ApsaraMQ for RocketMQ: Data encryption

Last Updated: Jan 22, 2026

ApsaraMQ for RocketMQ provides security features such as message storage encryption and encryption in transit. These features help prevent unauthorized access, data breaches, data interception, and data tampering during transmission.

Storage encryption

Encryption principle

ApsaraMQ for RocketMQ supports server-side encryption for message data. When a client sends a message, ApsaraMQ for RocketMQ persists the message on an encrypted disk. When a client consumes a message, ApsaraMQ for RocketMQ reads the data back from the encrypted disk, decrypts it, and returns the plaintext message to the client.

For more information, see Disk encryption.

Note

Enabling disk encryption may slightly decrease the read and write performance of an instance. However, the service remains stable and operates as expected.

Limits

  • Instance version limitations

    This feature is available only for Platinum Edition instances of the ApsaraMQ for RocketMQ 5.x series that use the subscription or pay-as-you-go billing method.

  • Regional restrictions

    Message storage encryption is currently supported only in the following regions: China (Hangzhou), China (Shenzhen), China (Beijing), China (Shanghai), China (Zhangjiakou), China (Qingdao), China (Hong Kong), China (Hohhot), China (Chengdu), China (Ulanqab), China (Guangzhou), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Japan (Tokyo), Philippines (Manila), South Korea (Seoul), Thailand (Bangkok), Germany (Frankfurt), US (Silicon Valley), UK (London), and US (Virginia).

  • Key type restrictions

    Only symmetric keys are supported. The key specification must be Aliyun_AES_256 or Aliyun_SM4, and the key usage must be ENCRYPT/DECRYPT.

Billing

Enabling disk encryption for an ApsaraMQ for RocketMQ instance involves the following fees:

  • ApsaraMQ for RocketMQ fees

    You are charged only the instance fee for the Platinum Edition of ApsaraMQ for RocketMQ.

  • Key Management Service (KMS) fees

    You are charged for using KMS for disk encryption. You must purchase a software key management instance or a hardware key management instance. For more information about KMS billing, see Billing.

Precautions

  • Encryption is irreversible. After you enable disk encryption, you cannot disable it. The key used for encryption must remain active to prevent message read and write failures that can occur if the KMS instance expires.

  • If you delete or disable the key used for disk encryption, the key becomes invalid. This causes message read and write operations to fail for the ApsaraMQ for RocketMQ instance. Before you delete or disable a key, check whether it is associated with any cloud resources to prevent permanent data loss.

  • If you delete the acs:rocketmq:instance-encryption tag from the key, message read and write operations will also fail for the ApsaraMQ for RocketMQ instance.

Warning

Disclaimer: You are responsible for any irrecoverable data loss on associated disk resources that occurs if a key is invalidated by your operations.
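As an added example (not code from the ApsaraMQ documentation), the following covers both the key type restriction above and the precautions about disabling, deleting or untagging the key: a pre-flight check over the KeyMetadata returned by the KMS DescribeKey API and the tag list returned by ListResourceTags. The response field names (KeySpec, KeyUsage, KeyState, TagKey, TagValue) are assumed to match those APIs, and every sample value is constructed.

```python
"""Pre-flight checks for a KMS key used for ApsaraMQ for RocketMQ disk encryption.

Added example, not part of the ApsaraMQ documentation. Field names follow the
KMS DescribeKey (KeyMetadata) and ListResourceTags (Tags) responses as an
assumption; all sample values are constructed.
"""
from __future__ import annotations

ALLOWED_SPECS = {"Aliyun_AES_256", "Aliyun_SM4"}  # only these symmetric specs are accepted
REQUIRED_USAGE = "ENCRYPT/DECRYPT"
BINDING_TAG = "acs:rocketmq:instance-encryption"   # tag that binds the key to an instance


def eligible_for_disk_encryption(key_metadata: dict) -> list[str]:
    """Return the reasons a key cannot be entered as the disk key when creating an instance."""
    problems = []
    if key_metadata.get("KeySpec") not in ALLOWED_SPECS:
        problems.append(f"KeySpec must be one of {sorted(ALLOWED_SPECS)}")
    if key_metadata.get("KeyUsage") != REQUIRED_USAGE:
        problems.append(f"KeyUsage must be {REQUIRED_USAGE}")
    if key_metadata.get("KeyState") != "Enabled":
        problems.append("KeyState must be Enabled (a disabled key makes reads and writes fail)")
    return problems


def destructive_change_allowed(key_metadata: dict, tags: list[dict]) -> tuple[bool, str]:
    """Guard to run before DisableKey, ScheduleKeyDeletion or removing the binding tag.

    Deliberately conservative: once a key carries the binding tag, disabling,
    deleting or untagging it makes message reads and writes fail and leaves the
    encrypted message data unrecoverable, so the guard refuses.
    """
    values = [t.get("TagValue") for t in tags if t.get("TagKey") == BINDING_TAG]
    key_id = key_metadata.get("KeyId")
    if values:
        return False, f"key {key_id} carries {BINDING_TAG} (value {values}); refusing"
    return True, f"key {key_id} carries no {BINDING_TAG} tag"


# Constructed sample responses.
AES_KEY = {"KeyId": "EXAMPLE-KEY-ID", "KeySpec": "Aliyun_AES_256",
           "KeyUsage": "ENCRYPT/DECRYPT", "KeyState": "Enabled"}
RSA_KEY = {"KeyId": "EXAMPLE-RSA-KEY", "KeySpec": "RSA_2048",
           "KeyUsage": "SIGN/VERIFY", "KeyState": "Enabled"}
BOUND_TAGS = [{"TagKey": BINDING_TAG, "TagValue": "EXAMPLE-TAG-VALUE"}]

if __name__ == "__main__":
    print(eligible_for_disk_encryption(AES_KEY))   # []
    print(eligible_for_disk_encryption(RSA_KEY))   # two problems
    print(destructive_change_allowed(AES_KEY, BOUND_TAGS))
```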

How to enable disk encryption

You must enable the disk encryption feature when you create an ApsaraMQ for RocketMQ instance.

This section describes only how to enable disk encryption when you create an ApsaraMQ for RocketMQ instance. For detailed configuration instructions, see Create an instance.

  1. Set Commodity Type to RocketMQ 5.0 Series (Subscription) or RocketMQ 5.0 Series (Pay-As-You-Go), and set Primary Series Type to Platinum.

  2. Enable disk encryption and enter the disk key. For more information about how to create a disk key, see Manage keys.

Encryption in transit

Feature description

ApsaraMQ for RocketMQ supports Transport Layer Security (TLS) v1.2 to authenticate the server and ensure secure data transmission between the server and clients.

Version and protocol compatibility

The server-side version, protocol, and client version are related as follows:

| Server version | Protocol          | Client version           | Compatibility | TLS protocol support                                                                                          |
|----------------|-------------------|--------------------------|---------------|---------------------------------------------------------------------------------------------------------------|
| 5.x instance   | gRPC protocol v2  | RocketMQ 5.x SDK         | Compatible    | Enabled by default. Clients that use Java SDK 5.0.5 or later can disable it.                                  |
| 5.x instance   | Remoting protocol | RocketMQ 4.x/3.x SDK     | Compatible    | Disabled by default. The client must enable it.                                                               |
| 5.x instance   | Remoting protocol | RocketMQ ONS TCP 1.x SDK | Compatible    | Disabled by default. The client must enable it.                                                               |
| 4.x instance   | Remoting protocol | RocketMQ 4.x/3.x SDK     | Compatible    | Disabled by default. The client must enable it, and you must submit a ticket to enable it on the server side. |
| 4.x instance   | Remoting protocol | RocketMQ ONS TCP 1.x SDK | Compatible    | Disabled by default. The client must enable it, and you must submit a ticket to enable it on the server side. |
| 4.x instance   | gRPC protocol v1  | RocketMQ ONS TCP 2.x SDK | Compatible    | Enabled by default. The client can disable it.                                                                |
| 4.x instance   | HTTP protocol     | RocketMQ ONS HTTP SDK    | Compatible    | Enabled by default.                                                                                           |

How clients enable encryption in transit

  • ONS Java SDK clients

    Add -Dtls.enable=true to the JVM startup parameters.

    Note

    If you use a 4.x instance, you must also submit a ticket to request that TLS be enabled on the server side.

  • Remoting protocol clients

    Java SDK

    • Method 1:

      Add -Dtls.enable=true to the JVM startup parameters.

    • Method 2:

      Add the following configuration to your producer code: producer.setUseTLS(true);

      Add the following configuration to your consumer code: consumer.setUseTLS(true);

    C++ SDK

    Add the following configuration to your producer code: producer.setEnableSsl(true);

    Add the following configuration to your consumer code: consumer.setEnableSsl(true);

    Note

    If you use a 4.x instance, you must also submit a ticket to request that TLS be enabled on the server side.

  • gRPC protocol v2 clients

    This feature is enabled by default. Clients that use Java SDK 5.0.5 or later can disable it by setting enableSsl to false.

    import org.apache.rocketmq.client.apis.ClientConfiguration;

    // Requires Java SDK 5.0.5 or later. TLS stays enabled unless enableSsl(false) is called.
    ClientConfiguration clientConfiguration = ClientConfiguration.newBuilder()
        .setEndpoints(endpoints)
        // On some Windows platforms, you may encounter SSL compatibility issues. If SSL is not essential,
        // try to resolve the issue by disabling the SSL option in the client configuration.
        .enableSsl(false)
        .setCredentialProvider(sessionCredentialsProvider)
        .build();