ApsaraDB for Redis provides transparent data encryption (TDE), which can be used to encrypt and decrypt RDB files. You can enable TDE in the ApsaraDB for Redis console to automatically encrypt and decrypt RDB files and improve data security and compliance.

Prerequisites

Background information

TDE encrypts RDB files when they are written to disk and decrypts them when they are read from disk into memory. TDE does not increase the size of RDB files. When you use TDE, you do not need to modify the application that uses the ApsaraDB for Redis instance.

Impacts

You cannot disable TDE after it is enabled. You must evaluate the impact on your business before you enable TDE.

Precautions

  • TDE is enabled for an entire instance. You cannot enable TDE for an individual key or for a single database.
  • TDE encrypts RDB backup files written to disk, such as dump.rdb.
  • Key Management Service (KMS) generates and manages the keys used by TDE. ApsaraDB for Redis does not provide keys or certificates required for encryption.

Procedure

  1. Log on to the ApsaraDB for Redis console.
  2. In the top navigation bar of the page, select the region in which the instance is deployed.
  3. On the Instances page, click the ID of the instance.
  4. In the left-side navigation pane, click TDE Settings.
  5. Turn on the switch next to TDE Status to enable TDE.
    Note If an earlier minor version is used, the switch is dimmed. For more information about how to view and upgrade the minor version, see Update the minor version.
  6. In the dialog box that appears, select Use Automatically Generated Key or Use Custom Key, and then click OK.
    Figure 1. Select key type for enabling TDE
    Note
    • If this is the first time that your Alibaba Cloud account enables TDE for an ApsaraDB for Redis instance, follow the instructions on the page to authorize the role AliyunRdsInstanceEncryptionDefaultRole. KMS can be used only after the authorization is complete.
    • For more information about how to create a custom key, see Create a CMK.
    After the preceding operation, the instance status changes to Modifying TDE. After the status changes to Running, TDE is enabled.

Related API operations

  • ModifyInstanceTDE: Enables TDE for an ApsaraDB for Redis instance. You can use automatically generated keys or existing custom keys.
  • DescribeInstanceTDEStatus: Views whether TDE is enabled for an ApsaraDB for Redis instance.
  • DescribeEncryptionKeyList: Views the list of custom keys that can be used by TDE of an ApsaraDB for Redis instance.
  • DescribeEncryptionKey: Views the details of a custom key used by TDE of an ApsaraDB for Redis instance.
  • CheckCloudResourceAuthorized: Views whether an ApsaraDB for Redis instance is authorized to use KMS.
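The console procedure above can also be scripted with the Alibaba Cloud CLI (`aliyun`) and the ModifyInstanceTDE and DescribeInstanceTDEStatus operations. The script below is an added example, not code from the original page or from Alibaba Cloud; it assumes the CLI is installed and configured, that the AliyunRdsInstanceEncryptionDefaultRole authorization was completed once in the console, that DescribeInstanceTDEStatus reports a TDEStatus of "Enabled" or "Disabled", and that the instance ID and KMS key ID passed in are placeholders you replace.

```shell
#!/bin/sh
# Added example (not from the original page): enable TDE on an ApsaraDB for
# Redis instance with the Alibaba Cloud CLI, using the operations the page lists.
# Assumptions: `aliyun` is installed and configured; the response of
# DescribeInstanceTDEStatus contains "TDEStatus": "Enabled" or "Disabled";
# instance and key IDs passed by the caller are placeholders.

# Extract the TDEStatus value from a DescribeInstanceTDEStatus JSON response.
tde_status_of() {
    printf '%s' "$1" | sed -n 's/.*"TDEStatus" *: *"\([^"]*\)".*/\1/p'
}

# Build the ModifyInstanceTDE arguments. An empty key ID corresponds to
# "Use Automatically Generated Key"; a KMS key ID corresponds to "Use Custom Key".
modify_tde_args() {
    inst="$1"; key="$2"
    if [ -n "$key" ]; then
        printf '%s' "--InstanceId $inst --TDEStatus Enabled --EncryptionKey $key"
    else
        printf '%s' "--InstanceId $inst --TDEStatus Enabled"
    fi
}

# Enable TDE only if it is not already on (it cannot be disabled afterwards),
# then poll until the instance reports TDE as Enabled.
enable_tde() {
    inst="$1"; key="$2"
    current=$(tde_status_of "$(aliyun r-kvstore DescribeInstanceTDEStatus --InstanceId "$inst")")
    if [ "$current" = "Enabled" ]; then
        echo "TDE is already enabled on $inst"; return 0
    fi
    # shellcheck disable=SC2046  # word splitting of the argument list is intended
    aliyun r-kvstore ModifyInstanceTDE $(modify_tde_args "$inst" "$key") >/dev/null || return 1
    n=0
    while [ "$n" -lt 60 ]; do          # wait up to 10 minutes for "Modifying TDE" to finish
        sleep 10
        current=$(tde_status_of "$(aliyun r-kvstore DescribeInstanceTDEStatus --InstanceId "$inst")")
        [ "$current" = "Enabled" ] && { echo "TDE enabled on $inst"; return 0; }
        n=$((n + 1))
    done
    echo "timed out waiting for TDE on $inst" >&2; return 1
}

# Usage: enable_tde <instance-id> [custom-kms-key-id]
# enable_tde r-bp1example            # automatically generated key (placeholder ID)
# enable_tde r-bp1example key-example  # custom KMS key (placeholder IDs)
```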

FAQ

  • How do I decrypt an encrypted RDB file?

    The RDB file cannot be decrypted. You can restore the backup set to a new instance. After the restoration is complete, the data is automatically decrypted.

  • Why is the data read by applications still displayed in plaintext?

    Only RDB backup files written to disk are encrypted. Data returned by queries is read from memory, which TDE does not encrypt, so it is displayed in plaintext.