This topic describes how to configure Transparent Data Encryption (TDE) for an ApsaraDB RDS for SQL Server instance. With TDE, ApsaraDB for RDS encrypts data before it is written to disk and decrypts data when it is read from disk into memory. TDE does not increase the size of data files. Developers can use TDE without changing any applications.

For data security purposes, we recommend that you use the ApsaraDB for RDS console or call the ModifyDBInstanceTDE API operation to enable TDE.


  • Instance-level TDE can be enabled but cannot be disabled. Database-level TDE can be enabled or disabled.
  • The keys used for data encryption are generated and managed by Key Management Service (KMS). ApsaraDB for RDS does not provide the keys or certificates used for data encryption. If you want to restore data to your computer after TDE is enabled, you must decrypt the data on your RDS instance. For more information, see Decrypt data.
  • TDE increases CPU utilization.


Prerequisites

  • Your RDS instance runs SQL Server EE.
  • You have logged on to the ApsaraDB for RDS console by using your Alibaba Cloud account.
  • KMS is activated. If KMS is not activated, you can activate it as prompted when you enable TDE.


  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where your RDS instance resides.
  3. Find your RDS instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the TDE tab, click the switch next to Disabled to turn on TDE.
    Note: You can enable TDE only when your RDS instance meets all of the conditions specified in the "Prerequisites" section.
  6. In the dialog box that appears, click Confirm.
    Note: If you have not enabled KMS, you will be prompted to do so when you enable TDE. After you enable KMS as prompted, you can click Not activated to enable TDE.
  7. Click Configure TDE. In the Database TDE Settings dialog box, select the databases you want to encrypt from the Unselected Databases list, click the icon to add them to the Selected Databases list, and click OK.

Decrypt data

If you want to decrypt a database that is encrypted by TDE, you only need to remove the database from the Selected Databases list in the Database TDE Settings dialog box.
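
To confirm which databases are actually encrypted after the procedure above, or that a database removed from the Selected Databases list has finished decrypting, you can query the SQL Server catalog views. The following T-SQL is an added example, not part of the original documentation; it assumes that your database account is permitted to read sys.dm_database_encryption_keys (VIEW SERVER STATE), which a managed instance may restrict.

```sql
-- Added example: report the TDE state of every database on the instance.
-- Assumption: the login may read sys.dm_database_encryption_keys
-- (requires VIEW SERVER STATE). If it may not, query sys.databases alone.
SELECT
    d.name                AS database_name,
    d.is_encrypted,       -- reflects the last requested setting (1 = encryption on)
    k.encryption_state,
    CASE k.encryption_state
        WHEN 0 THEN 'No database encryption key present'
        WHEN 1 THEN 'Unencrypted'
        WHEN 2 THEN 'Encryption in progress'
        WHEN 3 THEN 'Encrypted'
        WHEN 4 THEN 'Key change in progress'
        WHEN 5 THEN 'Decryption in progress'
        WHEN 6 THEN 'Protection change in progress'
        ELSE 'No key row (TDE never enabled)'   -- NULL from the LEFT JOIN
    END                   AS state_description,
    k.percent_complete,   -- progress of a running scan (states 2 and 5)
    k.key_algorithm,
    k.key_length
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
ORDER BY d.name;
```

A database is fully encrypted at rest only when encryption_state is 3; states 2 and 5 mean that the background scan is still running. tempdb also appears with state 3 once any user database on the instance uses TDE.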