This topic describes how to configure transparent data encryption (TDE) for an ApsaraDB RDS for MySQL instance. TDE encrypts data before it is written to disk and decrypts data when it is read from disk into memory. TDE does not increase the size of data files, and you can use TDE without making changes to your application.
Prerequisites
- Your RDS instance runs one of the following MySQL versions and RDS editions:
  - MySQL 8.0 on RDS High-availability Edition (with local SSDs)
  - MySQL 5.7 on RDS High-availability Edition (with local SSDs)
  - RDS MySQL 5.6
- Alibaba Cloud Key Management Service (KMS) is activated. If KMS is not activated, you can activate it as prompted when you enable TDE.
Background information
Precautions
- When you enable TDE, a transient connection error occurs. Before you enable TDE, we recommend that you make appropriate arrangements for your workloads. In addition, proceed with caution.
- After TDE is enabled, you cannot disable TDE.
- After TDE is enabled, you cannot change the key that you use.
- After TDE is enabled, you must decrypt the data of your RDS instance if you want to restore the data to your computer. For more information, see the "Decrypt a table" section of this topic.
- After TDE is enabled, the CPU utilization of your RDS instance significantly increases.
- If you use an existing custom key, take note of the following items:
  - If you disable the key, schedule the key for deletion, or delete the key material, the key becomes unavailable.
  - If you revoke the authorization that grants your RDS instance access to the key, your RDS instance becomes unavailable after it restarts.
- You must use an Alibaba Cloud account or an account that has the AliyunSTSAssumeRoleAccess permission.
Note: For more information about keys, see What is KMS?
Use an Alibaba Cloud-generated key
Use an existing custom key
Encrypt a table
Log on to the database where the table you want to encrypt resides. Then, execute the following statement to encrypt the table:
- MySQL 5.6
    alter table <tablename> engine=innodb,block_format=encrypted;
- MySQL 5.7 or 8.0
    alter table <tablename> encryption='Y';
Decrypt a table
Log on to the database where the table you want to decrypt resides. Then, execute the following statement to decrypt the table:
- MySQL 5.6
    alter table <tablename> engine=innodb,block_format=default;
- MySQL 5.7 or 8.0
    alter table <tablename> encryption='N';
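As an added example that is not part of this topic, the following MySQL 5.7/8.0 statements encrypt a table, verify the result in information_schema, and audit for InnoDB tables that were left in plaintext before decrypting again ahead of an off-instance restore; the schema and table names `app` and `customers` are placeholders.

```sql
-- Added example (not from the original topic). Schema `app` and table
-- `customers` are placeholders; replace them with your own names.

-- 1. Encrypt the table. ALTER TABLE ... ENCRYPTION rebuilds the table,
--    so run it in a maintenance window for large tables.
ALTER TABLE `app`.`customers` ENCRYPTION='Y';

-- 2. Confirm that the table is now flagged as encrypted.
--    MySQL 5.7 records ENCRYPTION="Y" and MySQL 8.0 records ENCRYPTION='Y'
--    in CREATE_OPTIONS; the `_` wildcard matches either quote character.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
FROM information_schema.TABLES
WHERE TABLE_SCHEMA = 'app'
  AND CREATE_OPTIONS LIKE '%ENCRYPTION=_Y_%';

-- 3. Audit: list InnoDB tables in user schemas that are NOT encrypted.
--    Encryption is applied per table, so a table that was never altered
--    (or one created later without the option) still stays in plaintext.
SELECT TABLE_SCHEMA, TABLE_NAME
FROM information_schema.TABLES
WHERE ENGINE = 'InnoDB'
  AND TABLE_SCHEMA NOT IN ('mysql', 'information_schema',
                           'performance_schema', 'sys')
  AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION=_Y_%'
ORDER BY TABLE_SCHEMA, TABLE_NAME;

-- 4. Before restoring a backup of this table to a computer outside RDS,
--    decrypt it, because the instance key is not available there.
ALTER TABLE `app`.`customers` ENCRYPTION='N';
```

Run the audit query again after step 4 (or after any schema change) to confirm exactly which tables are encrypted before taking a backup.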
FAQ
- After I enable TDE, can I still use common database tools, such as Navicat?
Yes, after you enable TDE, you can still use common database tools, such as Navicat.
- After I enable TDE, why is my data still in plaintext?
After you enable TDE, your data is stored on disk as ciphertext. However, when the data is queried, it is decrypted and loaded into memory as plaintext, which is why query results are readable. TDE also encrypts backup files to prevent data leaks. Before you restore the data of your RDS instance from an encrypted backup file to your computer, you must decrypt the data. For more information, see the "Decrypt a table" section of this topic.
References
Related operations
| Operation | Description |
|---|---|
| Enable the TDE function | Enables TDE for an ApsaraDB RDS instance. |