This topic describes how to enable Transparent Data Encryption (TDE) for an RDS for SQL Server instance. With TDE enabled, RDS encrypts and decrypts data files in real time: data is encrypted before it is written to disk and decrypted when it is read from disk into memory. TDE does not increase the size of data files, and encryption is transparent to applications, so developers can use TDE without changing any application code. Note that TDE protects data at rest on disk only; it does not encrypt data in transit, and it does not stop a user who holds valid database credentials from reading the data through normal queries.

For data security purposes, we recommend that you use the RDS console or call the ModifyDBInstanceTDE API action to enable TDE for your RDS instance.

Background information

TDE is configured at the instance level by using the RDS console or by calling the ModifyDBInstanceTDE API action. After instance-level TDE is enabled, you choose which databases on the instance are encrypted; databases that are not selected remain unencrypted.

Precautions

  • Instance-level TDE can be enabled but cannot be disabled. Database-level TDE can be enabled or disabled for individual databases as needed.
  • The keys used for data encryption are generated and managed by Key Management Service (KMS). RDS does not expose the keys or certificates used for data encryption, so a backup of a TDE-encrypted database cannot be restored on a computer outside RDS. After TDE is enabled, if you want to restore data to your own computer, you must first use RDS to decrypt the database.
  • TDE increases CPU usage, because every page is encrypted when it is written to disk and decrypted when it is read from disk.

Prerequisites

  • The instance runs RDS for SQL Server.
  • You have logged on to the Alibaba Cloud console by using your Alibaba Cloud account.
  • KMS has been activated. If KMS has not been activated, you can activate it when prompted while enabling TDE.

Enable TDE

  1. Log on to the RDS console.
  2. In the upper-left corner, select the region where the target RDS instance is located.
    Figure: Select a region
  3. Find the target RDS instance and click the instance ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the TDE tab, find TDE Status and click the switch next to Disabled.
    Figure: Enable TDE
  6. In the displayed dialog box, click Confirm.
  7. Click the button for setting TDE. In the Database TDE Settings dialog box, select the databases that you want to encrypt from the Unselected Databases list, click the right arrow to move them to the Selected Databases list, and click OK. Encryption runs in the background and the database remains available while its pages are encrypted.
    Figure: Set TDE

Decrypt data

To decrypt a database that is encrypted by TDE, remove the database from the Selected Databases list in the Database TDE Settings dialog box and click OK. Decryption also runs in the background while the database stays online. Instance-level TDE remains enabled; only the selected database is decrypted.