This topic describes how to configure Transparent Data Encryption (TDE) for an ApsaraDB RDS for SQL Server instance. TDE performs real-time I/O encryption and decryption on data files: data is encrypted before it is written to disk and decrypted when it is read from disk into memory. TDE does not increase the size of data files, and developers can use TDE without modifying the configuration of their applications.

Prerequisites

  • Your RDS instance runs SQL Server 2019 SE or an Enterprise Edition of SQL Server.
  • Your RDS instance is not a read-only instance. For more information, see Create a read-only ApsaraDB RDS for SQL Server instance.
  • If you want to use Bring Your Own Key (BYOK), you have the certificate file, the private key file, and the password that are used for encryption and decryption.

Precautions

  • After instance-level TDE is enabled, it cannot be disabled. Database-level TDE can be enabled or disabled.
  • If you use Key Management Service (KMS) to generate a key after you enable TDE, you must decrypt data on your RDS instance before you can restore the data to your computer. For more information, see the "What to do next" section of this topic.
  • After you enable TDE, the CPU utilization of your RDS instance significantly increases.

Procedure

  1. Go to the RDS instance list, select the region at the top of the page, and click the ID of the target instance.
  2. In the left-side navigation pane, click Data Security.
  3. On the TDE tab, turn on the switch next to TDE Status.
    Note You can enable TDE only when your RDS instance meets the requirements that are described in the "Prerequisites" section of this topic.
  4. Select a key.
    • If you select the Use a key automatically generated by Alibaba Cloud option, perform the following operations:
      In the TDE Settings dialog box, select databases from the Unselected Databases section, click the icon to move the selected databases to the Selected Databases section, and then click OK.
    • If you select the Encrypt with own SQL Server key option, perform the following operations:
      1. Upload the certificate file and the private key file to your OSS bucket. For more information, see Upload objects.
      2. Click Next and configure the parameters related to the key.
        Parameter     Description
        OSS Bucket    The OSS bucket in which the certificate file and the private key file are stored.
        Certificate   The certificate file that you uploaded to the OSS bucket.
        Private key   The private key file that you uploaded to the OSS bucket.
        Password      The password of your own SQL Server key.
      3. Click Next to go to the Authorization Database page.
        Select databases from the Unselected Databases section, click the icon to move the selected databases to the Selected Databases section, and then click OK.

What to do next

If you no longer want to use TDE to protect a database, you can remove the database from the Selected Databases section in the TDE Settings dialog box.