Transparent Data Encryption (TDE) encrypts and decrypts data in real time: data is encrypted when files are written to disk and decrypted when files are loaded from disk into memory. TDE does not increase the sizes of data files, and you can use TDE without changing your applications.

Prerequisites

  • Your RDS instance runs one of the following MySQL versions and RDS editions:
    • MySQL 8.0 High-availability Edition (with local SSDs)
    • MySQL 5.7 High-availability Edition (with local SSDs)
    • MySQL 5.6
  • Key Management Service (KMS) is activated. If KMS is not activated, you can activate it when you enable TDE.

Background information

Encryption keys are created and managed by KMS. RDS does not provide the keys and certificates that are required for encryption. For specific zones, you can use the keys that are automatically generated by Alibaba Cloud or use your own key materials to generate data keys, and then authorize your RDS instance to use these keys.
Note After TDE is enabled, the encryption algorithm AES_128_ECB is used.

Precautions

  • Enabling TDE restarts your RDS instance and terminates all of its connections. Make appropriate service arrangements before you enable TDE. Proceed with caution.
  • After TDE is enabled, it cannot be disabled.
  • After TDE is enabled, you cannot change the key.
  • After TDE is enabled, if you want to restore data to your computer, you must decrypt data on your RDS instance.
  • After TDE is enabled, CPU utilization significantly increases.
  • If you use an existing custom key, note the following points:
    • If you disable a key, set a key deletion plan, or delete the key materials, the key becomes unavailable.
    • After you revoke the key that is authorized for an RDS instance, the RDS instance becomes unavailable after it is restarted.
    • You must use an Alibaba Cloud account or an account that has the AliyunSTSAssumeRoleAccess permission.
    Note For more information, see What is KMS?

Use a key that is automatically generated by Alibaba Cloud

  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the target instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. Click the TDE tab. Then, turn on TDE Status.
  6. In the dialog box that appears, select Use an Automatically Generated Key and click OK.
    Note After TDE is enabled, the encryption algorithm AES_128_ECB is used.

Use an existing custom key

  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the target instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. Click the TDE tab. Then, turn on TDE Status.
  6. In the dialog box that appears, select Use an Existing Custom Key and click OK.
    Note If you do not have a custom key, click create a key to go to the KMS console and import the key materials. For more information, see KMS.

Encrypt a table

Log on to the target database and execute one of the following statements to encrypt a table:

  • MySQL 5.6
    alter table <tablename> engine=innodb,block_format=encrypted;
  • MySQL 5.7 or MySQL 8.0
    alter table <tablename> encryption='Y';

Decrypt a table

Execute one of the following statements to decrypt a table that is encrypted with TDE:

  • MySQL 5.6
    alter table <tablename> engine=innodb,block_format=default;
  • MySQL 5.7 or MySQL 8.0
    alter table <tablename> encryption='N';
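The following is an added example, not part of the Alibaba Cloud documentation, that applies the MySQL 5.7/8.0 statement above to a constructed sample table and then checks INFORMATION_SCHEMA to confirm which InnoDB tables in the schema are marked as encrypted. The schema name app and table name customers are constructed; it assumes TDE has already been enabled on the instance as described in the sections above.

```sql
-- Added example (not from the Alibaba Cloud documentation). Assumes TDE is
-- already enabled on the RDS instance; schema `app` and table `customers`
-- are constructed sample names.

CREATE DATABASE IF NOT EXISTS app;
USE app;

-- Constructed sample table. TDE encrypts the InnoDB tablespace on disk,
-- not individual columns, so the table definition is unchanged.
CREATE TABLE IF NOT EXISTS customers (
  id    INT PRIMARY KEY,
  email VARCHAR(255) NOT NULL
) ENGINE=InnoDB;

-- Encrypt the table (MySQL 5.7 / 8.0 syntax from the page).
-- On MySQL 5.6 the equivalent is:
--   ALTER TABLE customers ENGINE=InnoDB, BLOCK_FORMAT=encrypted;
ALTER TABLE customers ENCRYPTION='Y';

-- Verify: on MySQL 5.7 and 8.0, INFORMATION_SCHEMA.TABLES.CREATE_OPTIONS
-- contains ENCRYPTION="Y" for a table whose tablespace is encrypted.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'app' AND TABLE_NAME = 'customers';

-- Audit query: list InnoDB tables in the schema that are NOT marked as
-- encrypted, so no table is left in plaintext after TDE is turned on
-- (enabling TDE on the instance does not encrypt existing tables by itself).
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'app'
  AND ENGINE = 'InnoDB'
  AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION="Y"%';
```

To reverse the change for a single table, run the decrypt statement from the section above (ENCRYPTION='N' on 5.7/8.0) and re-run the audit query; the table should then appear in its result.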

FAQ

  • Q: Can common database tools such as Navicat be used after TDE is enabled?

    A: Yes, common database tools such as Navicat can be used after TDE is enabled.

  • Q: Why is data still in plaintext after it is encrypted?

    A: Data is stored in ciphertext. However, when you query it, the data is decrypted and then loaded into memory in plaintext. After TDE is enabled, data is not leaked even if backup files are disclosed. The backup files are encrypted and cannot be used to restore data to your computer. If you want to restore data to your computer, you must first decrypt data.

References

Configure TDE for an ApsaraDB RDS for SQL Server instance

Related operations

Operation            Description
ModifyDBInstanceTDE  Enables TDE for an RDS instance.