Set TDE for an RDS MySQL instance - RDS MySQL Database| Alibaba Cloud Documentation Center

Set TDE for an RDS MySQL instance

Edit in GitHub

Last Updated: Jan 06, 2020 Edit in GitHub

This topic describes how to set Transparent Data Encryption (TDE) for an RDS MySQL instance. With TDE enabled, RDS can encrypt and decrypt incoming and outgoing data files in real time. Specifically, RDS encrypts data before the data is written into the disk, and decrypts data when the data is read from the disk to the memory. TDE does not increase the size of data files. Developers can use the TDE function without changing any applications.

Prerequisites

The DB engine version of your RDS instance is MySQL 5.6.
Key Management Service (KMS) has been activated. If you have not activated KMS, you can activate it as instructed when activating TDE.

Precautions

TDE cannot be disabled once it is activated.
After TDE is activated, you cannot change keys.
After TDE is activated, if you want to restore data to your computer, you must first use RDS to decrypt data.
TDE increases CPU usage.

Use a key automatically generated by Alibaba Cloud

Log on to the RDS console.
In the upper-left corner, select the region where the target RDS instance is located.
Find the target RDS instance and click the instance ID.
In the left-side navigation pane, click Data Security.
On the TDE tab, find TDE Status and click the switch next to Disabled.
In the displayed dialog box, click Confirm.

Encrypt a table

Log on to the target database and run the following command to encrypt a table:

alter table <tablename> engine＝innodb,block_format=encrypted;

Decrypt a table

Run the following command to decrypt a table that has been encrypted by using TDE:

alter table <tablename> engine＝innodb,block_format=default;

APIs


API	Description
ModifyDBInstanceTDE	Used to enable TDE for an RDS instance.