This topic describes how to configure disk encryption for an ApsaraDB RDS for PostgreSQL instance. Disk encryption ensures the security of your data.

Background information

Disk encryption protects the data that is stored on standard SSDS or enhanced SSDs (ESSDs) and eliminates the need to modify your business or application. In addition, ApsaraDB RDS automatically applies disk encryption to both the snapshots that are generated from the encrypted standard SSDS or ESSDs and to the standard SSDs or ESSDs that are created from those snapshots.

Disk encryption is free of charge. You are not charged for the read and write operations that you perform on the encrypted standard SSDs or ESSDs.


  • A customer master key (CMK) that is used for disk encryption is created. For more information, see Procedure. You can enable disk encryption for your RDS instance only when you create the RDS instance.
  • When you create an RDS instance, the parameters that specify the edition, storage type, and instance family are specified based on the following table.
    • Edition: High-availability Edition.
    • Storage type: Standard SSD or ESSD.
    • Instance family: Dedicated instance family.


  • You cannot disable disk encryption after you enable the feature.
  • If you enable the disk encryption feature for your RDS instance, your RDS instance does not support cross-region backups. For more information, see Use the cross-region backup feature for an ApsaraDB RDS for PostgreSQL instance.
  • Disk encryption does not interrupt your business, and you do not need to modify your applications.
  • If you enable disk encryption for your RDS instance, the snapshots that are created for the instance are automatically encrypted. If you use the encrypted snapshots to create an RDS instance that uses standard SSDs or ESSDs, the disk encryption feature is automatically enabled for the new RDS instance.
  • If your Key Management Service (KMS) has overdue payments, the standard SSDs or ESSDs of your RDS instance become unavailable. Make sure that your KMS does not have overdue payments. For more information, see What is KMS?
  • If you disable or delete the CMK that is used for disk encryption, your RDS instance cannot run as normal. For example, you cannot create snapshots, restore data from snapshots, or rebuild the secondary RDS instance of your RDS instance.


  1. Log on to the KMS console.
  2. In the top navigation bar, select the region where you want to create an RDS instance.
  3. Click Create Key.
  4. Configure the following parameters.
    KMS InstanceThe KMS instance that you use.
    Key SpecThe type of the CMK. Valid values:
    • Types of symmetric keys
      • Aliyun_AES_256
      • Aliyun_SM4
    • Types of asymmetric keys
      • RSA_2048
      • RSA_3072
      • EC_P256
      • EC_P256K
      • EC_SM2
    • Aliyun_SM4 and EC_SM2 types are supported only for regions in the Chinese mainland in which managed hardware security modules (HSMs) are used.
    • RSA_3072 is supported only by a dedicated KMS instance.
    PurposeThe purpose of the CMK. Valid values:
    • Encrypt/Decrypt: encrypts or decrypts data.
    • Sign/Verify: generates or verifies a digital signature.
    Alias NameThe alias of the CMK, which helps identify the CMK. Aliases are optional to CMKs.

    For more information, see Overview.

    Protection LevelValid values:
    • Software: The CMK is protected by using a software module.
    • Hsm: The CMK is managed in an HSM, and the HSM safeguards the CMK.
    DescriptionThe description of the CMK.
    Rotation PeriodThe interval of automatic rotation of symmetric keys. Valid values:
    • 30 Days.
    • 90 Days.
    • 180 Days.
    • 365 Days.
    • Disable: Automatic rotation is disabled.
    • Customize: You can customize an interval that ranges from 7 days to 730 days.
    Note You can configure this parameter only if you set the Key Spec parameter to Aliyun_AES_256 or Aliyun_SM4.
  5. Click OK.
  6. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy. Then, the RDS instance that you created can access your cloud resources. Authorization is required only the first time you enable disk encryption.
    Note You can log on to the RAM console to check whether you have the permissions of the AliyunRDSInstanceEncryptionDefaultRole RAM role.
  7. Create an RDS instance. Select Disk Encryption when you create the instance. For more information, see Create an ApsaraDB RDS for PostgreSQL instance.
    Note After the RDS instance is created, you can go to the Basic Information page of the instance and view the CMK that is used for disk encryption.