This topic describes how to configure disk encryption for an ApsaraDB RDS for PostgreSQL instance. Disk encryption ensures the security of your data.

Background information

Disk encryption protects the data that is stored on standard SSDS or enhanced SSDs (ESSDs) and eliminates the need to modify your business or application. In addition, ApsaraDB RDS automatically applies disk encryption to both the snapshots that are generated from the encrypted standard SSDS or ESSDs and to the standard SSDs or ESSDs that are created from those snapshots.

Disk encryption is free of charge. You are not charged for the read and write operations that you perform on the encrypted standard SSDs or ESSDs.


  • A customer master key (CMK) that is used for disk encryption is created. For more information, see Procedure. You can enable disk encryption for your RDS instance only when you create the RDS instance.
  • When you create an RDS instance, the parameters that specify the edition, storage type, and instance family are specified based on the following table.
    • Edition: High-availability Edition.
    • Storage type: Standard SSD or ESSD.
    • Instance family: Dedicated instance family.


  • You cannot disable disk encryption after you enable the feature.
  • If you enable the disk encryption feature for your RDS instance, your RDS instance does not support cross-region backups. For more information, see Use the cross-region backup feature for an ApsaraDB RDS for PostgreSQL instance.
  • Disk encryption does not interrupt your business, and you do not need to modify your applications.
  • If you enable disk encryption for your RDS instance, the snapshots that are created for the instance are automatically encrypted. If you use the encrypted snapshots to create an RDS instance that uses standard SSDs or ESSDs, the disk encryption feature is automatically enabled for the new RDS instance.
  • If your Key Management Service (KMS) has overdue payments, the standard SSDs or ESSDs of your RDS instance become unavailable. Make sure that your KMS does not have overdue payments. For more information, see What is KMS?
  • If you disable or delete the CMK that is used for disk encryption, your RDS instance cannot run as normal. For example, you cannot create snapshots, restore data from snapshots, or rebuild the secondary RDS instance of your RDS instance.


  1. Log on to the KMS console.
  2. In the top navigation bar, select the region where you want to create an RDS instance.
  3. Click Create Key.
  4. Configure the following parameters.
    Parameter Description
    KMS Instance The KMS instance that you use. KMS instances can be deployed in the VPC of a tenant to allow access over private networks.

    For more information, see Overview.

    Key Spec The type of the CMK. Valid values:
    • Symmetric:
      • Aliyun_AES_256
      • Aliyun_SM4
    • Asymmetric:
      • RSA_2048
      • RSA_3072
      • EC_P256
      • EC_P256K
      • EC_SM2
    Note Aliyun_SM4 and EC_SM2 types are supported only for regions in mainland China where managed hardware security modules (HSMs) are used.
    Purpose The purpose of the CMK. Valid values:
    • Encrypt/Decrypt: encrypts or decrypts data.
    • Sign/Verify: generates or verifies a digital signature.
    Alias Name The alias of the CMK, which helps identify the CMK. Aliases are optional to CMKs.

    For more information, see Overview.

    Protection Level The protection level of the CMK. Valid values:
    • Software: The CMK is protected by using a software module.
    • Hsm: The CMK is managed in an HSM, which is dedicated to safeguard the CMK.
    Description The description of the CMK.
    Rotation Period The interval of automatic rotation. Valid values:
    • 30 Days
    • 90 Days
    • 180 Days
    • 365 Days
    • Disable: Automatic rotation is disabled.
    • Customize: You can customize an interval that ranges from 7 days to 730 days.
    Note You can specify this parameter only when you set the Key Spec parameter to Aliyun_AES_256 or Aliyun_SM4.
  5. Click OK.
  6. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy. Then, the RDS instance that you created can access your cloud resources. Authorization is required only the first time you enable disk encryption.
    Note You can log on to the RAM console to check whether you have the permissions of the AliyunRDSInstanceEncryptionDefaultRole RAM role.
  7. Create an RDS instance. Select Disk Encryption when you create the instance. For more information, see Create an ApsaraDB RDS for PostgreSQL instance.
    Note After the RDS instance is created, you can go to the Basic Information page of the instance and view the CMK that is used for disk encryption.