This topic describes how to configure Transparent Data Encryption (TDE) for an ApsaraDB RDS for SQL Server instance. TDE can perform real-time I/O encryption and decryption on data files. Data is encrypted before it is written to a disk and is decrypted when it is read from a disk and written to the memory. After TDE is enabled for your RDS instance, the size of data files in the instance does not increase. You can use TDE without the need to modify the configurations of your application.

Prerequisites

  • The RDS instance must run one of the following database engine versions:
    • SQL Server 2019 SE
    • SQL Server EE
  • Your RDS instance belongs to the general-purpose instance family or the dedicated instance family.
  • Your RDS instance is not a read-only instance. For more information, see Create a read-only ApsaraDB RDS for SQL Server instance.
  • If you want to use Bring Your Own Keys (BYOKs), you must have obtained the certificate, private key, and password that are used for encryption and decryption.

Usage notes

  • TDE cannot be disabled at the instance level after it is enabled for an RDS instance. However, TDE can be enabled or disabled for individual databases based on your business requirements.
  • If you use Key Management Service (KMS) to generate a key after you enable TDE for an RDS instance, you must disable TDE for the RDS instance before you restore the data of the RDS instance to a self-managed database. For more information, see Disable TDE.
    Note After you disable TDE, some transaction logs are still encrypted. The backup files that are downloaded cannot be used to restore the data of the RDS instance. In this case, wait until three log backups and one full backup are complete on the RDS instance. Then, download the most recent full backup file that is generated. This full backup file contains the decrypted data of the RDS instance. For more information, see Database Encryption in SQL Server 2008 Enterprise Edition. For more information about how to configure a backup policy, see Back up an ApsaraDB RDS for SQL Server instance.
  • After you enable TDE for an RDS instance, the CPU utilization of the RDS instance significantly increases.

Enable TDE

  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the left-side navigation pane, click Data Security.
  3. On the TDE tab, turn on the switch next to TDE Status.
    Note You can enable TDE only when the RDS instance meets the requirements that are described in the "Prerequisites" section of this topic.
  4. Select a key.
    • If you select Use a key automatically generated by Alibaba Cloud, perform the following operations:
      In the TDE Settings dialog box, select databases from the Unselected Databases section, click the icon to move the selected databases to the Selected Databases section, and then click OK.
    • If you select Encrypt with own SQL Server key, perform the following operations:
      1. Upload the certificate file and the private key file to your OSS bucket. For more information, see Upload objects.
      2. Click Next step and configure the following parameters.
         Parameter     Description
         OSS Bucket    The OSS bucket in which the certificate file and the private key file are stored.
         Certificate   The certificate file that you uploaded to the OSS bucket.
         Private key   The private key file that you uploaded to the OSS bucket.
         Password      The password of your own SQL Server key.
      3. Click Next step to go to the Authorization database step.
         Select databases from the Unselected Databases section, click the icon to move the selected databases to the Selected Databases section, and then click Confirm.

Disable TDE

After TDE is enabled for an RDS instance, it cannot be disabled at the instance level. To disable TDE for an individual database, remove the database from the Selected Databases section.

  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the left-side navigation pane, click Data Security.
  3. Click the TDE tab. Then, click TDE Settings.
  4. Select databases from the Selected Databases section, click the icon to move the selected databases to the Unselected Databases section, and then click OK.
Note After you disable TDE, some transaction logs are still encrypted. The backup files that are downloaded cannot be used to restore the data of the RDS instance. In this case, wait until three log backups and one full backup are complete on the RDS instance. Then, download the most recent full backup file that is generated. This full backup file contains the decrypted data of the RDS instance. For more information, see Database Encryption in SQL Server 2008 Enterprise Edition. For more information about how to configure a backup policy, see Back up an ApsaraDB RDS for SQL Server instance.