To improve the security of your data at rest, you can enable disk encryption (free of charge). This ensures that your data remains unreadable even if the storage disks or data backups are compromised. Enabling disk encryption requires no changes to your application code, has a negligible impact on instance performance, and all snapshot backups automatically inherit this encryption.
Disk encryption overview
How it works
Disk encryption uses the industry-standard AES-256 algorithm to encrypt the entire data disk. When enabled, this feature automatically encrypts data before writing it to the disk, storing it as ciphertext. This enhances data security by rendering the data unreadable if the storage disks or data backups are compromised. When an authorized user reads data, the disk automatically decrypts it. The entire process is transparent to your applications and requires no changes to your application code. For more information, see Encrypted disks.
Encryption keys
Key Management Service (KMS) provides the keys required for disk encryption. You can use various types of KMS keys to encrypt your disks, including default keys (service keys and Customer Master Keys), software-protected keys, and hardware-protected keys. The following table describes the differences between these key types.
Key type | Encryption algorithm | Cost | Creator | Key material source | Description
--- | --- | --- | --- | --- | ---
Default key: service key | AES_256 | Free | Cloud service | Created and managed by the cloud service on your behalf | Cannot be deleted or disabled. Each user can have only one service key dedicated to RDS in the same region.
Default key: Customer Master Key (CMK) | AES_256 | Free | User | Generated by KMS or imported by the user | You can control its lifecycle. Each user can have only one CMK per region.
Software-protected key or hardware-protected key | AES_256 | Charged | User | Generated by KMS or imported by the user | You can manage their lifecycles and create multiple keys.
If your business does not require key isolation between instances and you want to reduce costs, you can use a default key (a service key or a Customer Master Key). These key types are free of charge but have quantity limits. Each user can have only one Customer Master Key and one service key dedicated to RDS in the same region.
If you need to use different keys to encrypt different RDS instances or require more features such as credential management and digital signatures, you can purchase a software or hardware key instance and create the corresponding keys. For more information, see Select a KMS instance type.
Applicability
You cannot manually enable disk encryption for an ApsaraDB RDS for MySQL read-only instance.
To enable disk encryption for a primary ApsaraDB RDS for MySQL instance, you must meet the following conditions:
The storage type is ESSD or standard SSD.
The primary instance has no attached read-only instances. If read-only instances are attached, you must first release them before you can enable disk encryption. After disk encryption is enabled, any new read-only instances created for this primary instance will use encrypted disks by default.
You have authorized ApsaraDB RDS to access Key Management Service (KMS).
Billing
The disk encryption feature is free of charge. You are not charged additional fees for any disk read or write operations.
The encryption keys are managed by KMS. Default keys (service keys and Customer Master Keys) are free. KMS charges for the use of software-protected keys and hardware-protected keys.
Precautions
Disk encryption cannot be disabled after it is enabled.
Service interruption: Enabling disk encryption for an existing instance or changing the encryption key causes a brief service interruption of about 30 seconds. Make sure that your application has an automatic reconnection mechanism.
Backup and recovery: After disk encryption is enabled, the instance does not support point-in-time backup or allow you to download backup files. Snapshot backups generated from the instance and instances created from those snapshot backups automatically inherit the encryption attribute.
Key limitations: The instance type constrains which KMS keys you can use. Overdue KMS payments, or disabling or deleting a key, affect every instance that is encrypted with that key.
Key selection constraints: An instance of a general-purpose instance type supports only the service key. An instance of a dedicated instance type can use the service key or other types of user-defined keys.
Impact of overdue KMS payments: If you use a paid key type, such as a software-protected key or a hardware-protected key, an overdue payment for your KMS instance prevents disk decryption and renders the RDS instance unavailable. Make sure that you renew your KMS instance on time.
Impact of disabling or deleting a key: For keys whose lifecycles you can manage, such as a Customer Master Key (CMK), a software-protected key, or a hardware-protected key, disabling or deleting the key will lock the associated RDS instance. The instance becomes inaccessible and stops functioning. All O&M operations, such as backups, configuration changes, restarts, and HA switchovers, will fail.
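The following Python check is an added example, not code from the ApsaraDB RDS documentation: it maps the key state reported for an instance to the outcomes listed above, so that a key is not disabled, deleted or left to expire while an encrypted instance still depends on it. The response field names (EncryptionKey, KeyStatus, Origin, DeleteDate, MaterialExpireState) are assumed to follow the DescribeDBInstanceEncryptionKey operation, and the sample response is constructed.

```python
"""Pre-flight check for the KMS key behind an RDS instance's disk encryption.

Added example, not code from the ApsaraDB RDS documentation. The field names
used below are assumed to match the DescribeDBInstanceEncryptionKey response;
confirm them against the current API reference before relying on this.
"""
import json

# Constructed sample response (not captured from a real account): a
# user-managed key that someone has scheduled for deletion in KMS.
SAMPLE_RESPONSE = {
    "RequestId": "constructed-request-id",
    "EncryptionKey": "00000000-0000-0000-0000-000000000000",  # placeholder key ID
    "KeyStatus": "PendingDeletion",
    "Origin": "Aliyun_KMS",
    "DeleteDate": "2030-01-01T00:00:00Z",
    "MaterialExpireState": "",
}

_RANK = {"ok": 0, "warning": 1, "critical": 2}


def assess_encryption_key(response: dict) -> dict:
    """Return the worst finding for the key an encrypted instance depends on."""
    key_id = response.get("EncryptionKey") or ""
    if not key_id:
        return {"encrypted": False, "severity": "ok",
                "findings": ["disk encryption is not enabled on this instance"]}
    severity, findings = "ok", []

    def raise_to(level: str) -> None:
        nonlocal severity
        severity = level if _RANK[level] > _RANK[severity] else severity

    status = response.get("KeyStatus") or "Unknown"
    if status != "Enabled":
        # A disabled or deleted key locks the instance: backups, restarts and
        # HA switchovers all fail until the key is usable again.
        raise_to("critical")
        findings.append(f"key {key_id} is {status}; the RDS instance is locked")
    if response.get("DeleteDate"):
        raise_to("warning")
        findings.append(f"key {key_id} is scheduled for deletion on "
                        f"{response['DeleteDate']}; cancel it or use Change Key first")
    if response.get("Origin") == "EXTERNAL" and \
            response.get("MaterialExpireState") == "Expired":
        raise_to("critical")  # imported material that expired is unusable
        findings.append(f"imported key material for {key_id} has expired")
    return {"encrypted": True, "severity": severity, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(assess_encryption_key(SAMPLE_RESPONSE), indent=2))
```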
Enable disk encryption
For new instances
Go to the ApsaraDB RDS for MySQL buy page and click the Standard Creation tab in the upper-left corner.
In the Storage Type section, select a disk storage type, and then select the Cloud Disk Encryption checkbox on the right.
Select a key.
To use a service key (free of charge), select Default Service CMK. You can select this option regardless of whether a service key exists in the current region.
To use a Customer Master Key (free of charge), software-protected key (charged), or hardware-protected key (charged), select the key from the drop-down list if it already exists. If the key does not exist, click Create Now to create a key in the KMS console.
Note: If you do not have a service key in the current region, selecting Default Service CMK automatically creates a service key with the alias alias/acs/rds.
If a service key already exists, selecting Default Service CMK does not create a new one. Instead, the existing service key with the alias alias/acs/rds is used for encryption by default. Each Alibaba Cloud service has only one service key in a region.
Configure other parameters based on your business requirements. After you complete the payment, go to the Instances page, click the ID of the target instance, and confirm that the key information appears in the Basic Information section. This indicates that disk encryption is enabled.
For existing instances
Enabling disk encryption for an existing instance causes a brief service interruption of about 30 seconds. Make sure that your application has an automatic reconnection mechanism.
Go to the Instances page. In the top navigation bar, select the region where the instance resides. Then, click the ID of the instance.
In the left-side navigation pane, click Data Security.
Click the Data Encryption tab, and then click Enable Disk Encryption.
In the dialog box that appears, select a key and click OK. The status of the instance immediately changes to Modifying Parameters.
Wait for the process to complete. When the instance status changes to Running and the encryption information is displayed on the Data Encryption tab, it indicates that disk encryption is enabled.
Change encryption key
You can change the encryption key for an ApsaraDB RDS for MySQL instance of a dedicated instance type if disk encryption is enabled. An instance of a general-purpose instance type uses only the service key, and this key cannot be changed.
Changing an encryption key causes a brief service interruption of about 30 seconds. Make sure that your application has an automatic reconnection mechanism.
Go to the Instances page. In the top navigation bar, select the region where the instance resides. Then, click the ID of the instance.
In the left-side navigation pane, click Data Security.
On the Data Encryption tab, click Change Key.
In the Change Data Disk Encryption Key dialog box, select a key and click OK.
Related topics
For a comparison of Transparent Data Encryption (TDE), disk encryption, and always-confidential databases, see Comparison of database encryption technologies.
Use disk encryption for other database engines:
Related API operation: DescribeDBInstanceEncryptionKey, which queries the disk encryption status and key details of an instance.