Set Transparent Data Encryption

Last Updated: Jun 27, 2017

Transparent Data Encryption (TDE) can be used to perform real-time I/O encryption and decryption on instance data files. To increase data security, you can enable TDE to encrypt instance data.

Note: Currently TDE is only applicable to the database of SQL Server 2008 R2.

Background information

TDE provides real-time I/O encryption and decryption on data files. The data are encrypted before being written to the disk and decrypted when read from the disk into the memory. TDE will not increase the size of data files. Developers will not have to modify any applications before using the TDE function.


  • Once TDE is activated, it cannot be deactivated.

  • Encryption uses keys produced and managed by the Key Management Service (KMS). RDS does not provide the keys and certificates needed for encryption. After activating TDE, if the user wants to restore the data to the local device, he must use RDS to decrypt the data first.

  • After activating TDE, CPU usage will significantly increase.


Key Management Service (KMS) is activated.

Operation procedure

  1. Log on to the RDS Console and select the target instance.

  2. Select Data Security in the left-side menu. Then, on the Data Security page, select the TDE tab.

  3. Click Not Activated, as shown below.

    Activating TDE

  4. Click OK to activate TDE.

    Note: If you have not activated the Key Management Service, you will be prompted to do so when activating TDE. After activating the Key Management Service, click Not Activated to activate TDE.

  5. Log on to the database and execute the following command to encrypt the relevant tables.

    1. alter table <tablename> engineinnodb, block_format=encrypted;

Subsequent operations

If you want to decrypt a table encrypted with TDE, execute the following command.

  1. alter table <tablename> engineinnodb, block_format=default;
Thank you! We've received your feedback.