This topic describes how to configure transparent data encryption (TDE) for an ApsaraDB RDS for MySQL instance. TDE encrypts data before it is written to disk and decrypts it when it is read from disk into memory, so the data files on disk are ciphertext while queries still return plaintext. TDE does not increase the size of data files, and you can use it without changing your application.

Prerequisites

  • Your RDS instance runs one of the following MySQL versions and RDS editions:
    • MySQL 8.0 on RDS High-availability Edition (with local SSDs)
    • MySQL 5.7 on RDS High-availability Edition (with local SSDs)
    • RDS MySQL 5.6
  • Alibaba Cloud Key Management Service (KMS) is activated. If KMS is not activated, you can activate it as prompted when you enable TDE.

Background information

The key that is used for TDE is generated and managed by Alibaba Cloud Key Management Service (KMS). ApsaraDB RDS does not provide the key or certificate itself. In specific zones, you can use an Alibaba Cloud-generated key or a custom key that is created from your own key material. You then authorize your RDS instance to use that key.
Note After you enable TDE, data is encrypted with the AES_128_ECB algorithm.

Precautions

  • When you enable TDE, your RDS instance experiences a transient connection interruption. Enable TDE during a maintenance window, make sure that your application reconnects automatically, and proceed with caution.
  • After TDE is enabled, you cannot disable TDE.
  • After TDE is enabled, you cannot change the key that you use.
  • After TDE is enabled, you must decrypt the data of your RDS instance if you want to restore the data to your computer. For more information, see the "Decrypt a table" section of this topic.
  • After TDE is enabled, the CPU utilization of your RDS instance significantly increases.
  • If you use an existing custom key, you must take note of the following items:
    • If you disable the key, schedule the key for deletion, or delete the key material, the key becomes unavailable and the encrypted data can no longer be read.
    • If you revoke the authorization of the key to your RDS instance, your RDS instance becomes unavailable after it restarts.
    • You must use an Alibaba Cloud account or an account that has the AliyunSTSAssumeRoleAccess permission.
    Note For more information about keys, see What is KMS?

Use an Alibaba Cloud-generated key

  1. Go to the Data Security page.
    1. Log on to the ApsaraDB for RDS console. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where your RDS instance resides.
    2. Find your RDS instance and click its ID. In the left-side navigation pane, click Data Security.
  2. On the TDE tab, turn on the switch next to TDE Status.
  3. In the dialog box that appears, select Use an Automatically Generated Key and click OK.

Use an existing custom key

  1. Go to the Data Security page.
    1. Log on to the ApsaraDB for RDS console. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where your RDS instance resides.
    2. Find your RDS instance and click its ID. In the left-side navigation pane, click Data Security.
  2. On the TDE tab, turn on the switch next to TDE Status.
  3. In the dialog box that appears, select Use an Existing Custom Key and click OK.
    Note If you do not have a custom key, click the link to go to the KMS console, create a key, and import your own key material. For more information, see Manage CMKs.

Encrypt a table

Log on to the database where the table you want to encrypt resides. Then, execute the following statement to encrypt the table:

  • MySQL 5.6
    alter table <tablename> engine=innodb,block_format=encrypted;
  • MySQL 5.7 or 8.0
    alter table <tablename> encryption='Y';

Decrypt a table

Log on to the database where the table you want to decrypt resides. Then, execute the following statement to decrypt the table:

  • MySQL 5.6
    alter table <tablename> engine=innodb,block_format=default;
  • MySQL 5.7 or 8.0
    alter table <tablename> encryption='N';
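The following script is an added example, not part of the original topic, that puts the two statements above into a complete workflow on MySQL 5.7 or 8.0: it encrypts tables, verifies the result through information_schema, audits the schema for tables that are still in plaintext, and decrypts a table before it is exported to a machine where the KMS key is not available. The schema `appdb` and the tables `customers` and `payments` are hypothetical. The verification relies on the fact that MySQL 5.7 and 8.0 record the table-level encryption flag in the CREATE_OPTIONS column of information_schema.TABLES; the MySQL 5.6 `block_format` syntax shown above is not covered here.

```sql
-- Added example (not from the original page). Schema and table names are
-- hypothetical; syntax is for MySQL 5.7 / 8.0 on ApsaraDB RDS.
USE appdb;

-- 1. Encrypt each table. ALTER TABLE ... ENCRYPTION rebuilds the table,
--    which is where the CPU and time cost of enabling TDE comes from,
--    so run it one table at a time during a maintenance window.
ALTER TABLE customers ENCRYPTION='Y';
ALTER TABLE payments  ENCRYPTION='Y';

-- 2. Verify: the per-table encryption flag is carried in CREATE_OPTIONS.
--    5.7 renders it as ENCRYPTION="Y" and 8.0 as ENCRYPTION='Y';
--    the LIKE pattern below matches both quoting styles.
SELECT TABLE_SCHEMA,
       TABLE_NAME,
       ENGINE,
       CREATE_OPTIONS
FROM   information_schema.TABLES
WHERE  TABLE_SCHEMA = 'appdb'
  AND  TABLE_TYPE   = 'BASE TABLE'
ORDER  BY TABLE_NAME;

-- 3. Audit: any base table in the schema whose options do not carry the
--    encryption flag is still stored in plaintext on disk.
SELECT TABLE_NAME
FROM   information_schema.TABLES
WHERE  TABLE_SCHEMA = 'appdb'
  AND  TABLE_TYPE   = 'BASE TABLE'
  AND  CREATE_OPTIONS NOT LIKE '%ENCRYPTION=%Y%';

-- 4. Before exporting a table to a computer outside RDS (where the KMS
--    key cannot be used), turn encryption off for that table, run the
--    export, and then re-encrypt it. Each ALTER is another table rebuild.
ALTER TABLE payments ENCRYPTION='N';
-- ... run mysqldump or another export tool against appdb.payments here ...
ALTER TABLE payments ENCRYPTION='Y';
```

Run step 3 after every change and before you rely on TDE for a compliance claim: enabling the TDE switch in the console provisions the key, but a table is only encrypted once its own `ENCRYPTION` option is set, so a freshly created or overlooked table can still be in plaintext.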

FAQ

  • After I enable TDE, can I still use common database tools, such as Navicat?

    Yes, after you enable TDE, you can still use common database tools, such as Navicat.

  • After I enable TDE, why is my data still in plaintext?

    TDE protects data at rest. After you enable TDE, your data is stored in ciphertext on disk, but when it is queried the storage engine decrypts it and loads it into memory in plaintext, so query results and client tools still see plaintext. Backup files of encrypted tables are also encrypted, which prevents data leaks through copied backups, but it also means that such a backup cannot be restored on a computer outside ApsaraDB RDS, because the key stays in KMS. If you need to restore data to your computer, decrypt the tables in the instance first and then create the backup. For more information, see the "Decrypt a table" section of this topic.

References

Configure TDE for an ApsaraDB RDS for SQL Server instance

Related operations

Operation               | Description
------------------------|------------------------------------------------
Enable the TDE function | Enables TDE for an ApsaraDB RDS instance.