PolarDB for PostgreSQL provides the Transparent Data Encryption (TDE) feature. TDE performs real-time I/O encryption and decryption on data files: data is encrypted before it is written to disk and decrypted when it is read into memory. TDE does not increase the size of data files, and developers can use TDE without making changes to applications.

Prerequisites

  • The cluster runs PolarDB for PostgreSQL.
  • Key Management Service (KMS) is activated. If KMS has not been activated, you can activate KMS for free.

Background information

TDE performs data-at-rest encryption at the database layer. This prevents potential attackers from bypassing the database and reading sensitive information directly from storage. TDE can encrypt sensitive data within tablespaces as well as data stored on disks and in backups. TDE automatically decrypts data to plaintext for applications and users that have passed database authentication. Operating system users and unauthorized users cannot access the encrypted data in plaintext form.

The TDE keys of PolarDB for PostgreSQL are generated and managed by KMS. PolarDB does not provide the keys and certificates that are required for encryption. You can authorize PolarDB to use the keys that are automatically generated by Alibaba Cloud or the keys that are generated from your own key materials.

Precautions

  • You cannot disable TDE after it is enabled.
  • You can enable TDE only when you create a cluster.
  • In I/O-bound workloads, enabling TDE may affect database performance.
  • If you use an existing custom key, pay attention to the following items:
    • If you disable the key, configure a plan to delete the key, or delete the key materials, the key becomes unavailable.
    • If you revoke the authorization granted to a PolarDB cluster, the cluster becomes unavailable after it is restarted.
    • You must use your Alibaba Cloud account or an account that has the AliyunSTSAssumeRoleAccess permission.

Procedure

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster resides.
  3. On the Clusters page, click Create Cluster.
  4. On the PolarDB buy page, specify PolarDB purchase information and select Enable TDE.
    Note For more information, see Create a PolarDB-O cluster.
  5. Click Buy Now.
  6. On the Confirm Order page, confirm the order information, read and accept the agreement of service, and then click Pay.
  7. On the Purchase page, confirm the order and the payment method, and click Purchase.
    Note After you complete the payment, wait 10 to 15 minutes. Then, you can view the newly created cluster on the Clusters page.

View the TDE status

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster resides.
  3. Find the cluster, and then click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the TDE Settings tab, view TDE Status.

Switch to a custom key

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster resides.
  3. Find the cluster, and then click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the TDE Settings tab, click Switch to Custom Key on the right side of TDE Status.
  6. In the Configure TDE dialog box, select Use Existing Custom Key.
    Note If you do not have a custom key, click Create Custom Key to create a key in the KMS console and import the key material. For more information, see Manage CMKs.
  7. In the message that appears, click OK.

FAQ

  • After I enable TDE, can I still use common database tools, such as Navicat?

    Yes, you can still use common database tools after you enable TDE.

  • After I enable TDE, why is my data still in plaintext?

    After TDE is enabled, the stored data is encrypted. When data is queried, it is decrypted and read to the memory. Therefore, it is displayed in plaintext.

Related API operations

  API:         CreateDBCluster
  Description: Creates a PolarDB cluster and enables TDE.
  Note:        The DBType parameter must be set to PostgreSQL or Oracle.