This topic describes how to configure Transparent Data Encryption (TDE) for your ApsaraDB RDS for MySQL instance. TDE allows your RDS instance to encrypt data before it is written to disk and decrypt data when it is read from disk into memory. TDE does not increase the sizes of data files, and you can use it without modifying your application.

Prerequisites

  • Your RDS instance runs one of the following MySQL versions and RDS editions:
    • MySQL 8.0 on RDS High-availability Edition (with local SSDs)
    • MySQL 5.7 on RDS High-availability Edition (with local SSDs)
    • MySQL 5.6
  • Alibaba Cloud Key Management Service (KMS) is activated. If KMS is not activated, you can activate it as prompted when you enable TDE.

Background information

The key used for TDE is created and managed by KMS. ApsaraDB for RDS does not provide the required key or certificate. For specific zones, you can use an automatically generated key or a custom key that is generated by using your own key materials. You can authorize your RDS instance to use a custom key.
Note After you enable TDE, the AES_128_ECB algorithm is used to encrypt data.

Precautions

  • Enabling TDE causes a transient connection error. Therefore, before you enable TDE, we recommend that you schedule the operation for a time when it has the least impact on your workloads, and proceed with caution.
  • You cannot disable TDE after it is enabled.
  • You cannot change the key used for encryption after TDE is enabled.
  • After TDE is enabled, you must decrypt data on your RDS instance if you want to restore the data to your computer. For more information, see the "Decrypt a table" section in this topic.
  • After TDE is enabled, the CPU utilization of your RDS instance significantly increases.
  • If you use an existing custom key for encryption, you must note the following items:
    • If you disable the key, schedule the key for deletion, or delete the key materials, the key becomes unavailable.
    • If you revoke the authorization of the key to your RDS instance, your RDS instance becomes unavailable after it is restarted.
    • You must use your Alibaba Cloud account or an account that has the AliyunSTSAssumeRoleAccess permission.
    Note For more information, see What is KMS?

Use an automatically generated key

  1. Log on to the ApsaraDB for RDS console.
  2. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where your RDS instance resides.
  3. Find your RDS instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the TDE tab, turn on the switch next to TDE Status.
  6. In the dialog box that appears, select Use an Automatically Generated Key and click OK.

Use an existing custom key

  1. Log on to the ApsaraDB for RDS console.
  2. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where your RDS instance resides.
  3. Find your RDS instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the TDE tab, turn on the switch next to TDE Status.
  6. In the dialog box that appears, select Use an Existing Custom Key and click OK.
    Note If you do not have a custom key, you can click create a key to go to the KMS console. On the KMS console, you can import your own key materials to create a custom key. For more information, see Manage CMKs.

Encrypt a table

Log on to the target database. Then, execute one of the following statements to encrypt a table:

  • MySQL 5.6
    alter table <tablename> engine=innodb,block_format=encrypted;
  • MySQL 5.7 or 8.0
    alter table <tablename> encryption='Y';

Decrypt a table

Log on to the target database. Then, execute one of the following statements to decrypt a table that is encrypted by using TDE:

  • MySQL 5.6
    alter table <tablename> engine=innodb,block_format=default;
  • MySQL 5.7 or 8.0
    alter table <tablename> encryption='N';
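
The following SQL is an added example, not part of this topic, that combines the "Encrypt a table" and "Decrypt a table" statements above with the checks a practitioner would run around them: find InnoDB tables that are not yet encrypted, encrypt one, and confirm the result. It assumes MySQL 5.7 or 8.0 and uses a constructed schema name `app_db` and table name `customers`.

```sql
-- Added example (not from the ApsaraDB documentation). Assumes MySQL 5.7 or 8.0
-- with TDE enabled on the instance; `app_db` and `customers` are constructed names.

-- 1. Audit: list InnoDB base tables in the schema whose CREATE_OPTIONS do not
--    yet carry ENCRYPTION="Y". These still hold plaintext on disk.
SELECT TABLE_NAME, ENGINE, CREATE_OPTIONS
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'app_db'
  AND TABLE_TYPE = 'BASE TABLE'
  AND ENGINE = 'InnoDB'
  AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION="Y"%';

-- 2. Generate the ALTER statements for every unencrypted table, so they can be
--    reviewed and run one at a time (each ALTER rebuilds the table, so run them
--    during a maintenance window on large tables).
SELECT CONCAT('ALTER TABLE `', TABLE_SCHEMA, '`.`', TABLE_NAME,
              '` ENCRYPTION=''Y'';') AS encrypt_stmt
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'app_db'
  AND TABLE_TYPE = 'BASE TABLE'
  AND ENGINE = 'InnoDB'
  AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION="Y"%';

-- 3. Encrypt one table (the MySQL 5.7/8.0 statement from this topic).
ALTER TABLE `app_db`.`customers` ENCRYPTION='Y';

-- 4. Verify: CREATE_OPTIONS now contains ENCRYPTION="Y".
SELECT TABLE_NAME, CREATE_OPTIONS
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'app_db' AND TABLE_NAME = 'customers';

-- 5. On MySQL 8.0 the tablespace-level flag can be checked as well.
SELECT NAME, ENCRYPTION
FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
WHERE NAME = 'app_db/customers';

-- 6. Before restoring a backup of this table to a local machine, decrypt it
--    (the MySQL 5.7/8.0 statement from this topic) and re-run step 4 to confirm
--    ENCRYPTION="Y" is gone.
ALTER TABLE `app_db`.`customers` ENCRYPTION='N';
```

Run step 1 again after the bulk change to confirm that no InnoDB table in the schema is left unencrypted.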

FAQ

  • After I enable TDE, can I still use common database tools, such as Navicat?

    Yes, after you enable TDE, you can still use common database tools, such as Navicat.

  • After I enable TDE, why is my data still in plaintext?

    After you enable TDE, your data is stored in ciphertext. However, when the data is queried, it is decrypted and then loaded to the memory in plaintext. TDE encrypts backup files to prevent data leaks. The encrypted backup files cannot be restored to your computer. If you want to restore these backup files to your computer, you must decrypt them. For more information, see the "Decrypt a table" section in this topic.

References

Configure TDE for an ApsaraDB RDS for SQL Server instance

Related operations

Operation  | Description
-----------|-----------------------------------------------
Enable TDE | Enables TDE for an ApsaraDB for RDS instance.