ApsaraDB for Redis provides transparent data encryption (TDE), which can be used to encrypt and decrypt RDB files. You can enable TDE in the ApsaraDB for Redis console to automatically encrypt and decrypt RDB files and improve data security and compliance.
TDE encrypts RDB files when they are written to disk, and decrypts them when they are read from disk into memory. TDE does not increase the size of RDB files. When you use TDE, you do not need to modify the application that uses the ApsaraDB for Redis instance.
You cannot disable TDE after it is enabled. You must evaluate the impact on your business before you enable TDE.
- You can enable TDE for an instance. You cannot enable TDE for a key or for a database.
- TDE encrypts RDB backup files written to disk, such as dump.rdb.
- Key Management Service (KMS) generates and manages the keys used by TDE. ApsaraDB for Redis does not provide keys or certificates required for encryption.
1. Log on to the ApsaraDB for Redis console.
2. In the top navigation bar of the page, select the region in which the instance is deployed.
3. On the Instances page, click the ID of the instance.
4. In the left-side navigation pane, click TDE Settings.
5. Turn on the switch next to TDE Status to enable TDE.
6. In the dialog box that appears, select Use Automatically Generated Key or Use Custom Key, and then click OK. After the preceding operation, the instance status changes to Modifying TDE. After the status changes to Running, TDE is enabled.
Related API operations
|Operation|Description|
|---|---|
|ModifyInstanceTDE|Enables TDE for an ApsaraDB for Redis instance. You can use automatically generated keys or existing custom keys.|
|DescribeInstanceTDEStatus|Queries whether TDE is enabled for an ApsaraDB for Redis instance.|
|DescribeEncryptionKeyList|Queries the list of custom keys that can be used by TDE of an ApsaraDB for Redis instance.|
|DescribeEncryptionKey|Queries the details of a custom key used by TDE of an ApsaraDB for Redis instance.|
|CheckCloudResourceAuthorized|Queries whether an ApsaraDB for Redis instance is authorized to use KMS.|
- How do I decrypt an encrypted RDB file?
The RDB file cannot be decrypted. You can restore the backup set to a new instance. After the restoration is complete, the data is automatically decrypted.
- Why is the data read by applications still displayed in plaintext?
Only RDB backup files written to disks are encrypted. Query data is read from memory and is not encrypted. Query data is displayed in plaintext.
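Because only the RDB file on disk is encrypted, one way to confirm the effect is to inspect a downloaded backup file. The following check is an added example, not code from ApsaraDB for Redis: a standard plaintext RDB file starts with the ASCII magic `REDIS` followed by a four-digit format version, and the check assumes (the page does not state this) that an encrypted backup does not expose that header. The function names, threshold, and sample data are constructed for illustration.

```python
import hashlib
import math
import re
from collections import Counter

# A plaintext Redis RDB file starts with ASCII "REDIS" plus a 4-digit version.
RDB_MAGIC = re.compile(rb"^REDIS\d{4}")


def shannon_entropy(data: bytes) -> float:
    """Return bits of entropy per byte, from 0.0 to 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def classify_backup(data: bytes, sample_size: int = 65536, threshold: float = 7.5) -> str:
    """Classify the leading bytes of a backup file.

    plaintext_rdb        standard RDB header is readable: the file is not encrypted
    opaque_high_entropy  no RDB header and near-random bytes: consistent with encryption
    unrecognized         too short or low entropy: inspect manually
    """
    sample = data[:sample_size]
    if RDB_MAGIC.match(sample):
        return "plaintext_rdb"
    if len(sample) >= 4096 and shannon_entropy(sample) >= threshold:
        return "opaque_high_entropy"
    return "unrecognized"


def classify_file(path: str) -> str:
    """Classify a backup file on disk by reading only its first 64 KiB."""
    with open(path, "rb") as fh:
        return classify_backup(fh.read(65536))


# Constructed sample: RDB header, a redis-ver AUX field, repeated string pairs.
PLAINTEXT_SAMPLE = (b"REDIS0009\xfa\tredis-ver\x056.2.6"
                    + b"\x00\x05hello\x05world" * 400 + b"\xff")
# Constructed sample: 8192 deterministic pseudo-random bytes standing in for ciphertext.
OPAQUE_SAMPLE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))

if __name__ == "__main__":
    print(classify_backup(PLAINTEXT_SAMPLE))  # plaintext_rdb
    print(classify_backup(OPAQUE_SAMPLE))     # opaque_high_entropy
```

A `plaintext_rdb` result for a backup taken after TDE was enabled warrants investigation. `opaque_high_entropy` is only consistent with encryption, because compressed data also has high entropy.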