SSL

ApsaraDB for RDS supports Secure Sockets Layer (SSL) for MySQL and SQL Server. You can use the server root certificate provided by ApsaraDB for RDS to determine whether the database service that you access by using the target IP address and port is provided by ApsaraDB for RDS. This effectively prevents man-in-the-middle attacks. ApsaraDB for RDS also allows you to enable and update SSL certificates for servers to ensure data security and validity.

Although ApsaraDB for RDS can encrypt the connection between your application and database, SSL does not work properly until server authentication is enabled in your application. SSL consumes extra CPU resources, which affects the throughput and response time of instances. The severity of the impact depends on the number of user connections and the frequency of data transmission.
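For MySQL clients, whether server authentication is actually enabled can be checked in the client option file. The following is an added example, not part of the ApsaraDB for RDS documentation: it classifies each option group by the standard MySQL client options `ssl-mode`, `ssl-ca` and `ssl-capath`, and the sample file and CA path are constructed placeholders.

```python
import configparser

# Constructed sample client option file; the CA path is a placeholder for
# wherever the downloaded RDS server root certificate is stored.
SAMPLE = """\
[client]
ssl-mode = REQUIRED
ssl-ca = /path/to/rds-ca.pem

[mysql]
ssl_mode = VERIFY_IDENTITY

[mysqldump]
ssl-mode = PREFERRED
"""

def classify(opts):
    """Classify one merged option group by what its TLS settings guarantee."""
    # MySQL treats '-' and '_' in option names as interchangeable.
    o = {k.replace("_", "-"): (v or "").strip() for k, v in opts.items()}
    has_ca = bool(o.get("ssl-ca") or o.get("ssl-capath"))
    # With no explicit ssl-mode, a CA option implies VERIFY_CA; else PREFERRED.
    mode = o.get("ssl-mode", "").upper() or ("VERIFY_CA" if has_ca else "PREFERRED")
    if mode in ("VERIFY_CA", "VERIFY_IDENTITY"):
        return "authenticated" if has_ca else "misconfigured-no-ca"
    if mode == "REQUIRED":
        return "encrypted-unauthenticated"  # a CA option, if present, is not used
    if mode == "PREFERRED":
        return "may-fall-back-to-plaintext"
    return "plaintext" if mode == "DISABLED" else "unknown-mode"

def audit(text):
    """Return {group: verdict}; [client] settings are inherited by other groups."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(text)
    base = dict(cp["client"]) if cp.has_section("client") else {}
    return {name: classify({**base, **dict(cp[name])}) for name in cp.sections()}

if __name__ == "__main__":
    for group, verdict in audit(SAMPLE).items():
        print(f"[{group}] {verdict}")
```

Only groups reported as `authenticated` verify the server certificate against the configured CA; `encrypted-unauthenticated` groups encrypt traffic but accept any server certificate.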

For more information, see Configure SSL encryption for an RDS instance.

TDE

ApsaraDB for RDS provides Transparent Data Encryption (TDE) for MySQL and SQL Server. TDE for MySQL is independently developed by Alibaba Cloud, and TDE for SQL Server is based on the SQL Server Enterprise Edition.

After TDE is enabled for an ApsaraDB for RDS instance, you can specify the database or table to be encrypted. The data of the specified database or table is first encrypted and then written to a device such as an HDD, SSD, or PCIe card, or to a service such as Object Storage Service (OSS). This way, all data files and instance backups are stored in ciphertext.

TDE uses the Advanced Encryption Standard (AES) algorithm with a key length of 128 bits. The key for TDE is encrypted and stored by Key Management Service (KMS). ApsaraDB for RDS reads the key only once, when the instance is started or migrated. You can replace the key in the KMS console.

For more information, see Configure TDE encryption for an RDS instance.

Disk encryption

ApsaraDB for RDS provides the disk encryption feature for free for RDS instances that are equipped with standard or enhanced SSDs. This feature encrypts the data on each disk of your RDS instance based on block storage. This way, your data cannot be deciphered even if it is leaked. The encryption does not affect your business, and your applications do not need to be changed.

For more information, see Configure disk encryption for an ApsaraDB RDS for MySQL instance.