This topic describes how to configure the disk encryption feature for an ApsaraDB RDS for MySQL instance that is equipped with standard SSDs or enhanced SSDs (ESSDs). The disk encryption feature encrypts the data on each disk of your RDS instance by using block storage. This way, your data cannot be cracked even if it is leaked.

For more information about the disk encryption feature in other database engines, see the following topics:

Prerequisites

Billing

The disk encryption feature is free of charge. You are not charged for the read and write operations that you perform on the encrypted disks.

Precautions

  • The disk encryption feature cannot be disabled after you enable it.
  • If you enable the disk encryption feature for your RDS instance, your RDS instance does not support cross-region backups. For more information, see Enable cross-region backups for an ApsaraDB RDS for MySQL instance.
  • The disk encryption feature does not interrupt your business, and you do not need to modify your application.
  • After you enable the disk encryption feature for your RDS instance, the snapshots that are created for your RDS instance are automatically encrypted. If you use the encrypted snapshots to create an RDS instance that uses standard SSDs or ESSDs, the disk encryption feature is automatically enabled for the new RDS instance.
  • If your Alibaba Cloud Key Management Service (KMS) is overdue, the standard SSDs or ESSDs of your RDS instance become unavailable. Make sure that your KMS is normal. For more information, see What is KMS?
  • If you disable or delete the customer master key (CMK) that is used for disk encryption, your RDS instance cannot run as normal. For example, you cannot create snapshots, restore data from snapshots, or rebuild the secondary RDS instance of your RDS instance.

Check whether the disk encryption feature is enabled for an RDS instance

  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the Basic Information section, check whether the Key parameter can be found. If you can find the parameter, the disk encryption feature is enabled for the RDS instance.
    Key

Enable the disk encryption feature for an RDS instance

When you create an RDS instance, set Edition to High-availability, select the ESSD storage type, select Disk Encryption, and then configure the Key parameter. For more information, see Create an ApsaraDB RDS for MySQL instance.

Note For information about how to create a key, see Create a CMK.

Related operations

Operation Description
Create an instance Creates an ApsaraDB RDS instance.