Set TDE for an RDS SQL Server instance - RDS SQL Server Database| Alibaba Cloud Documentation Center

Set TDE for an RDS SQL Server instance

Edit in GitHub

Last Updated: Jan 15, 2020 Edit in GitHub

This topic describes how to set Transparent Data Encryption (TDE) for an RDS SQL Server instance. With TDE enabled, RDS can encrypt and decrypt incoming and outgoing data files in real time. Specifically, RDS encrypts data before the data is written into the disk, and decrypts data when the data is read from the disk to the memory. TDE does not increase the size of data files. Developers can use the TDE function without changing any applications.

For data security purposes, we recommend that you use the RDS console or call the ModifyDBInstanceTDE API action to enable TDE for your RDS instance.

Background information

To improve data security, you can use the RDS console or call the ModifyDBInstanceTDE API action to enable TDE, which can encrypt data.

Precautions

Instance-level TDE can be enabled but cannot be disabled. Database-level TDE can be enabled or disabled as needed.
The keys used for data encryption are generated and managed by Key Management Service (KMS). RDS does not provide the keys or certificates used for data encryption. After TDE is activated, if you want to restore data to your computer, you must first use RDS to decrypt data.
TDE increases CPU usage.

Prerequisites

The used DB engine version is RDS SQL Server.
You have logged in to the Alibaba Cloud console by using your Alibaba Cloud account.
KMS has been activated. If you have not activated KMS, you can activate it as instructed when activating TDE.

Enable TDE

Log on to the RDS console.
In the upper-left corner, select the region where the target RDS instance is located.
Find the target RDS instance and click the instance ID.
In the left-side navigation pane, click Data Security.
On the TDE tab, find TDE Status and click the switch next to Disabled.
In the displayed dialog box, click Confirm.
Click the button for setting TDE. In the Database TDE Settings dialog box, select the databases you want to encrypt from the Unselected Databases list, click the right arrow to add them to the Selected Databases list, and click OK.

Decrypt data

If you want to decrypt a database that is encrypted by TDE, you can remove the database from the Selected Databases list in the Database TDE Settings dialog box.