PolarDB for PostgreSQL (Compatible with Oracle) provides the Transparent Data Encryption (TDE) feature. TDE performs real-time I/O encryption and decryption on data files: data is encrypted before it is written to disk and decrypted when it is read into memory. TDE does not increase the size of data files, and developers can use it without changing their applications.

Prerequisites

Background information

TDE performs data-at-rest encryption at the database layer. This prevents a potential attacker from bypassing the database and reading sensitive information directly from storage. TDE can encrypt sensitive data within tablespaces as well as data stored on disks and in backups. TDE automatically decrypts data to plaintext for applications and users that have passed database authentication; the operating system and unauthorized users cannot access the encrypted data in plaintext form.

The TDE keys of PolarDB for PostgreSQL (Compatible with Oracle) are generated and managed by Key Management Service (KMS). PolarDB for PostgreSQL does not itself provide the keys and certificates that are required for encryption. You can use the keys that are automatically generated by Alibaba Cloud, or use your own key material to generate data keys and then authorize PolarDB to use them.

Precautions

  • You cannot disable TDE after it is enabled.
  • You can enable TDE only when you create a cluster.
  • In I/O-bound workloads, TDE may affect database performance after it is enabled.

Procedure

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
  3. On the Clusters page, click Create Cluster.
  4. On the PolarDB buy page, specify PolarDB purchase information and select Enable TDE.
  5. Click Buy Now.
  6. On the Confirm Order page, confirm the order information, read and accept the agreement of service, and then click Activate Now.
  7. On the Purchase page, confirm the order and the payment method, and click Purchase.
    Note After you complete the payment, wait for 10 to 15 minutes. Then, you can view the newly created cluster on the Clusters page.

View the TDE status

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the TDE Settings tab, view TDE Status.

FAQ

  • After I enable TDE, can I still use common database tools, such as Navicat?

    Yes, you can still use common database tools after you enable TDE.

  • After I enable TDE, why is my data still in plaintext?

    After TDE is enabled, the data stored on disk is encrypted. When data is queried, it is decrypted as it is read into memory, so query results are displayed in plaintext.

Related API operations

  API               Description
  CreateDBCluster   Creates a PolarDB cluster and enables TDE.
    Note The DBType parameter must be set to PostgreSQL or Oracle.