This topic describes how to configure Transparent Data Encryption (TDE) for an ApsaraDB RDS for MySQL instance. You can use TDE to perform real-time I/O encryption and decryption on data files. Data is encrypted before it is written to a disk and decrypted when it is read from a disk and written to the memory. TDE does not increase the size of data files. Developers can use TDE without the need to modify the configuration data on their applications.

Prerequisites

  • Your RDS instance runs one of the following MySQL versions and RDS editions:
    • MySQL 8.0 on RDS High-availability Edition with local SSDs
    • MySQL 5.7 on RDS High-availability Edition with local SSDs
    • MySQL 5.7 on RDS Enterprise Edition with local SSDs
    • MySQL 5.6
  • Key Management Service (KMS) is activated. If KMS is not activated, you can activate it when you enable TDE.

Background information

The key that is used for TDE is created and managed by KMS. ApsaraDB RDS does not provide the key or certificates that are required for TDE. Some zones support automatically generated keys or custom keys that are generated from your key materials. You must authorize your RDS instance to use an automatically generated key or a custom key.
Note After you enable TDE, the AES_128_ECB algorithm is used for TDE.

Precautions

  • We recommend that you update the minor engine version of your RDS instance to the latest version to ensure the stability of the instance. If read-only RDS instances are attached to your RDS instance, we recommend that you update the minor engine versions of the primary RDS instance and all the read-only RDS instances to the latest version. For more information, see Update the minor engine version of an ApsaraDB RDS for MySQL instance.
  • When you enable TDE, your RDS instance restarts. The restart causes a brief disconnection. Proceed with caution. We recommend that you make appropriate arrangements for your workloads before you enable TDE.
  • After you enable TDE, you cannot disable this feature.
  • After you enable TDE, you cannot change the key that you use for TDE.
  • If you want to restore the data of your RDS instance to your computer after TDE is enabled, you must decrypt the data on your RDS instance. For more information, see the "Decrypt a table" section of this topic.
  • After you enable TDE, the CPU utilization of your RDS instance significantly increases.
  • If you use an existing custom key for TDE, take note of the following information:
    • If you disable a key, configure a key deletion plan, or delete the key material, the key becomes unavailable.
    • If you revoke the key that is authorized for your RDS instance, the instance becomes unavailable after it restarts.
    • You must use an Alibaba Cloud account or an account that has the AliyunSTSAssumeRoleAccess permission.
    Note For more information about keys, see What is KMS?

Use an automatically generated key

  1. Go to the RDS instance list, select a region in the top navigation bar, and click the ID of the target instance.
  2. In the left-side navigation pane, click Data Security.
  3. On the TDE tab, turn on the switch next to TDE Status.
  4. In the dialog box that appears, select Use an Automatically Generated Key and click OK.

Use an existing custom key

  1. Go to the RDS instance list, select a region in the top navigation bar, and click the ID of the target instance.
  2. In the left-side navigation pane, click Data Security.
  3. On the TDE tab, turn on the switch next to TDE Status.
  4. In the dialog box that appears, select Use an Existing Custom Key and click OK.
    Note If you do not have a custom key, you can click create a key to create a key and import your key material in the KMS console. For more information, see Manage CMKs.

Encrypt a table on an RDS instance

Log on to the RDS instance and perform the following operations:

  • If the RDS instance runs MySQL 5.6, run the following command:
    alter table <tablename> engine=innodb,block_format=encrypted;
  • If the RDS instance runs MySQL 5.7 or MySQL 8.0, run the following command:
    alter table <tablename> encryption='Y';

Decrypt a table on an RDS instance

Log on to the RDS instance and perform the following operations:

  • If the RDS instance runs MySQL 5.6, run the following command:
    alter table <tablename> engine=innodb,block_format=default;
  • If the RDS instance runs MySQL 5.7 or MySQL 8.0, run the following command:
    alter table <tablename> encryption='N';
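
The following script is an added example and is not part of the original topic. It walks through the encrypt and decrypt steps above on a MySQL 5.7 or MySQL 8.0 RDS instance on which TDE is already enabled, and adds the verification a practitioner wants: which tables in a schema are actually encrypted, and confirming a table is back in plaintext before restoring it to a local machine. The tde_demo database and customer table are constructed for the example. The checks rely on the CREATE_OPTIONS column of information_schema.TABLES, which MySQL 5.7 and 8.0 use to report the ENCRYPTION table option (5.7 quotes the value with double quotes and 8.0 with single quotes, so the pattern uses the _ wildcard for the quote character).

```sql
-- Added example; not from the original documentation page.
-- Assumes: TDE is enabled on the RDS for MySQL 5.7 / 8.0 instance and the
-- connected account may create and alter tables. The tde_demo database and
-- customer table are constructed for this example.

CREATE DATABASE IF NOT EXISTS tde_demo;
USE tde_demo;

-- Constructed sample table; created unencrypted on purpose so the
-- before/after checks below show a visible difference.
CREATE TABLE IF NOT EXISTS customer (
  id      INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  email   VARCHAR(255) NOT NULL,
  created DATETIME     NOT NULL DEFAULT CURRENT_TIMESTAMP
) ENGINE=InnoDB;

-- Step 1: encrypt the table (same statement as the "Encrypt a table" section).
-- The tablespace file is rewritten, so runtime grows with table size.
ALTER TABLE customer ENCRYPTION='Y';

-- Step 2: verify. CREATE_OPTIONS shows ENCRYPTION="Y" (5.7) or
-- ENCRYPTION='Y' (8.0) for an encrypted table; the _ wildcard covers both.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
FROM information_schema.TABLES
WHERE TABLE_SCHEMA = 'tde_demo';

-- Step 3: inventory check across user schemas: InnoDB tables that are
-- still unencrypted after TDE was enabled (TDE encrypts only the tables
-- you alter, not every existing table automatically).
SELECT TABLE_SCHEMA, TABLE_NAME
FROM information_schema.TABLES
WHERE ENGINE = 'InnoDB'
  AND TABLE_SCHEMA NOT IN ('mysql', 'information_schema', 'performance_schema', 'sys')
  AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION=_Y_%';

-- Step 4: decrypt before restoring the data to a local machine
-- (same statement as the "Decrypt a table" section).
ALTER TABLE customer ENCRYPTION='N';

-- Step 5: confirm the table no longer carries ENCRYPTION='Y'.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
FROM information_schema.TABLES
WHERE TABLE_SCHEMA = 'tde_demo'
  AND TABLE_NAME = 'customer'
  AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION=_Y_%';
-- Returns one row when decryption has completed; an empty result means the
-- table is still encrypted and a local restore would not be readable.
```

The inventory query in step 3 is the useful part for an audit: enabling TDE on the instance does not rewrite existing tables, so a table that was never altered stays in plaintext on disk. Run the query after the rollout and alter every table it lists. For MySQL 5.6 the ALTER statements in the sections above use block_format instead of ENCRYPTION, and this script's CREATE_OPTIONS check does not apply there.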

FAQ

  • After I enable TDE, can I still use common database tools, such as Navicat?

    Yes, after you enable TDE, you can still use common database tools, such as Navicat.

  • After I enable TDE, can I migrate data from my RDS instance to a different RDS instance?

    Yes, after you enable TDE, you can migrate data from your RDS instance to a different RDS instance.

  • After I enable TDE, why is my data still in plaintext?

    After you enable TDE, your data is stored on disk in ciphertext. However, when the data is queried, it is decrypted and then loaded into memory in plaintext, so query results are returned in plaintext. TDE also encrypts backup files to prevent data leaks. Before you restore the data of your RDS instance from an encrypted backup file to your computer, you must decrypt the data on your RDS instance. For more information, see the "Decrypt a table" section of this topic.

References

Configure TDE for an ApsaraDB RDS for SQL Server instance

Related operations

Operation        Description
Enable the TDE   Enables TDE for an ApsaraDB RDS instance.