Enables Transparent Data Encryption (TDE) for an instance.
Operation Description
TDE performs real-time I/O encryption and decryption on data files: data is encrypted before it is written to disk and decrypted when it is read from disk into memory. For more information, see Configure TDE for an ApsaraDB RDS for MySQL instance.
Before you call this operation, make sure that the following requirements are met:
Key Management Service (KMS) is activated. If KMS is not activated, you can activate KMS when you enable TDE.
The instance must run one of the following database engine versions and RDS editions:
- MySQL 8.0 (with a minor engine version of 20191015 or later) on RDS High-availability Edition with local disks
- MySQL 5.7 (with a minor engine version of 20191015 or later) on RDS High-availability Edition with local disks
- MySQL 5.6
- SQL Server 2019 SE or an Enterprise Edition of SQL Server
- PostgreSQL 10, PostgreSQL 11, PostgreSQL 12, PostgreSQL 13, PostgreSQL 14, PostgreSQL 15 with cloud disks and a minor engine version of 20221030 or later
Authorization information
The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:
- Operation: the value that you can use in the Action element to specify the operation on a resource.
- Access level: the access level of each operation. The levels are read, write, and list.
- Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
  - The required resource types are displayed in bold characters.
  - If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
- Condition key: the condition key that is defined by the cloud service.
- Associated operation: other operations that the RAM user or the RAM role must have permissions to perform in order to complete the operation.
Operation | Access level | Resource type | Condition key | Associated operation |
---|---|---|---|---|
rds:ModifyDBInstanceTDE | WRITE | | | none |
Request parameters
Parameter | Type | Required | Description | Example |
---|---|---|---|---|
DBInstanceId | string | Yes | The ID of the instance. You can call the DescribeDBInstances operation to query the ID of the instance. | rm-uf6wjk5**** |
TDEStatus | string | Yes | The status of TDE. Valid values: | Enabled |
DBName | string | No | The name of the database for which you want to enable TDE. You can specify up to 50 database names in a single request. If you specify multiple database names, separate the database names with commas (,). Note: This parameter is available and must be specified only when the instance runs SQL Server 2019 SE or an Enterprise Edition of SQL Server. | testDB |
EncryptionKey | string | No | The ID of the custom key. Note: This parameter is available when the instance runs MySQL or PostgreSQL. | 749c1df7-****-****-****-**** |
RoleArn | string | No | The Alibaba Cloud Resource Name (ARN) of the RAM role. A RAM role is a virtual identity that you can create within your Alibaba Cloud account. For more information, see RAM role overview. Note: This parameter is available when the instance runs MySQL or PostgreSQL. | acs:ram::1406926****:role/aliyunrdsinstanceencryptiondefaultrole |
Certificate | string | No | The file that contains the certificate. | oss-ap-southeast-1.aliyuncs.com:****:key.cer |
PrivateKey | string | No | The file that contains the private key of the certificate. | oss-ap-southeast-1.aliyuncs.com:****:key.pvk |
PassWord | string | No | The password of the certificate. Note: This parameter is available when the instance runs SQL Server 2019 SE or an Enterprise Edition of SQL Server. | 1qaz@WSX |
IsRotate | boolean | No | Specifies whether to replace the key. Valid values: true and false. Default value: false. Note: This parameter is available only when the instance runs PostgreSQL. | false |
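The parameter table above ties several parameters to a specific engine (DBName and PassWord to SQL Server, EncryptionKey and RoleArn to MySQL and PostgreSQL, IsRotate to PostgreSQL), and the error-code table below shows what the service returns when those rules are broken. The following is an added example, not Alibaba Cloud SDK or product code: it checks a request against those constraints before the call is made, and then assembles the RPC-style signed query string (HMAC-SHA1 over the canonicalized query, the scheme the RDS 2014-08-15 API uses). The engine labels "MySQL", "PostgreSQL" and "SQLServer" are this example's own convention; the AccessKey values are placeholders, and the instance ID, key ID and role ARN are the sample values from the table.

```python
"""Pre-flight check and request signing for ModifyDBInstanceTDE (added example)."""
import base64
import hashlib
import hmac
import uuid
from datetime import datetime, timezone
from urllib.parse import quote

MAX_DBNAMES = 50                      # "up to 50 database names in a single request"
SQLSERVER_ONLY = ("DBName", "PassWord")
MYSQL_PG_ONLY = ("EncryptionKey", "RoleArn")
PG_ONLY = ("IsRotate",)


def validate_tde_params(engine: str, params: dict) -> list:
    """Return the constraint violations for a ModifyDBInstanceTDE request.

    An empty list means the parameters are consistent with the request-parameter
    table; each entry names the parameter at fault, so the problem is caught
    locally instead of coming back from the service as a 400.
    """
    problems = []
    for name in ("DBInstanceId", "TDEStatus"):
        if not params.get(name):
            problems.append(f"{name} is required")

    is_sqlserver = engine == "SQLServer"
    for name in SQLSERVER_ONLY:
        if name in params and not is_sqlserver:
            problems.append(f"{name} is only available for SQL Server")
    for name in MYSQL_PG_ONLY:
        if name in params and engine not in ("MySQL", "PostgreSQL"):
            problems.append(f"{name} is only available for MySQL and PostgreSQL")
    for name in PG_ONLY:
        if name in params and engine != "PostgreSQL":
            problems.append(f"{name} is only available for PostgreSQL")

    if is_sqlserver:
        # DBName "must be specified" for SQL Server; omitting it is the
        # service's MissingDBName error. Names are comma-separated, max 50.
        names = [n for n in params.get("DBName", "").split(",") if n.strip()]
        if not names:
            problems.append("DBName is required for SQL Server (MissingDBName)")
        elif len(names) > MAX_DBNAMES:
            problems.append(f"DBName lists {len(names)} databases; at most {MAX_DBNAMES} are allowed")

    # A customer-managed key needs the RAM role that lets RDS use it; the
    # service reports the omission as ByokRoleArnNotFound.
    if params.get("EncryptionKey") and not params.get("RoleArn"):
        problems.append("RoleArn is required when EncryptionKey is set (ByokRoleArnNotFound)")

    if "IsRotate" in params and not isinstance(params["IsRotate"], bool):
        problems.append("IsRotate must be a boolean")
    return problems


def _percent_encode(value) -> str:
    # RFC 3986 encoding as the signature requires: space -> %20, '*' -> %2A,
    # '~' left unencoded. Booleans are sent as lowercase true/false.
    if isinstance(value, bool):
        value = "true" if value else "false"
    return quote(str(value), safe="")


def build_signed_query(access_key_id: str, access_key_secret: str, params: dict,
                       timestamp: str = None, nonce: str = None, method: str = "GET"):
    """Return (query_string, string_to_sign) for a ModifyDBInstanceTDE call.

    timestamp and nonce are injectable so the output is reproducible in tests;
    leave them None in real use to get the current UTC time and a fresh UUID.
    """
    common = {
        "Action": "ModifyDBInstanceTDE",
        "Version": "2014-08-15",
        "Format": "JSON",
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    merged = {**common, **{k: v for k, v in params.items() if v is not None}}
    # Canonicalized query: parameters sorted by name, names and values percent-encoded.
    canonical = "&".join(f"{_percent_encode(k)}={_percent_encode(v)}" for k, v in sorted(merged.items()))
    string_to_sign = f"{method}&{_percent_encode('/')}&{_percent_encode(canonical)}"
    # The HMAC key is the AccessKey secret with a trailing '&'.
    digest = hmac.new((access_key_secret + "&").encode("utf-8"),
                      string_to_sign.encode("utf-8"), hashlib.sha1).digest()
    signature = base64.b64encode(digest).decode("ascii")
    return f"{canonical}&Signature={_percent_encode(signature)}", string_to_sign


# Constructed sample: enable TDE on a PostgreSQL instance with a custom key
# (values are the masked samples from the parameter table, not real resources).
SAMPLE_PARAMS = {
    "DBInstanceId": "rm-uf6wjk5****",
    "TDEStatus": "Enabled",
    "EncryptionKey": "749c1df7-****-****-****-****",
    "RoleArn": "acs:ram::1406926****:role/aliyunrdsinstanceencryptiondefaultrole",
    "IsRotate": False,
}

if __name__ == "__main__":
    issues = validate_tde_params("PostgreSQL", SAMPLE_PARAMS)
    print("validation:", issues or "ok")
    query, _ = build_signed_query("LTAI_placeholder", "secret_placeholder", SAMPLE_PARAMS)
    print("GET https://rds.aliyuncs.com/?" + query)   # public RDS API endpoint
```

The validator deliberately mirrors the service-side errors (MissingDBName, ByokRoleArnNotFound) so that a failed pre-flight check maps directly onto the row in the error-code table a caller would otherwise have to look up; the signing helper keeps the AccessKey secret out of the query itself, which is the point of the HMAC scheme.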
Response parameters
Examples
Sample success responses
JSON format
{
"RequestId": "777C4593-8053-427B-99E2-105593277CAB"
}
Error codes
HTTP status code | Error code | Error message | Description |
---|---|---|---|
400 | InvalidTDEstatus | Specified TDEStatus has already configed in the This instance. | - |
400 | MissingDBName | The request is missing a DBName parameter. | - |
400 | InvalidTDEstatus.Format | The Specified TDEStatus is not valid. | The status of TDE is invalid. |
400 | Invalid.PrivateKey | The requested privateKey parameter is invalid. | The private key in the request is invalid. |
400 | Invalid.Certificate | The requested certificate parameter is invalid. | The certificate in the request is invalid. |
400 | CertOrPrivateKeyOrPasswordNotMatched | The public certificate, private key, and password do not match. | The password of the private key in the certificate failed the verification check. |
400 | InvalidTDEstatus | Specified TDEStatus is not configured on the This custins. | - |
403 | IncorrectDBInstanceType | Current DB instance type does not support this operation. | The operation failed. The RDS instance is not in a ready state. |
403 | IncorrectEngineVersion | Current engine version does not support operations. | The operation failed. The operation is not supported for the version of the database engine that is run on the RDS instance. |
403 | IncorrectDBInstanceLockMode | Current DB instance lock mode does not support this operation. | The operation failed. The RDS instance is locked. |
403 | IncorrectDBInstanceState | Current DB instance state does not support this operation. | - |
403 | DBSizeExceeded | Exceeding the allowed DB size of DB instance. | The size of the database exceeds the maximum size that is allowed. |
403 | IncorrectMinorVersion | Current engine minor version does not support operations. | This operation is not supported for the current minor engine version. |
403 | ByokRoleArnNotFound | The roleArn can not be null. | - |
404 | InvalidClusterKms | this cluster not kms service. | - |
404 | InsufficientResourceCapacity | There is insufficient capacity available for the requested instance. | - |
404 | InvalidDBName.NotFound | Specified one or more DB name does not exist or DB status does not support. | The operation failed. The instance name cannot be found. |
For a list of error codes, visit the Service error codes.
Change history
Change time | Summary of changes | Operation |
---|---|---|
2022-11-16 | The error codes of the API operation change. | |
2022-11-16 | The error codes of the API operation change. The input parameters of the API operation change. | |
2022-06-23 | API description update. The error codes of the API operation change. | |