You can call the ModifyDBInstanceTDE operation to enable Transparent Data Encryption (TDE) for an ApsaraDB RDS instance.

TDE performs real-time I/O encryption and decryption on data files: data is encrypted before it is written to disk and decrypted when it is read from disk into memory. For more information, see ~~96121~~.

Before you call this operation, make sure the following requirements are met:

  • Key Management Service (KMS) must be activated. If KMS is not activated, you can activate KMS when you enable TDE.
  • Your RDS instance must run one of the following database engines and RDS editions:
    • MySQL 5.6
    • MySQL 5.7 on RDS High-availability Edition with local SSDs
    • SQL Server 2019 SE or an Enterprise Edition of SQL Server

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description

Action String Yes ModifyDBInstanceTDE

The operation that you want to perform. Set the value to ModifyDBInstanceTDE.

DBInstanceId String Yes rm-uf6wjk5****

The ID of the instance. You can call the DescribeDBInstances operation to query the IDs of instances.

TDEStatus String Yes Enabled

Specifies whether to enable TDE. Valid values:

  • Enabled
  • Disabled

DBName String No testDB

The name of the database for which you want to enable TDE. Up to 50 names can be entered in a single request. If you specify multiple names, separate them with commas (,).

Note This parameter is available and must be specified only when the instance runs SQL Server 2019 SE or an Enterprise Edition of SQL Server.

EncryptionKey String No 749c1df7-****-****-****-****

The ID of the private key.

Note This parameter is available only when the instance runs MySQL.

RoleArn String No acs:ram::1406926****:role/aliyunrdsinstanceencryptiondefaultrole

The Alibaba Cloud Resource Name (ARN) of a RAM role. A RAM role is a virtual RAM identity that you can create within your Alibaba Cloud account. For more information, see RAM role overview.

Note This parameter is available only when the instance runs MySQL.

Certificate String No oss-ap-southeast-1.aliyuncs.com:****:key.cer

The file that contains the certificate used for TDE.

You must specify this parameter in one of the following formats:

  • Public endpoint: oss-<region ID>.aliyuncs.com:<OSS bucket name>:<certificate file name> (the file name must include the extension)
  • Internal endpoint: oss-<region ID>-internal.aliyuncs.com:<OSS bucket name>:<certificate file name> (the file name must include the extension)

Note
  • This parameter is available only when the instance runs SQL Server 2019 SE or an Enterprise Edition of SQL Server.
  • You can call the DescribeRegions operation to query the most recent region list.

PrivateKey String No oss-ap-southeast-1.aliyuncs.com:****:key.pvk

The file that contains the private key used for TDE.

You must specify this parameter in one of the following formats:

  • Public endpoint: oss-<region ID>.aliyuncs.com:<OSS bucket name>:<private key file name> (the file name must include the extension)
  • Internal endpoint: oss-<region ID>-internal.aliyuncs.com:<OSS bucket name>:<private key file name> (the file name must include the extension)

Note
  • This parameter is available only when the instance runs SQL Server 2019 SE or an Enterprise Edition of SQL Server.
  • You can call the DescribeRegions operation to query the most recent region list.

PassWord String No 1qaz@WSX

The password of the certificate.

Note This parameter is available only when the instance runs SQL Server 2019 SE or an Enterprise Edition of SQL Server.

Response parameters

Parameter Type Example Description
RequestId String 777C4593-8053-427B-99E2-105593277CAB

The ID of the request.

Examples

Sample requests

http(s)://rds.aliyuncs.com/?Action=ModifyDBInstanceTDE
&DBInstanceId=rm-uf6wjk5****
&TDEStatus=Enabled
&<Common request parameters>
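The sample request above leaves out the common request parameters and the signature. The following Python example, added here and not part of the Alibaba Cloud SDK or of this reference, checks the constraints listed under Request parameters and then builds the fully signed request; the access key, instance ID, bucket name and the RDS API version it uses are assumed placeholders.

```python
"""Build and sign a ModifyDBInstanceTDE request (added example, not Alibaba Cloud SDK code).
Checks the reference's parameter constraints, then applies the RPC-style HMAC-SHA1 signature
that OpenAPI Explorer otherwise computes. Credentials and IDs are constructed placeholders."""
import base64, hashlib, hmac, re, uuid
from datetime import datetime, timezone
from urllib.parse import quote

# Certificate/PrivateKey format: oss-<region ID>[-internal].aliyuncs.com:<bucket>:<file with extension>
OSS_FILE_RE = re.compile(r"^oss-[a-z0-9-]+\.aliyuncs\.com:[^:]+:[^:/]+\.[A-Za-z0-9]+$")
RDS_API_VERSION = "2014-08-15"  # assumption: the API version is not stated on this page

def validate(params):
    """Raise ValueError if params violate the constraints listed under Request parameters."""
    if not params.get("DBInstanceId"):
        raise ValueError("DBInstanceId is required")
    if params.get("TDEStatus") not in ("Enabled", "Disabled"):
        raise ValueError("TDEStatus must be Enabled or Disabled")
    if len([n for n in params.get("DBName", "").split(",") if n]) > 50:
        raise ValueError("DBName accepts at most 50 comma-separated names per request")
    for key in ("Certificate", "PrivateKey"):
        if key in params and not OSS_FILE_RE.match(params[key]):
            raise ValueError(f"{key} must be oss-<region>.aliyuncs.com:<bucket>:<file.ext>")
    return True

def percent_encode(value):
    """RFC 3986 encoding used by the signature: space -> %20, '*' -> %2A, '~' is kept."""
    return quote(str(value), safe="~")

def sign_request(params, access_key_id, access_key_secret, method="GET",
                 nonce=None, timestamp=None):
    """Return the full parameter set: common parameters, operation parameters and Signature."""
    validate(params)
    merged = {
        "Action": "ModifyDBInstanceTDE", "Version": RDS_API_VERSION, "Format": "JSON",
        "AccessKeyId": access_key_id, "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0", "SignatureNonce": nonce or str(uuid.uuid4()),
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        **params,
    }
    # Canonicalize: sort by key, encode key and value, join with '&'; sign with secret + '&'
    canonical = "&".join(f"{percent_encode(k)}={percent_encode(merged[k])}" for k in sorted(merged))
    string_to_sign = f"{method}&{percent_encode('/')}&{percent_encode(canonical)}"
    digest = hmac.new((access_key_secret + "&").encode(), string_to_sign.encode(), hashlib.sha1).digest()
    return {**merged, "Signature": base64.b64encode(digest).decode()}

def request_url(signed):
    """Assemble the GET URL for the rds.aliyuncs.com endpoint used in the sample request."""
    query = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in signed.items())
    return "https://rds.aliyuncs.com/?" + query
```

Treat the access key secret like any other credential: keep it out of the URL, which only carries the derived Signature, and rotate it if a signed request is ever logged with its secret.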

Sample success responses

XML format

<ModifyDBInstanceTDEResponse>
      <RequestId>777C4593-8053-427B-99E2-105593277CAB</RequestId>
</ModifyDBInstanceTDEResponse>

JSON format

{
    "ModifyDBInstanceTDEResponse": {
        "RequestId": "777C4593-8053-427B-99E2-105593277CAB"
    }
}

Error codes

HTTP status code Error code Error message Description

403 IncorrectDBInstanceLockMode
    Error message: Current DB instance lock mode does not support this operation.
    Description: The error message returned because the operation is not supported by the lock mode of the instance.

400 Invalid.PrivateKey
    Error message: The requested privateKey parameter is invalid.
    Description: The error message returned because the value of the PrivateKey parameter is invalid.

400 Invalid.Certificate
    Error message: The requested certificate parameter is invalid.
    Description: The error message returned because the value of the Certificate parameter is invalid.

400 CertOrPrivateKeyOrPasswordNotMatched
    Error message: The public certificate, private key, and password do not match.
    Description: The error message returned because the certificate, private key, and password do not match.

For a list of error codes, visit the API Error Center.