This topic describes how to configure transparent data encryption (TDE) for an ApsaraDB RDS for MySQL instance. TDE can encrypt the data that will be written into the disk and decrypt the data that will be read from the disk to the memory. TDE does not increase the size of data files. You can use TDE without making changes to your application.
Prerequisites
- Your RDS instance runs one of the following MySQL versions and RDS editions:
- MySQL 8.0 on RDS High-availability Edition (with local SSDs)
- MySQL 5.7 on RDS High-availability Edition (with local SSDs)
- MySQL 5.6
- Alibaba Cloud Key Management Service (KMS) is activated. If KMS is not activated, you can activate it as prompted when you enable TDE.
Background information
Precautions
- When you enable TDE, a transient connection error occurs. Before you enable TDE, we recommend that you make appropriate arrangements for your workloads. In addition, proceed with caution.
- After TDE is enabled, you cannot disable TDE.
- After TDE is enabled, you cannot change the key that you use.
- After TDE is enabled, you must decrypt the data of your RDS instance if you want to restore the data to your computer. For more information, see the "Decrypt a table" section of this topic.
- After TDE is enabled, the CPU utilization of your RDS instance significantly increases.
- If your RDS instance runs MySQL 5.7, your normal workloads may be affected when you encrypt tables. We recommend that you configure your RDS instance not to concurrently encrypt a large number of tables.
- If you use an existing custom key, you must take note of the following items:
- If you disable the key, configure a plan to delete the key, or delete the key material, the key becomes unavailable.
- If you revoke the authorization of the key to your RDS instance, your RDS instance becomes unavailable after it restarts.
- You must use an Alibaba Cloud account or an account that has the AliyunSTSAssumeRoleAccess permission.
Note For more information about keys, see What is KMS?
Use an Alibaba Cloud-generated key
- In the dialog box that appears, select Use an Automatically Generated Key and click OK.
Use an existing custom key
- In the dialog box that appears, select Use an Existing Custom Key and click OK. Note If you do not have a custom key, you must click create a key. Then, you can create a key and import your own key material in the KMS console. For more information, see Manage CMKs.
Encrypt a table
Log on to the database whose table you want to encrypt. Then, execute the following statements to encrypt the table:
- MySQL 5.6
alter table <tablename> engine=innodb,block_format=encrypted; - MySQL 5.7 or 8.0
alter table <tablename> encryption='Y';
Decrypt a table
Log on to the database whose table you want to decrypt. Then, execute the following statements to decrypt the table:
- MySQL 5.6
alter table <tablename> engine=innodb,block_format=default; - MySQL 5.7 or 8.0
alter table <tablename> encryption='N';
FAQ
- After I enable TDE, can I still use common database tools, such as Navicat?
Yes, after you enable TDE, you can still use common database tools, such as Navicat.
- After I enable TDE, can I migrate data from my RDS instance to another RDS instance?
Yes, after you enable TDE, you can migrate data from your RDS instance to another RDS instance.
- After I enable TDE, why is my data still in plaintext?
After you enable TDE, your data is stored in ciphertext. However, when the data is queried, it is decrypted and then loaded in plaintext to the memory. TDE encrypts backup files to prevent data leaks. Before you restore the data of your RDS instance from an encrypted backup file to your computer, you must decrypt the file. For more information, see the "Decrypt a table" section of this topic.
References
Related operations
| Operation | Description |
|---|---|
| Enable the TDE function | Enables TDE for an ApsaraDB RDS instance. |