
ApsaraDB RDS: Data encryption

Last Updated: Mar 28, 2026

ApsaraDB RDS provides four encryption layers to protect your data in transit, at rest, and in use. Each layer targets a different threat model and can be combined with the others.

Encryption method | What it protects | Supported engines
SSL | Data in transit (connection-level encryption) | MySQL, SQL Server, PostgreSQL
Transparent Data Encryption (TDE) | Data files and backups at rest, at the database or table level | MySQL, PostgreSQL, SQL Server
Cloud disk encryption | All data on disk at the block-storage level | RDS instances using cloud disks
Always-confidential database | Sensitive columns in use (transmitted, computed, and stored in ciphertext) | PostgreSQL

SSL (encryption in transit)

ApsaraDB RDS issues a server Secure Sockets Layer (SSL) certificate for each RDS instance. Your application uses the certificate to verify that the database service at a given IP address and port is your RDS instance rather than an impostor, which guards against man-in-the-middle attacks. You can also renew the certificate before it expires to keep it valid.

SSL protects the connection only after you enable server authentication (verification of the server certificate) on the application side. Be aware that SSL consumes extra CPU resources, which reduces throughput and increases response latency. The size of the impact depends on the number of concurrent connections and how often data is transmitted.

For configuration steps, see Configure SSL encryption for an ApsaraDB RDS instance.
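The paragraph above makes a point that is easy to miss: enabling SSL on the instance does nothing against an impostor unless the client also verifies the server certificate. The following is an added example (not code from the ApsaraDB RDS documentation or from Alibaba Cloud) that classifies the client-side TLS modes libpq (`sslmode`) and the MySQL client (`--ssl-mode`) accept by the guarantee each one gives, audits a constructed inventory of connections, and builds the Python `ssl` context a driver should be handed. The connection names and the CA file path are placeholders.

```python
# Added example, not from the ApsaraDB RDS documentation: decide whether a
# client's TLS mode actually authenticates the server, which is the condition
# under which the SSL layer resists man-in-the-middle attacks.
import ssl
from dataclasses import dataclass

# Per-engine client modes mapped to the guarantees they give:
# (encryption is mandatory, CA signature is checked, hostname is checked)
PG_MODES = {
    "disable":     (False, False, False),
    "allow":       (False, False, False),  # plaintext unless the server insists on TLS
    "prefer":      (False, False, False),  # TLS if offered, silently falls back otherwise
    "require":     (True,  False, False),  # encrypted, but any certificate is accepted
    "verify-ca":   (True,  True,  False),
    "verify-full": (True,  True,  True),
}
MYSQL_MODES = {
    "DISABLED":        (False, False, False),
    "PREFERRED":       (False, False, False),
    "REQUIRED":        (True,  False, False),
    "VERIFY_CA":       (True,  True,  False),
    "VERIFY_IDENTITY": (True,  True,  True),
}


@dataclass(frozen=True)
class Verdict:
    encrypted: bool
    server_authenticated: bool
    hostname_checked: bool

    @property
    def mitm_resistant(self) -> bool:
        # A certificate from any issuer, or for any name, is not authentication.
        return self.encrypted and self.server_authenticated and self.hostname_checked


def assess(engine: str, mode: str) -> Verdict:
    """Classify a client TLS mode for PostgreSQL (libpq) or MySQL."""
    table = {"postgresql": PG_MODES, "mysql": MYSQL_MODES}[engine]
    if mode not in table:
        raise ValueError(f"unknown {engine} TLS mode: {mode!r}")
    return Verdict(*table[mode])


def audit(connections):
    """Return the names of connections that would accept an impostor server."""
    return [name for name, engine, mode in connections
            if not assess(engine, mode).mitm_resistant]


def client_context(cafile=None) -> ssl.SSLContext:
    """TLS context to hand to a driver: certificate mandatory, hostname checked,
    nothing below TLS 1.2, and only the given CA bundle trusted when one is supplied."""
    # PROTOCOL_TLS_CLIENT sets verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile is not None:
        # Placeholder path: the CA bundle downloaded for the instance.
        ctx.load_verify_locations(cafile=cafile)
    return ctx


# Constructed inventory: three services and the mode each one connects with.
CONNECTIONS = [
    ("billing",   "postgresql", "verify-full"),
    ("reporting", "postgresql", "require"),    # encrypted, not authenticated
    ("legacy",    "mysql",      "PREFERRED"),  # may silently downgrade to plaintext
]

if __name__ == "__main__":
    for name in audit(CONNECTIONS):
        print(f"{name}: server not authenticated; use verify-full / VERIFY_IDENTITY")
```

`require` and `REQUIRED` are the modes most often mistaken for "secure": they encrypt the session but accept any certificate, so an attacker who can redirect traffic to the endpoint's IP and port presents their own certificate and the client accepts it. Only the modes that check both the CA signature and the hostname give the guarantee the text describes.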

TDE (encryption at rest)

Transparent Data Encryption (TDE) encrypts data before it is written to storage, whether that storage is a disk, an SSD, a Peripheral Component Interconnect Express (PCIe) card, or Object Storage Service (OSS). All data files and backup files of the specified database or table are stored in ciphertext.

TDE is available for MySQL, PostgreSQL, and SQL Server:

  • MySQL and PostgreSQL: Independently developed by Alibaba Cloud.

  • SQL Server: Based on SQL Server Enterprise Edition.

How it works

TDE uses the Advanced Encryption Standard (AES) algorithm. The encryption key is encrypted and stored by Key Management Service (KMS). When an RDS instance starts or is migrated, it reads the key from KMS exactly once. To rotate the key, replace it in the KMS console.

Encryption granularity

After you enable TDE, specify the databases or tables to encrypt. Only the designated data is encrypted; unselected databases and tables are unaffected.

For configuration steps and performance benchmarks, see Set TDE for an RDS MySQL instance and TDE test report.

Cloud disk encryption (encryption at rest)

Cloud disk encryption is free for RDS instances that use cloud disks. It encrypts all data at the block-storage level, so data remains protected even if the underlying physical disk is compromised.

This feature requires no application changes and does not interrupt running workloads.

For configuration steps, see Configure the disk encryption feature for an ApsaraDB RDS for MySQL instance.

Always-confidential database (encryption in use)

The always-confidential database feature is available for ApsaraDB RDS for PostgreSQL. It encrypts sensitive columns in tables so that data is transmitted, computed, and stored in ciphertext throughout its lifecycle.

The implementation varies by instance type:

  • Intel Software Guard Extensions (SGX)-based security-enhanced instances: Data is protected by the trusted execution environment (TEE) provided by Intel SGX. All database operations, including comparisons and computations, run on ciphertext inside the TEE.

  • Other instance types: Data is protected using cryptography techniques. Only a limited set of database operations is supported.

For available instance types, see Instance types for primary ApsaraDB RDS for PostgreSQL instances.
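The second bullet above says that without a TEE the column stays in ciphertext and only a limited set of operations is possible. The following added illustration (not code from ApsaraDB RDS or Alibaba Cloud, and not the scheme the product actually uses) shows why: the client keeps the key, stores each value as a randomized ciphertext plus a deterministic equality token, and the "server" functions work on those alone. Equality lookups succeed; range queries have nothing to operate on. The stream construction (an HMAC-SHA256 keystream under a random nonce), the key labels and the sample e-mail addresses are all constructed for this example.

```python
# Added illustration, not from the ApsaraDB RDS documentation: client-side
# column encryption where the server only ever sees ciphertext, and what that
# leaves the server able to do.
import hashlib
import hmac
import os


def _derive(master: bytes, label: bytes) -> bytes:
    """Separate sub-keys for encryption and for equality tokens."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (illustrative construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_value(master: bytes, plaintext: str) -> bytes:
    """Randomized: the same plaintext gives a different ciphertext on every call."""
    key = _derive(master, b"encrypt")
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct


def decrypt_value(master: bytes, blob: bytes) -> str:
    key = _derive(master, b"encrypt")
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def equality_token(master: bytes, plaintext: str) -> bytes:
    """Deterministic tag stored beside the ciphertext so the server can test equality."""
    return hmac.new(_derive(master, b"equality"), plaintext.encode(), hashlib.sha256).digest()


# --- server side: holds rows of (id, ciphertext, token) and never the master key ---
def server_find_equal(rows, token: bytes):
    """WHERE col = ? evaluated by comparing tokens, without decrypting anything."""
    return [row_id for row_id, _ct, tok in rows if hmac.compare_digest(tok, token)]


def server_find_range(rows, low: str, high: str):
    # Ciphertexts and tokens carry no order information, so BETWEEN / ORDER BY
    # cannot be evaluated on them: this is the "limited set of operations".
    raise NotImplementedError("range queries are not supported on an encrypted column")


# --- client side ---
MASTER_KEY = b"\x01" * 32  # constructed demo key; a real one stays in the client's key store


def insert_rows(master: bytes, values):
    """Encrypt each value client-side before it is handed to the server."""
    return [(i, encrypt_value(master, v), equality_token(master, v))
            for i, v in enumerate(values)]


def lookup(master: bytes, rows, value: str):
    """Client computes the token, the server matches it, the client decrypts the hits."""
    by_id = {row_id: ct for row_id, ct, _tok in rows}
    ids = server_find_equal(rows, equality_token(master, value))
    return [decrypt_value(master, by_id[i]) for i in ids]


if __name__ == "__main__":
    rows = insert_rows(MASTER_KEY, ["alice@example.com", "bob@example.com", "alice@example.com"])
    print(lookup(MASTER_KEY, rows, "alice@example.com"))
```

The price of the equality token is visible in the sample data: the server cannot read the values, but it can see that rows 0 and 2 hold the same one, which is why such schemes expose a fixed, small set of operations rather than arbitrary SQL. The SGX variant described in the first bullet avoids this trade-off by doing the comparison inside the enclave instead of on tokens.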