This topic describes how to configure Transparent Data Encryption (TDE) for your ApsaraDB RDS for SQL Server instance. TDE allows your RDS instance to encrypt data as it is written to disk and decrypt it when it is read from disk into memory. TDE does not increase the size of data files, and you can use it without modifying your application.
Prerequisites
- Your RDS instance is a primary instance that runs an Enterprise Edition of SQL Server. TDE is not supported for read-only instances.
- You have logged on to the ApsaraDB for RDS console by using your Alibaba Cloud account.
- Alibaba Cloud Key Management Service (KMS) is activated. If KMS is not activated, you can activate it as prompted when you enable TDE.
Background information
For data security purposes, we recommend that you enable TDE by using the ApsaraDB for RDS console or an API operation.
Precautions
- Instance-level TDE can be enabled but cannot be disabled. Database-level TDE can be enabled or disabled.
- The key used for TDE is created and managed by KMS. ApsaraDB for RDS does not provide the key or certificate that is required for encryption. After TDE is enabled, you must decrypt the data on your RDS instance before you can restore it to your computer. For more information, see the "What to do next" section in this topic.
- After TDE is enabled, the CPU utilization of your RDS instance significantly increases.
Procedure
What to do next
If you no longer want to use TDE to protect a database, you can remove the database from the Selected Databases section in the Database TDE Settings dialog box.