AnalyticDB for MySQL provides a disk encryption feature that encrypts the data on each disk in your cluster at the block storage level. As a result, your data cannot be decrypted even if it is leaked.


After disk encryption is enabled, AnalyticDB for MySQL creates an encrypted disk, attaches the disk to an Elastic Compute Service (ECS) instance, and encrypts the following data in the disk:
  • All data in reserved clusters
  • Hot data in elastic clusters
    Note: Cold data in elastic clusters is not stored on disks and cannot be encrypted within elastic clusters.
  • Data that is transmitted between disks and clusters
  • All snapshots of the encrypted disk, which are classified as encrypted snapshots


  • Disk encryption can be enabled for an AnalyticDB for MySQL cluster only when you create the cluster. You cannot enable this feature after the cluster is created.
  • Disk encryption cannot be disabled after it is enabled.
  • After disk encryption is enabled, both the snapshots generated from reserved clusters and the reserved clusters created from those snapshots are automatically encrypted.
  • Enabling disk encryption affects the read and write performance of the cluster. Typically, the read and write performance is reduced by about 10%.
  • You do not need to modify your application code to access the services after disk encryption is enabled.


Disk encryption requires the use of Key Management Service (KMS). You are charged for key management and API calls in KMS. For more information, see Billing.

Method to enable disk encryption

Disk encryption can be enabled only when you create an AnalyticDB for MySQL cluster. For more information, see Create a cluster. To enable disk encryption, you must specify the related parameters on the cluster buy page.

  1. On the cluster buy page, select Disk Encryption.
  2. If you enable disk encryption for the first time, click Create Service Linked Role.
    • Create Service Linked Role is required only when disk encryption is enabled for the first time. If Created is displayed in the Service-linked Role section, a service-linked role has already been created. You can skip this step.
    • If you want to use disk encryption, you must authorize the service-linked role and use related KMS features. For more information, see Manage the service-linked role for disk encryption.
  3. Select the key that you want to use from the Key drop-down list.
    • If no keys are available in the drop-down list, you must create a key. For more information, see Create a CMK.
    • Disk encryption of AnalyticDB for MySQL supports only the keys that are manually created. When you create a key in the KMS console, you must set Rotation Period to Disable.
    • After KMS is activated, ActionTrail records the operations that you perform on KMS resources. For more information, see Use ActionTrail to query KMS event logs.

    After you specify the disk encryption parameters, perform the subsequent steps in Create a cluster to create the cluster.