All Products
Search

This Product

    AnalyticDB:Disk encryption

    Document Center

    AnalyticDB:Disk encryption

    Last Updated:Mar 28, 2026

    Disk encryption protects data at rest on AnalyticDB for PostgreSQL instances that run in Elastic Storage Mode. It encrypts the entire data disk using block storage—including all snapshots created from that disk—so data remains protected even if storage media is compromised. The feature is free to use.

    What gets encrypted

    Enabling disk encryption protects the following:

    • Data at rest on the disk

    • Data transmitted between the disk and the instance (data on the system disk is not encrypted)

    • All snapshots created from the encrypted disk

    Prerequisites

    Before you enable disk encryption, create a Key Management Service (KMS) encryption key that meets the following requirements:

    • Key type: Only manually created service keys (standard keys) are supported.

    • Key rotation: When creating a standard key, set Rotation Period to Disabled.

    • Account status: Make sure your KMS account has no overdue payments. If the KMS account balance becomes overdue, the disk cannot be decrypted and the instance becomes unavailable.

    For instructions on creating a key, see Create a key. For more information about KMS, see What is Key Management Service.

    Limitations

    • Disk encryption can only be enabled at instance creation time. You cannot enable it on an existing unencrypted instance.

    • Disk encryption cannot be disabled after it is enabled.

    • Snapshots and instances created from encrypted snapshots automatically inherit the encryption property.

    • Disk encryption does not affect running services or require application changes.

    Billing

    The disk encryption feature is free. No extra fees are charged for read and write operations on the disk.

    KMS incurs key management fees and API call fees. For details, see KMS 1.0 billing details.

    Enable disk encryption

    When you create an AnalyticDB for PostgreSQL instance, set the following parameters:

    1. Set Instance Resource Type to Elastic Storage Mode.

    2. Set Encryption Type to Disk Encryption.

    3. Select an encryption key. If you have not created a key yet, follow the on-screen instructions to enable KMS and create one.

      When you grant permissions to enable KMS, audit records are generated in ActionTrail. For details, see Use ActionTrail to query KMS event logs.

    4. Click Buy Now.

    Verify disk encryption

    1. Go to the AnalyticDB for PostgreSQL instances page. In the top navigation bar, select the region, then click the instance ID.

    2. In the Basic Information section, check whether the Key parameter is displayed. If it is, disk encryption is enabled.

    KMS key management

    Warning

    If a KMS key is deleted or disabled, disk data becomes inaccessible, the instance becomes unavailable, and data is permanently lost. Do not delete or disable a KMS key that is in use.

    Keep the following in mind to maintain uninterrupted access to your encrypted instance:

    • Keep the KMS key in an active state for the lifetime of the instance.

    • Monitor your KMS account balance to prevent service interruption due to overdue payments.

    API reference

    APIDescription
    CreateDBInstanceCreates an AnalyticDB for PostgreSQL instance