Transparent Data Encryption (TDE) encrypts and decrypts data files in real time at the database layer, preventing attackers from reading sensitive information directly from storage. Enable TDE to meet security compliance requirements and protect data at rest.
Background information
Introduction: After TDE is enabled, data is encrypted before being written to disk and decrypted when read into memory. Authenticated applications and users can transparently access data (no changes to application code or configurations are required), while unauthorized users cannot access plaintext data in tablespace files, on disks, or in backups.
Keys: Key Management Service (KMS) generates and manages the keys for TDE. ApsaraDB RDS does not provide encryption keys or certificates. You can use an Alibaba Cloud-generated key or your own customer master keys (CMKs) by authorizing ApsaraDB RDS to use them.
Encryption algorithms: The encryption algorithm depends on the database engine version.
|
Database engine version |
Supported encryption algorithms |
Algorithm modification |
|
MySQL 5.6 |
|
You cannot modify the encryption algorithm. |
|
MySQL 5.7 and 8.0 |
|
Use the |
Modifying the innodb_encrypt_algorithm parameter is a high-risk operation. It affects the encryption and decryption algorithm for all encrypted data within the instance, such as encrypted tables and logs. If this parameter's value differs from the data's encryption algorithm, the data cannot be decrypted. The innodb_encrypt_algorithm parameter is not displayed in the console. To modify this parameter, submit a ticket.
Prerequisites
-
To use the TDE feature, your ApsaraDB RDS instance must meet the following requirements:
-
Database engine version: MySQL 8.0, 5.7, or 5.6 with a minor engine version of 20191015 or later.
-
Edition: High-availability Edition or Cluster Edition.
-
-
Key Management Service (KMS) is activated. If not, follow the on-screen instructions to activate it when you enable TDE.
-
Use your Alibaba Cloud account to authorize ApsaraDB RDS to access Key Management Service (KMS).
Considerations
-
After TDE is enabled, it cannot be disabled, the key cannot be changed, and CPU usage increases significantly.
-
Instance switchover: When you enable TDE, your ApsaraDB RDS instance restarts and an instance switchover occurs. The instance is unavailable for about 15 seconds. Perform this operation during off-peak hours and make sure that your application supports automatic reconnection.
-
No code changes required: Enabling TDE does not increase data file size or require changes to your application code or configurations.
-
Cross-region backup and restore: After TDE is enabled, support for cross-region backup and restore varies by storage type:
-
Cloud disk instances: Support both cross-region backup and cross-region restore.
-
Local disk instances: Support only cross-region backup. Cross-region restore is not supported.
For more information about cross-region backup, see Cross-region backup. To restore data to an on-premises machine, you must decrypt the data first.
-
-
Configuration change limits: After TDE is enabled, you cannot change the instance edition from High-availability Edition to Cluster Edition.
-
CMK limits: If you use an existing CMK, note the following:
-
You can use only symmetric keys. Asymmetric keys are not supported.
-
A key becomes unavailable if the KMS instance is unavailable due to expiration or deletion, the key is disabled, a deletion is scheduled for the key, or the key material is deleted. In such cases, the ApsaraDB RDS instance data cannot be restored.
-
If you revoke the authorization and then restart the ApsaraDB RDS instance, the instance becomes unavailable.
-
-
Minor engine version upgrade: For instance stability, upgrade the minor engine version of the primary instance and its read-only instances, if any, to the latest version.
Enable TDE
You can enable TDE with an Alibaba Cloud-generated key or your own CMK. This operation requires an Alibaba Cloud account or an account with the AliyunSTSAssumeRoleAccess permission.
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
-
In the left-side navigation pane, click Data Security. Then, click the TDE tab.
-
In the
-
Select a key type.
-
Use an Automatically Generated Key: This option uses a service key from KMS.
-
Use Existing Custom Key : Select an existing CMK. Only symmetric keys are supported.
NoteIf no key is available, click create now. to go to the KMS console and create a key and import your own key material. When you create the key, select Symmetric Key for the Key Type parameter.
-
-
Click OK to enable TDE.
Encrypt and decrypt data
Encrypt data
Log on to the database and run the following command to encrypt a table.
After enabling TDE, existing tables are not automatically encrypted. You must manually encrypt existing tables by running the following commands.
-
MySQL 5.6:
ALTER TABLE <tablename> engine=innodb,block_format=encrypted; -
MySQL 5.7 or 8.0:
ALTER TABLE <tablename> encryption='Y';
Decrypt data
Log on to the database and run the appropriate command to decrypt a table.
-
MySQL 5.6:
ALTER TABLE <tablename> engine=innodb,block_format=default; -
MySQL 5.7 or 8.0:
ALTER TABLE <tablename> encryption='N';
FAQ
-
Q1: Can I continue to use common database tools, such as Navicat, after I enable TDE?
A: Yes, you can. TDE is transparent to authenticated connections. Database tools like Navicat connect as authorized users. Therefore, data is automatically decrypted in memory when accessed. Your client tools require no changes.
-
Q2: Can I still migrate data to other ApsaraDB RDS instances after I enable TDE?
A: Yes, you can. Data migration tools connect to the source database as an authenticated user and read the data after the database engine transparently decrypts it. The migration process is the same as for an unencrypted instance.
-
Q3: Why is data displayed in plaintext when I query an encrypted table?
A: This is expected behavior. TDE protects data at rest on disk, not data in use in memory. When an authorized user queries an encrypted table, the database engine decrypts the data in memory before returning results. Data files on disk and in backups remain encrypted, preventing unauthorized access if physical storage or backup files are compromised. To restore encrypted backups to an on-premises machine, you must first decrypt the data in the source database.
References
-
For a comparison of database encryption technologies, see Comparison of database encryption technologies.
-
To encrypt data in transit, you can enable SSL encryption. For more information, see Use a cloud certificate to enable SSL encryption.
-
For more information about key-related operations, see Key Management Service.
API reference
|
API |
Description |
|
To enable TDE for an ApsaraDB RDS instance, set the TDEStatus parameter to Enabled. Configure other parameters as needed. |