Transparent Data Encryption (TDE) can be used to perform real-time I/O encryption and decryption on instance data files. To improve data security, you can enable TDE to encrypt instance data.

Currently, TDE is only applicable to databases of SQL Server 2008 R2 and MySQL 5.6. To view or modify TDE settings, you need to log on with an Alibaba Cloud account rather than a RAM account.

Background information

TDE provides real-time I/O encryption and decryption on data files. The data is encrypted before being written to the disk and decrypted when being reading from the disk into the memory. TDE does not increase the size of data files. Developers do not have to modify any applications before using the TDE function.


  • Once TDE is activated, it cannot be deactivated.
  • Encryption uses keys produced and managed by the Key Management Service (KMS). RDS does not provide the keys and certificates required for encryption. After TDE is activated, if you want to restore data to your local device, use RDS to decrypt the data first.
  • After TDE is activated, CPU usage significantly increases.


KMS is activated.


  1. Log on to the RDS console and select the target instance.
  2. Click Data Security in the left-side navigation pane.
  3. On the Data Security page, click the TDE tab.
  4. Click Not Activated, as shown in the following figure.

  5. Click OK to activate TDE.
    If you have not activated KMS, you are prompted to do so when activating TDE. After activating KMS, click Not Activated to activate TDE.
  6. Log on to the database and run the following command to encrypt the relevant tables.
    alter table <tablename> engine=innodb, block_format=encrypted;

Subsequent operation

If you want to decrypt a table encrypted by TDE, run the following command.

alter table <tablename> engine=innodb, block_format=default;