This topic describes how to configure Transparent Data Encryption (TDE) for an ApsaraDB RDS for SQL Server instance. TDE encrypts and decrypts data and log files in real time at the I/O level: pages are encrypted before they are written to disk and decrypted when they are read from disk into memory. Enabling TDE does not increase the size of data files, and the connected application does not need to be modified, because encryption and decryption are transparent to it.
Prerequisites
- Your RDS instance runs SQL Server 2019 SE or an Enterprise Edition of SQL Server.
- Your RDS instance is not a read-only instance. For more information, see Create a read-only ApsaraDB RDS for SQL Server instance.
- If you want to use Bring Your Own Key (BYOK), you have obtained the certificate, the private key, and the password that are used for encryption and decryption.
Precautions
- After TDE is enabled for an RDS instance, it cannot be disabled at the instance level. TDE can still be disabled for an individual database after it is enabled for that database.
- If you enabled TDE on an RDS instance with a key generated by Key Management Service (KMS), you must disable TDE for the databases that you want to restore before you can restore the data of the RDS instance to a self-managed database. For more information, see the "Disable TDE" section of this topic.
Note: After you disable TDE for a database, parts of its transaction log remain encrypted, so backup files that you download immediately afterwards cannot be used to restore the data to a self-managed database. Wait until three log backups and one full backup have completed on the RDS instance, then download the most recent full backup file; that full backup contains the decrypted data of the database. For more information, see Database Encryption in SQL Server 2008 Enterprise Edition. For more information about how to configure a backup policy, see Back up an ApsaraDB RDS for SQL Server instance.
- After you enable TDE for an RDS instance, the CPU utilization of the RDS instance increases significantly, because every page is encrypted on write and decrypted on read. Plan instance capacity accordingly.
Enable TDE
Disable TDE
After TDE is enabled for an RDS instance, it cannot be disabled at the instance level. To disable TDE for a database, remove the database from the Selected Databases section as follows:
- Go to the RDS instance list, select the region in the top navigation bar, and click the ID of the target instance.
- In the left-side navigation pane, click Data Security.
- Click the TDE tab in the upper section of the page. Then, click TDE Settings on the TDE tab.
- In the TDE Settings dialog box, select the databases in the Selected Databases section, click the icon to move them to the Unselected Databases section, and then click OK.
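The following T-SQL is an added example and is not part of the ApsaraDB documentation. It assumes that the login you use on the RDS instance is allowed to read sys.databases and sys.dm_database_encryption_keys (an assumption about the instance's permission model), and that the downloaded full backup has been copied to a hypothetical path on the self-managed server. It serves both the precaution above (the transaction log stays partly encrypted after TDE is disabled) and the end of the disable procedure: first check the encryption state of each database on the RDS instance, then inspect the downloaded backup for a TDE thumbprint before you attempt the restore.

```sql
-- Added example (not from the ApsaraDB documentation).
-- Part 1: run on the RDS instance after removing a database from the
-- Selected Databases section. Assumes the login may read these DMVs.
SELECT d.name                 AS database_name,
       d.is_encrypted,
       k.encryption_state,
       CASE k.encryption_state
            WHEN 0 THEN 'no database encryption key present, not encrypted'
            WHEN 1 THEN 'unencrypted'
            WHEN 2 THEN 'encryption in progress'
            WHEN 3 THEN 'encrypted'
            WHEN 4 THEN 'key change in progress'
            WHEN 5 THEN 'decryption in progress'
            WHEN 6 THEN 'protection change in progress'
            ELSE 'no database encryption key row'   -- no DMV row for this database
       END                    AS encryption_state_desc,
       k.percent_complete,
       k.key_algorithm,
       k.key_length
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
WHERE d.database_id > 4                      -- user databases only
ORDER BY d.name;
-- A database that was just removed from TDE shows encryption_state = 5 while
-- the decryption scan runs, then 1 (or no DMV row once the key is dropped).
-- encryption_state = 1 only means the data-file scan has finished; the log
-- still contains encrypted records until the three log backups and one full
-- backup described in the precautions have been taken.

-- Part 2: run on the self-managed SQL Server after downloading the full backup.
-- The path is a hypothetical placeholder. RESTORE FILELISTONLY reads only the
-- backup header, so it works without any certificate. A NULL TDEThumbprint
-- column means the backup can be restored without the RDS instance's TDE
-- certificate; a non-NULL value means the backup was downloaded too early.
RESTORE FILELISTONLY
FROM DISK = N'C:\restore\rds_full.bak';
```

Check the TDEThumbprint column of the RESTORE FILELISTONLY result set before running RESTORE DATABASE; a restore attempted with a non-NULL thumbprint fails on a server that does not hold the matching certificate.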