster and enables TDE for the cluster. Note The DBType parameter must be set to PostgreSQL or Oracle.