ApsaraDB RDS:Configure disk encryption for an ApsaraDB RDS for PostgreSQL instance

Prerequisites

• A customer master key (CMK) that is used for disk encryption is created. For more information, see Procedure. You can enable disk encryption for your RDS instance only when you create the RDS instance.
• When you create an RDS instance, the parameters that specify the edition, storage type, and instance family are specified based on the following table.
  • Edition: High-availability Edition.
  • Storage type: Standard SSD or ESSD.
  • Instance family: Dedicated instance family.

Precautions

• You cannot disable disk encryption after you enable the feature.
• If you enable the disk encryption feature for your RDS instance, your RDS instance does not support cross-region backups. For more information, see Use the cross-region backup feature for an ApsaraDB RDS for PostgreSQL instance.
• Disk encryption does not interrupt your business, and you do not need to modify your applications.
• If you enable disk encryption for your RDS instance, the snapshots that are created for the instance are automatically encrypted. If you use the encrypted snapshots to create an RDS instance that uses standard SSDs or ESSDs, the disk encryption feature is automatically enabled for the new RDS instance.
• If your Key Management Service (KMS) has overdue payments, the standard SSDs or ESSDs of your RDS instance become unavailable. Make sure that your KMS does not have overdue payments. For more information, see What is KMS?
• If you disable or delete the CMK that is used for disk encryption, your RDS instance cannot run as normal. For example, you cannot create snapshots, restore data from snapshots, or rebuild the secondary RDS instance of your RDS instance.

Procedure

1. Log on to the KMS console.
2. In the top navigation bar, select the region where you want to create an RDS instance.
3. Click Create Key.
4. Configure the following parameters.

   Parameter	Description
   KMS Instance	The KMS instance that you use.
   Key Spec	The type of the CMK. Valid values: Types of symmetric keys Aliyun_AES_256 Aliyun_SM4 Types of asymmetric keys RSA_2048 RSA_3072 EC_P256 EC_P256K EC_SM2 Note Aliyun_SM4 and EC_SM2 types are supported only for regions in the Chinese mainland in which managed hardware security modules (HSMs) are used. RSA_3072 is supported only by a dedicated KMS instance.
   Purpose	The purpose of the CMK. Valid values: Encrypt/Decrypt: encrypts or decrypts data. Sign/Verify: generates or verifies a digital signature.
   Alias Name	The alias of the CMK, which helps identify the CMK. Aliases are optional to CMKs. For more information, see Overview.
   Protection Level	Valid values: Software: The CMK is protected by using a software module. Hsm: The CMK is managed in an HSM, and the HSM safeguards the CMK.
   Description	The description of the CMK.
   Rotation Period	The interval of automatic rotation of symmetric keys. Valid values: 30 Days. 90 Days. 180 Days. 365 Days. Disable: Automatic rotation is disabled. Customize: You can customize an interval that ranges from 7 days to 730 days. Note You can configure this parameter only if you set the Key Spec parameter to Aliyun_AES_256 or Aliyun_SM4.

5. Click OK.
6. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy. Then, the RDS instance that you created can access your cloud resources. Authorization is required only the first time you enable disk encryption.
   Note You can log on to the RAM console to check whether you have the permissions of the AliyunRDSInstanceEncryptionDefaultRole RAM role.
7. Create an RDS instance. Select Disk Encryption when you create the instance. For more information, see Create an ApsaraDB RDS for PostgreSQL instance.
   Note After the RDS instance is created, you can go to the Basic Information page of the instance and view the CMK that is used for disk encryption.