This topic describes how to configure disk encryption for an ApsaraDB RDS for SQL Server instance that uses standard SSDs or enhanced SSDs (ESSDs). The disk encryption feature provides maximum protection for your data and removes the need to modify your business or application configurations.
Introduction
ApsaraDB RDS provides the disk encryption feature free of charge for RDS instances that use standard SSDs or ESSDs. After you enable this feature for your RDS instance, the data disks of the instance are encrypted in their entirety at the block storage level. This way, your data cannot be deciphered even if it is leaked. Disk encryption does not interrupt your workloads. In addition, you do not need to modify your application configurations.
Prerequisites
- Your RDS instance does not belong to the shared instance family. For more information, see ApsaraDB RDS instance families.
- Your RDS instance is being created. You can enable the disk encryption feature only when you create the instance. After the instance is created, you cannot enable the feature.
- The Standard SSD or Enhanced SSD storage type is selected when you are creating your RDS instance. For more information, see Storage types.
Billing rules
The disk encryption feature is free of charge. You are not charged for the read and write operations that you perform on the encrypted disks.
Precautions
- The disk encryption feature cannot be disabled after it is enabled.
- If you enable the disk encryption feature for your RDS instance, your RDS instance does not support cross-region backups. For more information, see Enable cross-region backups for an ApsaraDB RDS for SQL Server instance.
- Disk encryption does not interrupt your workloads. In addition, you do not need to modify your application configurations.
- If you enable the disk encryption feature for your RDS instance, the snapshots that are created for the instance are automatically encrypted. In addition, if you use the encrypted snapshots to create an RDS instance that uses standard SSDs or ESSDs, the disk encryption feature is automatically enabled for the new RDS instance.
- If your Key Management Service (KMS) has overdue payments, the standard SSDs or ESSDs of your RDS instance become unavailable. Make sure that your KMS is in a normal state. For more information, see What is KMS?
- If you disable or delete the customer master key (CMK) that is used for disk encryption, your RDS instance cannot run as expected. For example, you cannot create snapshots, restore data from snapshots, or rebuild the secondary RDS instance of your RDS instance.
Procedure
When you create an RDS instance, select the Standard SSD or Enhanced SSD storage type, select the Disk Encryption option to the right of the selected storage type, and then select a key that is used for encryption. For more information, see Create an ApsaraDB RDS for SQL Server instance.
