PolarDB-O provides the Transparent Data Encryption (TDE) feature. TDE performs real-time I/O encryption and decryption on data files. Data can be encrypted before it is written to a disk and decrypted when it is read into memory. TDE does not increase the size of data files. Developers can use TDE without making changes to applications.
Prerequisites
- The version of the cluster is PolarDB-O .
- Key Management Service (KMS) is activated. If KMS has not been activated, you can activate KMS for free.
Background information
TDE performs data-at-rest encryption at the database layer. This prevents potential attackers from bypassing the database to read sensitive information directly from storage. TDE can encrypt sensitive data within tablespaces, data stored on disks, and backups. TDE also automatically decrypts data to plaintext for applications and users that have passed database authentication. Operating system users and other unauthorized users cannot access the encrypted data in plaintext form.
The TDE keys of PolarDB-O are generated and managed by KMS, in the same way as the keys of PolarDB for PostgreSQL. PolarDB does not provide the keys and certificates that are required for encryption. You can use the keys that are automatically generated by Alibaba Cloud, or use your own key materials to generate data keys and then authorize PolarDB to use them.
Precautions
- You cannot disable TDE after it is enabled.
- You can enable TDE only when you create a cluster.
- In I/O-bound workloads, TDE may affect database performance after it is enabled.
- If you use an existing custom key, pay attention to the following items:
  - If you disable the key, schedule the key for deletion, or delete the key materials, the key becomes unavailable.
  - If you revoke the authorization granted to a PolarDB cluster, the cluster becomes unavailable after it is restarted.
- You must use your Alibaba Cloud account or an account with the AliyunSTSAssumeRoleAccess permission.
Procedure
View the TDE status
Switch to a custom key
FAQ
- After I enable TDE, can I still use common database tools, such as Navicat?
  Yes, you can still use common database tools after you enable TDE.
- After I enable TDE, why is my data still in plaintext?
  After TDE is enabled, the stored data is encrypted. When data is queried, it is decrypted as it is read into memory. Therefore, it is displayed in plaintext.
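The behaviour described above and in the background section (encrypt before the page reaches disk, decrypt as it is read into memory, file size unchanged, a reader that bypasses the database sees only ciphertext) can be modelled in a few dozen lines. The following Go program is an added example for this page, not PolarDB's implementation: it assumes a fixed 8 KiB page size, an in-memory key standing in for a KMS-managed key, and AES-CTR with an IV built from the page number and a per-page write generation so that rewriting a page never reuses a keystream. The sample row content is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// PageSize is the size of one data-file page in this model (a constructed
// value for the example, not PolarDB's page size).
const PageSize = 8192

// encryptedPage is what sits on disk: the ciphertext plus the write
// generation that was mixed into the IV. Real engines keep such metadata in
// the page header; the size of the data itself does not change.
type encryptedPage struct {
	gen  uint64
	data []byte
}

// TDEStore models a data file whose pages are encrypted before they are
// written and decrypted as they are read into memory. In a real deployment
// the key comes from a KMS; here it is an in-memory byte slice (assumption).
type TDEStore struct {
	block cipher.Block
	pages map[uint64]encryptedPage
}

// NewTDEStore accepts a 16-, 24- or 32-byte AES key.
func NewTDEStore(key []byte) (*TDEStore, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &TDEStore{block: block, pages: make(map[uint64]encryptedPage)}, nil
}

// pageIV derives a counter block from the page number and write generation
// so that no two writes ever reuse a keystream (CTR mode is only safe if a
// (key, IV) pair is never repeated).
func pageIV(pageNo, gen uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[:8], pageNo)
	binary.BigEndian.PutUint64(iv[8:], gen)
	return iv
}

// xorPage applies AES-CTR. CTR is a stream construction, so ciphertext and
// plaintext have the same length and one function serves both directions.
func (s *TDEStore) xorPage(pageNo, gen uint64, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(s.block, pageIV(pageNo, gen)).XORKeyStream(out, in)
	return out
}

// WritePage is the write path: plaintext is encrypted before it reaches disk.
func (s *TDEStore) WritePage(pageNo uint64, plaintext []byte) error {
	if len(plaintext) != PageSize {
		return fmt.Errorf("page %d: expected %d bytes, got %d", pageNo, PageSize, len(plaintext))
	}
	gen := s.pages[pageNo].gen + 1 // missing page has gen 0, so the first write uses 1
	s.pages[pageNo] = encryptedPage{gen: gen, data: s.xorPage(pageNo, gen, plaintext)}
	return nil
}

// ReadPage is the read path: the page is decrypted on its way into memory,
// which is why an authenticated database session sees plaintext.
func (s *TDEStore) ReadPage(pageNo uint64) ([]byte, error) {
	p, ok := s.pages[pageNo]
	if !ok {
		return nil, errors.New("page not found")
	}
	return s.xorPage(pageNo, p.gen, p.data), nil
}

// RawPage is what a reader that bypasses the database (an OS user reading
// the file, a copied backup) gets: ciphertext only.
func (s *TDEStore) RawPage(pageNo uint64) []byte {
	return s.pages[pageNo].data
}

// DemoKey is a fixed, constructed key used only to keep the example deterministic.
func DemoKey() []byte {
	return bytes.Repeat([]byte{0x42}, 32)
}

func main() {
	store, err := NewTDEStore(DemoKey())
	if err != nil {
		panic(err)
	}
	page := make([]byte, PageSize)
	copy(page, "ssn=123-45-6789 (constructed sample row)")
	if err := store.WritePage(7, page); err != nil {
		panic(err)
	}
	back, _ := store.ReadPage(7)
	raw := store.RawPage(7)
	fmt.Printf("on disk:   %d bytes, plaintext visible: %v\n", len(raw), bytes.Contains(raw, []byte("ssn=")))
	fmt.Printf("in memory: %d bytes, plaintext visible: %v\n", len(back), bytes.Contains(back, []byte("ssn=")))
}
```

Running it shows the same page as 8192 bytes both on disk and in memory, with the sensitive row readable only after the read path has decrypted it. The per-page generation counter is the detail to notice: a transparent encryption layer that used only the page number as IV would leak the XOR of old and new contents whenever a page is rewritten.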
Related API operations
API | Description
---|---
CreateDBCluster | Creates a PolarDB cluster and enables TDE. Note: The DBType parameter must be set to PostgreSQL or Oracle.