Transparent Data Encryption (TDE) encrypts data files at the database layer in real time, preventing anyone who bypasses the database from reading sensitive data directly from storage. Authenticated applications and users continue to access data transparently — no code or configuration changes required.
This page covers how to enable TDE, encrypt and decrypt individual tables, and understand key management options and operational constraints before committing to a change that cannot be undone.
Prerequisites
Before you begin, ensure that you have:
An RDS MySQL instance running MySQL 5.6 (minor engine version 20191015 or later), 5.7, or 8.0 on High-availability Edition or Cluster Edition
Key Management Service (KMS) activated. If KMS is not yet activated, you are guided to activate it during TDE setup.
Granted RDS access to KMS using your Alibaba Cloud account. See Authorize ApsaraDB RDS for MySQL to access KMS.
An Alibaba Cloud account, or an account with the AliyunSTSAssumeRoleAccess permission
(Recommended) Updated the minor engine version of your primary instance and any read-only instances to the latest version before enabling TDE. See Update the minor engine version.
How it works
TDE uses KMS to generate and manage encryption keys. RDS does not store or provide keys or certificates. When TDE is enabled:
Data is encrypted before it is written to disk.
Data is decrypted when it is read into memory.
Applications and users authenticated by the database read plaintext data — no application code or configuration changes needed.
OS users and anyone accessing tablespace files, disk, or backup data directly cannot read plaintext data.
Limitations
Understand these constraints before enabling TDE. All are permanent or high-impact.
Cannot be disabled. Once enabled, TDE cannot be turned off.
Key cannot be changed. After enabling, you cannot switch to a different encryption key.
CPU usage increases significantly after TDE is enabled.
Enabling TDE does not increase data file size.
Cross-region restore is not supported. To restore data locally, decrypt the data first.
Edition change is blocked. You cannot change from High-availability Edition to Cluster Edition after enabling TDE.
Custom key risks — if you use an existing custom key:
The key must be a symmetric key. Asymmetric keys are not supported.
If the KMS instance expires or is deleted, or if the key is disabled, scheduled for deletion, or has its key material deleted, the encrypted data on your RDS instance becomes unrecoverable.
If you revoke the authorization and then restart the RDS instance, the instance becomes unavailable.
Enable Transparent Data Encryption (TDE)
Enabling TDE restarts the instance, causing an instance switchover. The instance is typically unavailable for about 15 seconds. Perform this step during off-peak hours and confirm that your application has an automatic reconnection mechanism.
Go to the Instances page. In the top navigation bar, select the region where your RDS instance is located, then click the instance ID.
In the left navigation pane, click Data Security and select the TDE tab.
Under TDE Settings, find TDE Status and enable it.
Select a key type:
Use Automatically Generated Key: Uses a service key generated and managed by KMS.
Use Existing Custom Key: Uses a symmetric key that you control in KMS.
If no key is listed, click Go to Create to create one in the KMS console. Set Key Type to Symmetric Key.
Click OK to enable TDE.
Encryption algorithms
The supported encryption algorithms depend on your MySQL version.
| Database version | Supported algorithms | Modifiable |
|---|---|---|
| MySQL 5.6 | AES_128_ECB | Not supported |
| MySQL 5.7, 8.0 | AES_256_CBC (default), SM4_CTR | Yes, via innodb_encrypt_algorithm |
Modifying innodb_encrypt_algorithm is high-risk. It changes the encryption and decryption algorithm for all encrypted data in the instance, including tables and logs. If the parameter value differs from the algorithm actually used to encrypt the data, parsing fails. This parameter is not visible in the console — submit a ticket to modify it.
Encrypt and decrypt tables
After enabling TDE, existing tables are not automatically encrypted. Run the following commands on each table you want to encrypt.
Encrypt a table
MySQL 5.6:
ALTER TABLE <tablename> engine=innodb,block_format=encrypted;
MySQL 5.7 or 8.0:
ALTER TABLE <tablename> encryption='Y';
Decrypt a table
MySQL 5.6:
ALTER TABLE <tablename> engine=innodb,block_format=default;
MySQL 5.7 or 8.0:
ALTER TABLE <tablename> encryption='N';
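The following session, added here as a worked example and not taken from the original page or from ApsaraDB RDS's own documentation, shows the MySQL 5.7 / 8.0 form of these commands in practice: encrypt one table, verify the flag, audit which tables in a schema are still unencrypted (enabling TDE does not encrypt existing tables), and generate the remaining ALTER statements. It assumes a hypothetical schema app_db with a table customers, and assumes that RDS exposes the per-table encryption flag in INFORMATION_SCHEMA.TABLES.CREATE_OPTIONS (and, on 8.0, in INFORMATION_SCHEMA.INNODB_TABLESPACES.ENCRYPTION) the same way community MySQL does. MySQL 5.6 uses the block_format form shown above and is not covered here.

```sql
-- Added example (not from the original page). Assumes MySQL 5.7 or 8.0 with TDE already
-- enabled on the instance, and a hypothetical schema `app_db` containing a table `customers`.

-- 1. Encrypt one table. This ALTER TABLE rebuilds the tablespace, so schedule it
--    during off-peak hours for large tables.
ALTER TABLE app_db.customers ENCRYPTION='Y';

-- 2. Confirm the flag on that table. Community MySQL reports it in CREATE_OPTIONS as
--    ENCRYPTION="Y" (assumption: RDS reports it the same way).
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'app_db'
  AND TABLE_NAME = 'customers';

-- 3. Audit: list every InnoDB base table in the schema that is still unencrypted.
--    The `_` wildcard tolerates either quote style around the Y.
SELECT TABLE_SCHEMA, TABLE_NAME
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'app_db'
  AND ENGINE = 'InnoDB'
  AND TABLE_TYPE = 'BASE TABLE'
  AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION=_Y_%';

-- 4. Generate the ALTER statements for those tables instead of typing each by hand.
--    Review the output, save it to a file, then run it (for example with SOURCE in the mysql client).
SELECT CONCAT('ALTER TABLE `', TABLE_SCHEMA, '`.`', TABLE_NAME, '` ENCRYPTION=''Y'';') AS stmt
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'app_db'
  AND ENGINE = 'InnoDB'
  AND TABLE_TYPE = 'BASE TABLE'
  AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION=_Y_%';

-- 5. MySQL 8.0 only: cross-check at the tablespace level, which is what actually sits on disk.
SELECT NAME, ENCRYPTION
FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
WHERE NAME LIKE 'app_db/%';

-- 6. Decrypt again, for example before a cross-region restore, which requires decrypted data.
ALTER TABLE app_db.customers ENCRYPTION='N';
```

Step 3 is the check worth keeping as a recurring job: a table created after TDE was enabled without ENCRYPTION='Y' in its CREATE TABLE is written to disk in plaintext, and this query is what surfaces it.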
FAQ
Can I still use database tools like Navicat after enabling TDE?
Yes. Authenticated tools connect normally and read decrypted data in memory.
Can I migrate data to another RDS instance after enabling TDE?
Yes. Data migration works normally.
Why does my data appear in plaintext after I encrypt a table?
When you query data, TDE decrypts it and loads it into memory — that is by design. TDE protects data at rest: backup files are encrypted and cannot be restored locally without first decrypting the data. Anyone who accesses the raw storage or backup files cannot read the plaintext data.
What's next
Comparison of different database encryption technologies — decide which encryption approach fits your requirements
Use a cloud certificate to quickly enable SSL encryption — encrypt the connection to your instance in addition to data at rest
Update the minor engine version — upgrade your primary instance and read-only instances to the latest minor engine version before enabling TDE
Key Management Service — manage the keys used for TDE encryption
API reference
| API | Description |
|---|---|
| ModifyDBInstanceTDE | Enable TDE for an RDS instance by setting TDEStatus to Enabled. Configure other parameters as needed. |