This topic describes how to configure Transparent Data Encryption (TDE) for an ApsaraDB RDS for MySQL instance. You can use TDE to perform real-time I/O encryption and decryption on data files. Data is encrypted before it is written to a disk and is decrypted when it is read from a disk to the memory. TDE does not increase the size of data files. Developers can use TDE without the need to modify the configurations of their applications.
Prerequisites
- Your RDS instance runs one of the following MySQL versions and RDS editions:
- MySQL 8.0 (with a minor engine version of 20191015 or later) on RDS High-availability Edition with local SSDs
- MySQL 5.7 (with a minor engine version of 20191015 or later) on RDS High-availability Edition with local SSDs
- MySQL 5.6
Note For more information about how to update the minor engine version of an ApsaraDB RDS for MySQL instance, see Update the minor engine version of an ApsaraDB RDS for MySQL instance.
- Key Management Service (KMS) is activated. If KMS is not activated, you can activate KMS when you enable TDE.
Background information
Precautions
- We recommend that you update the minor engine version of your RDS instance to the latest version to ensure the stability of the instance. If read-only RDS instances are attached to your RDS instance, we recommend that you update the minor engine versions of your RDS instance and all the read-only RDS instances to the latest version. For more information, see Update the minor engine version of an ApsaraDB RDS for MySQL instance.
- When you enable TDE, your RDS instance restarts. As a result, a transient disconnection occurs. Proceed with caution. Before you enable TDE, we recommend that you make appropriate arrangements for your workloads based on your business requirements.
- After you enable TDE, you cannot disable TDE.
- After you enable TDE, you cannot change the key that is used for TDE.
- After you enable TDE, you must decrypt the data on your RDS instance if you want to restore the data to an on-premises database. For more information, see the "Decrypt a table" section of this topic.
- After you enable TDE, the CPU utilization of your RDS instance significantly increases.
- If you use an existing custom key for TDE, take note of the following information:
- If you disable the key, configure a plan to delete the key, or delete the key material, the key becomes unavailable.
- If your RDS instance restarts after you revoke the key, your RDS instance becomes unavailable.
- You must use an Alibaba Cloud account or an account to which the AliyunSTSAssumeRoleAccess policy is attached.
Note For more information about keys, see What is Key Management Service?
Use an automatically generated key
Use an existing custom key
Encrypt a table
If you want to encrypt a table on an RDS instance, you must log on to the RDS instance and execute the following statements:
- If the RDS instance runs MySQL 5.6, execute the following statement:
alter table <tablename> engine=innodb,block_format=encrypted;
- If the RDS instance runs MySQL 5.7 or MySQL 8.0, execute the following statement:
alter table <tablename> encryption='Y';
Decrypt a table
If you want to decrypt a table on an RDS instance, you must log on to the RDS instance and execute the following statements:
- If the RDS instance runs MySQL 5.6, execute the following statement:
alter table <tablename> engine=innodb,block_format=default;
- If the RDS instance runs MySQL 5.7 or MySQL 8.0, execute the following statement:
alter table <tablename> encryption='N';
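Enabling TDE on the instance only makes the key available; each table is encrypted or decrypted by the ALTER TABLE statements above, so a practitioner usually wants a way to generate the right statement for the instance's MySQL version and to audit which tables are still stored in plaintext. The script below is an added example, not code from Alibaba Cloud or the ApsaraDB RDS product. It assumes (this is not stated on the page) that MySQL 5.7 and 8.0 report the per-table setting in the CREATE_OPTIONS column of information_schema.TABLES as ENCRYPTION="Y" or ENCRYPTION='Y' after the ALTER; the MySQL 5.6 block_format setting is only generated, not audited, because it has no such column. The rows used at the bottom are constructed sample data standing in for query output.

```python
"""Per-table TDE helper for ApsaraDB RDS for MySQL (added example, not Alibaba Cloud code).

Assumptions not taken from the page: encryption status is read from
CREATE_OPTIONS in information_schema.TABLES, which MySQL 5.7 populates with
ENCRYPTION="Y" and MySQL 8.0 with ENCRYPTION='Y' once a table has been altered
with encryption='Y'. The MySQL 5.6 block_format setting is generated only.
"""
import re
from typing import Iterable, List, Optional, Sequence, Tuple

# Accepts ENCRYPTION="Y", ENCRYPTION='y', ENCRYPTION=N (either quote style, any case).
_ENC_RE = re.compile(r"""ENCRYPTION\s*=\s*['"]?([YN])['"]?""", re.IGNORECASE)

# Query to run through a DB-API cursor on the instance; its rows feed the audit below.
AUDIT_QUERY = (
    "SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS "
    "FROM information_schema.TABLES "
    "WHERE TABLE_TYPE = 'BASE TABLE' AND ENGINE = 'InnoDB' "
    "AND TABLE_SCHEMA NOT IN ('mysql', 'information_schema', 'performance_schema', 'sys')"
)

Row = Tuple[str, str, Optional[str]]  # (TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS)


def quote_ident(name: str) -> str:
    """Backtick-quote a MySQL identifier so a table name is never spliced in raw."""
    if not name or "\0" in name:
        raise ValueError("invalid identifier")
    return "`" + name.replace("`", "``") + "`"


def tde_statement(version: str, table: str, schema: Optional[str] = None,
                  encrypt: bool = True) -> str:
    """Return the page's ALTER TABLE statement for the given MySQL major version."""
    ident = quote_ident(table) if schema is None else f"{quote_ident(schema)}.{quote_ident(table)}"
    if version.startswith("5.6"):
        block_format = "encrypted" if encrypt else "default"
        return f"alter table {ident} engine=innodb,block_format={block_format};"
    if version.startswith(("5.7", "8.0")):
        flag = "Y" if encrypt else "N"
        return f"alter table {ident} encryption='{flag}';"
    raise ValueError(f"unsupported MySQL version for TDE: {version}")


def encryption_status(create_options: Optional[str]) -> Optional[bool]:
    """True if CREATE_OPTIONS reports ENCRYPTION=Y, False for N, None if the option is absent."""
    m = _ENC_RE.search(create_options or "")
    if m is None:
        return None
    return m.group(1).upper() == "Y"


def unencrypted_tables(rows: Iterable[Row]) -> List[Tuple[str, str]]:
    """Tables whose CREATE_OPTIONS do not report ENCRYPTION=Y (absent counts as plaintext)."""
    return [(schema, table) for schema, table, opts in rows
            if encryption_status(opts) is not True]


def remediation_plan(version: str, rows: Sequence[Row]) -> List[str]:
    """ALTER statements that would encrypt every table still stored in plaintext."""
    return [tde_statement(version, table, schema)
            for schema, table in unencrypted_tables(rows)]


# Constructed sample rows standing in for AUDIT_QUERY output (not real instance data).
SAMPLE_ROWS: List[Row] = [
    ("app", "orders", 'ENCRYPTION="Y"'),                        # 5.7 quote style
    ("app", "customers", "row_format=DYNAMIC ENCRYPTION='Y'"),  # 8.0 quote style
    ("app", "audit_log", ""),                                   # never altered
    ("app", "legacy", 'ENCRYPTION="N"'),                        # decrypted earlier
]

if __name__ == "__main__":
    for stmt in remediation_plan("8.0", SAMPLE_ROWS):
        print(stmt)
```

Run the audit against a real instance by executing AUDIT_QUERY with your MySQL client library and passing cursor.fetchall() to remediation_plan; review the generated statements before executing them, because each ALTER TABLE rebuilds the table and, as the FAQ above notes, the plaintext copy on your own computer still needs the table decrypted before an on-premises restore.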
FAQ
- After I enable TDE, can I use common database tools such as Navicat?
Yes, after you enable TDE, you can use common database tools such as Navicat.
- After I enable TDE, can I migrate data from my RDS instance to a different RDS instance?
Yes, after you enable TDE, you can migrate data from your RDS instance to a different RDS instance.
- After I enable TDE, why is my data still in plaintext?
After you enable TDE, your data is stored in ciphertext. However, when the data is queried, it is decrypted and then loaded in plaintext to the memory. TDE encrypts backup files to prevent data leaks. Before you restore the data of your RDS instance from an encrypted backup file to your computer, you must decrypt the file. For more information, see the "Decrypt a table" section of this topic.
References
Related operations
| Operation | Description |
|---|---|
| Enable TDE | Enables TDE for an ApsaraDB RDS instance. |