This topic describes how to set Transparent Data Encryption (TDE) for an RDS MySQL instance. With TDE enabled, RDS can encrypt and decrypt incoming and outgoing data files in real time. Specifically, RDS encrypts data before the data is written into the disk, and decrypts data when the data is read from the disk to the memory. TDE does not increase the size of data files. Developers can use the TDE function without changing any applications.


  • The DB engine version of your RDS instance is MySQL 5.6.
  • Key Management Service (KMS) has been activated. If you have not activated KMS, you can activate it as instructed when activating TDE.


  • TDE cannot be disabled once it is activated.
  • After TDE is activated, you cannot change keys.
  • After TDE is activated, if you want to restore data to your computer, you must first use RDS to decrypt data.
  • TDE increases CPU usage.

Use a key automatically generated by Alibaba Cloud

  1. Log on to the RDS console.
  2. In the upper-left corner, select the region where the target RDS instance is located.
  3. Find the target RDS instance and click the instance ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the TDE tab, find TDE Status and click the switch next to Disabled.
  6. In the displayed dialog box, click Confirm.

Encrypt a table

Log on to the target database and run the following command to encrypt a table:

alter table <tablename> engine=innodb,block_format=encrypted;

Decrypt a table

Run the following command to decrypt a table that has been encrypted by using TDE:

alter table <tablename> engine=innodb,block_format=default;


API Description
ModifyDBInstanceTDE Used to enable TDE for an RDS instance.