We recommend that you use the Transparent Data Encryption (TDE) feature for your ApsaraDB RDS for SQL Server instance in scenarios such as security compliance or data-at-rest encryption. This topic describes how to use TDE to perform real-time I/O encryption and decryption on data files, so that sensitive data is encrypted before it is written to a disk and is decrypted when it is read from the disk into memory. This prevents an attacker who bypasses the database engine and reads the files directly from storage from obtaining sensitive information, and improves the security of sensitive data in databases. After TDE is enabled for your RDS instance, the size of data files in the instance does not increase. You can use TDE without the need to modify the configurations of your application.
Prerequisites
The RDS instance runs one of the following database engine versions:
SQL Server 2019 SE, SQL Server 2022 SE, and SQL Server EE
The RDS instance belongs to the general-purpose or dedicated instance family. The shared instance family is not supported.
Read-only RDS instances do not support this feature.
If you want to use Bring Your Own Keys (BYOKs), obtain the certificate, private key, and password that are used for encryption and decryption in advance.
Usage notes
You cannot disable TDE for an RDS instance after it is enabled for the instance. However, you can enable or disable TDE for individual databases on the instance based on your business requirements.
If you use a service key that is provided by Alibaba Cloud for an RDS instance and enable TDE for the RDS instance, you must disable TDE for the RDS instance before you restore the data of the RDS instance to a self-managed database. For more information, see Disable TDE.
Note: After you disable TDE, some transaction logs are still encrypted. The backup files that are downloaded cannot be used to restore the data of the RDS instance. In this case, wait until three log backups and one full backup are complete on the RDS instance. Then, download the most recent full backup file that is generated. This full backup file contains the decrypted data of the RDS instance. For more information, see Database Encryption in SQL Server 2008 Enterprise Edition. For more information about how to configure a backup policy, see Back up an ApsaraDB RDS for SQL Server instance.
After you enable TDE for an RDS instance, the CPU utilization of the RDS instance significantly increases.
Enable TDE
- Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
- In the left-side navigation pane, click Data Security.
- On the TDE tab, turn on the switch next to Disabled.
  Note: You can enable TDE only when your RDS instance meets all of the conditions specified in the "Prerequisites" section.
- In the dialog box that appears, select a key type and click OK.
  - Use the key automatically generated by Alibaba Cloud
    Select databases from the Unselected Databases section, click the icon to move the selected databases to the Selected Databases section, and then click Confirm.
  - Encrypt with own SQL Server key
    - Upload the certificate file and the private key file to your OSS bucket. For more information, see Upload objects.
    - Click Next step and configure the following parameters:
      OSS Bucket: The OSS bucket in which the certificate file and the private key file are stored.
      Certificate: The certificate file that you uploaded to the OSS bucket.
      Private key: The private key file that you uploaded to the OSS bucket.
      Password: The password of your own SQL Server key.
    - Click Next step to go to the Authorization database step.
    - Select databases from the Unselected Databases section, click the icon to move the selected databases to the Selected Databases section, and then click Confirm.
Disable TDE
After TDE is enabled for an RDS instance, it cannot be disabled for the instance. To disable TDE for an individual database, remove the database from the Selected Databases section.
- Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
- In the left-side navigation pane, click Data Security.
- Click the TDE tab. Then, click TDE Settings.
- Select databases from the Selected Databases section, click the icon to move the selected databases to the Unselected Databases section, and then click OK.
Note: After you disable TDE, some transaction logs are still encrypted. The backup files that are downloaded cannot be used to restore the data of the RDS instance. In this case, wait until three log backups and one full backup are complete on the RDS instance. Then, download the most recent full backup file that is generated. This full backup file contains the decrypted data of the RDS instance. For more information, see Database Encryption in SQL Server 2008 Enterprise Edition. For more information about how to configure a backup policy, see Back up an ApsaraDB RDS for SQL Server instance.
References
For more information about how to enable TDE by calling an API operation, see ModifyDBInstanceTDE.
For more information about how to encrypt the connections to an RDS instance by using SSL encryption, see Configure the SSL encryption feature.