This topic describes how to configure Transparent Data Encryption (TDE) for your ApsaraDB RDS for MySQL instance. TDE allows your RDS instance to encrypt the data that is to be written into the disk and decrypt the data that is to be read from the disk to the memory. TDE does not increase the sizes of data files. You can use TDE without the need to modify your application.
Prerequisites
- Your RDS instance runs one of the following MySQL versions and RDS editions:
- MySQL 8.0 on RDS High-availability Edition (with local SSDs)
- MySQL 5.7 on RDS High-availability Edition (with local SSDs)
- MySQL 5.6
- Alibaba Cloud Key Management Service (KMS) is activated. If KMS is not activated, you can activate it as prompted when you enable TDE.
Background information
Precautions
- While you enable TDE, a transient connection error will occur. Therefore, before you enable TDE, we recommend that you make appropriate arrangements for your workloads. In addition, proceed with caution.
- You cannot disable TDE after it is enabled.
- You cannot change the key used for encryption after TDE is enabled.
- After TDE is enabled, you must decrypt data on your RDS instance if you want to restore the data to your computer. For more information, see the "Decrypt a table" section in this topic.
- After TDE is enabled, the CPU utilization of your RDS instance significantly increases.
- If you use an existing custom key for encryption, you must note the following items:
- If you disable the key, configure a plan to delete the key, or delete the key materials, the key becomes unavailable.
- If you revoke the authorization of the key to your RDS instance, your RDS instance becomes unavailable after it is restarted.
- You must use your Alibaba Cloud account or an account that has the AliyunSTSAssumeRoleAccess permission.
Note For more information, see What is KMS?
Use an automatically generated key
- In the left-side navigation pane, click Instances. In the top navigation bar, select the region where your RDS instance resides.
- On the TDE tab, turn on the switch next to TDE Status.
- In the dialog box that appears, select Use an Automatically Generated Key and click OK.
Use an existing custom key
- In the left-side navigation pane, click Instances. In the top navigation bar, select the region where your RDS instance resides.
- On the TDE tab, turn on the switch next to TDE Status.
- In the dialog box that appears, select Use an Existing Custom Key and click OK. Note If you do not have a custom key, you can click create a key to go to the KMS console. On the KMS console, you can import your own key materials to create a custom key. For more information, see Manage CMKs.
Encrypt a table
Log on to the target database. Then, execute one of the following statements to encrypt a table:
- MySQL 5.6
alter table <tablename> engine=innodb,block_format=encrypted; - MySQL 5.7 or 8.0
alter table <tablename> encryption='Y';
Decrypt a table
Log on to the target database. Then, execute one of the following statements to decrypt a table that is encrypted by using TDE:
- MySQL 5.6
alter table <tablename> engine=innodb,block_format=default; - MySQL 5.7 or 8.0
alter table <tablename> encryption='N';
FAQ
- After I enable TDE, can I still use common database tools, such as Navicat?
Yes, after you enable TDE, you can still use common database tools, such as Navicat.
- After I enable TDE, why is my data still in plaintext?
After you enable TDE, your data is stored in ciphertext. However, when the data is queried, it is decrypted and then loaded to the memory in plaintext. TDE encrypts backup files to prevent data leaks. The encrypted backup files cannot be restored to your computer. If you want to restore these backup files to your computer, you must decrypt them. For more information, see the "Decrypt a table" section in this topic.
References
Related operations
| Operation | Description |
|---|---|
| Enable TDE | Enables TDE for an ApsaraDB for RDS instance. |