Transparent Data Encryption (TDE) can be used to perform real-time I/O encryption and decryption on instance data files. To increase data security, you can enable TDE to encrypt instance data.

Note: Currently TDE is only applicable to the database of SQL Server 2008 R2 and MySQL 5.6. To view or modify TDE settings, you need to log in with an Alibaba Cloud account rather than a RAM account.

Background information

TDE provides real-time I/O encryption and decryption on data files. The data is encrypted before being written to the disk and decrypted when reading from the disk into the memory. TDE does not increase the size of data files. Developers does not have to modify any applications before using the TDE function.


  • Once TDE is activated, it cannot be deactivated.
  • Encryption uses keys produced and managed by the Key Management Service (KMS). RDS does not provide the keys and certificates needed for encryption. After activating TDE, if the user wants to restore the data to the local device, he must use RDS to decrypt the data first.
  • After activating TDE, CPU usage significantly increases.


Key Management Service (KMS) is activated.


  1. Log on to the RDS console and select the target instance.
  2. Select Data Security in the left-side navigation pane. Then, on the Data Security page, select the TDE tab.
  3. Click Not Activated, as shown in the following figure.

  4. Click OK to activate TDE.
    If you have not activated the Key Management Service, you are prompted to do so when activating TDE. After activating the Key Management Service, click Not Activated to activate TDE.
  5. Log on to the database and run the following command to encrypt the relevant tables.
    alter table <tablename> engine=innodb, block_format=encrypted;

Subsequent operations

If you want to decrypt a table encrypted with TDE, run the following command.

alter table <tablename> engine=innodb, block_format=default;