This topic describes the data encryption features in ApsaraDB for MongoDB.

SSL

ApsaraDB for MongoDB provides Secure Sockets Layer (SSL). You can prevent man-in-the-middle attacks by using the server root certificate to verify that the destination database is an ApsaraDB for MongoDB instance. ApsaraDB for MongoDB also allows you to enable and update SSL certificates for servers to ensure data security and validity. For more information about how to configure SSL, see Configure SSL encryption for an ApsaraDB for MongoDB instance.
Notice: Although ApsaraDB for MongoDB can encrypt the connection between an application and a database, SSL does not work properly unless the application authenticates the server. In addition, SSL consumes extra CPU resources and, to a certain degree, affects the throughput and response time of ApsaraDB for MongoDB instances. The actual impact depends on how often users connect and how frequently data is transferred.

TDE

ApsaraDB for MongoDB provides Transparent Data Encryption (TDE). TDE uses the Advanced Encryption Standard (AES) algorithm. The TDE key is encrypted and stored by Key Management Service (KMS). ApsaraDB for MongoDB reads the key only once, when the instance is started or migrated. You can log on to the KMS console to replace the key.

After TDE is enabled for an ApsaraDB for MongoDB instance, the data of the specified database or collection is encrypted before it is written to any device, such as an HDD, SSD, or PCIe card, or to any service, such as OSS. Therefore, the data files and backups of the instance are all stored as ciphertext. For more information about how to configure TDE, see Configure TDE for an ApsaraDB for MongoDB instance.