This topic describes how to configure Transparent Data Encryption (TDE).

Overview

TDE encrypts and decrypts data files in real time: data files are encrypted as they are written to disk and decrypted as they are loaded from disk into memory. Encrypting or decrypting a data file with TDE does not increase its size, and applications do not need to be changed to use TDE.

Encryption keys are generated and managed by Key Management Service (KMS). PolarDB-X does not provide keys or certificates for encryption. PolarDB-X supports keys that are automatically generated by Alibaba Cloud. You can authorize PolarDB-X to use the keys that are generated by using your own key materials.

Prerequisites

KMS is activated. If KMS is not activated, you can activate it when you enable TDE.

Procedure

  1. Log on to the PolarDB-X console.
  2. In the top navigation bar, select the region where your instance is deployed.
  3. On the Instance List page, click the PolarDB-X 2.0 tab.
  4. On the page that appears, click the ID of the instance.
  5. In the left-side navigation pane, choose Configuration Management > Safety management.
  6. On the TDE tab, turn on the switch next to TDE status.
  7. In the dialog box that appears, select one of the following key options and click OK:
    • Use the key automatically generated by Alibaba Cloud.
    • Use an existing custom key.
      Note: If you do not have a custom key, click create a key to go to the KMS console and import key materials. For more information, see Manage CMKs.

Encrypt a table

Log on to the database and execute the following statement to encrypt a table:

alter table <tablename> ENCRYPTION='Y';

Execute the following statement to create an encrypted table:

create table <tablename> <col definition> ENCRYPTION='Y';

Decrypt a table

Log on to the database and execute the following statement to decrypt a table that is encrypted by using TDE:

alter table <tablename> ENCRYPTION='N';
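The following script walks through the three statements above (create an encrypted table, encrypt an existing table, decrypt a table) on a constructed sample schema and adds a verification step. It is an added example, not part of the PolarDB-X documentation; the table names, columns, and the use of SHOW CREATE TABLE and information_schema.TABLES to confirm the ENCRYPTION option are assumptions based on MySQL-compatible syntax, not statements taken from this page.

```sql
-- Added example, not from the PolarDB-X documentation page.
-- Assumption: PolarDB-X accepts MySQL-compatible DDL, and SHOW CREATE TABLE /
-- information_schema.TABLES expose the ENCRYPTION table option as MySQL 8.0 does.

-- 1. Create a table that is encrypted from the start (constructed sample schema).
CREATE TABLE customer_pii (
    id        BIGINT       NOT NULL AUTO_INCREMENT,
    full_name VARCHAR(128) NOT NULL,
    id_number VARCHAR(32)  NOT NULL,
    PRIMARY KEY (id)
) ENCRYPTION='Y';

-- 2. Encrypt an existing, previously unencrypted table in place.
--    From this point on its data files are written to disk encrypted;
--    the application continues to read and write the table unchanged.
CREATE TABLE audit_log (
    id     BIGINT      NOT NULL AUTO_INCREMENT,
    actor  VARCHAR(64) NOT NULL,
    action VARCHAR(64) NOT NULL,
    PRIMARY KEY (id)
);
ALTER TABLE audit_log ENCRYPTION='Y';

-- 3. Verify: the table definition should now carry ENCRYPTION='Y'.
SHOW CREATE TABLE audit_log;

-- Assumption: CREATE_OPTIONS lists ENCRYPTION="Y" for encrypted tables,
-- which lets you audit a whole schema for tables that are still in the clear.
SELECT TABLE_NAME, CREATE_OPTIONS
FROM information_schema.TABLES
WHERE TABLE_SCHEMA = DATABASE()
  AND TABLE_NAME IN ('customer_pii', 'audit_log');

-- 4. Decrypt a table whose data no longer needs to be encrypted at rest.
ALTER TABLE audit_log ENCRYPTION='N';
```

Run the step 3 query against a schema before and after enabling TDE on its tables: any table whose CREATE_OPTIONS does not include ENCRYPTION="Y" is still stored unencrypted, which is the check worth scripting after a rollout.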