
ApsaraDB RDS:Configure TDE

Last Updated:Apr 18, 2024

We recommend that you use the Transparent Data Encryption (TDE) feature for your ApsaraDB RDS for SQL Server instance in scenarios such as security compliance or data-at-rest encryption. This topic describes how to use TDE to perform real-time I/O encryption and decryption on data files and ensure that sensitive data is encrypted before it is written to a disk and is decrypted when it is read from a disk to the memory. This prevents attackers from bypassing databases to read sensitive information from storage and improves the security of sensitive data in databases. After TDE is enabled for your RDS instance, the size of data files in the instance does not increase. You can use TDE without the need to modify the configurations of your application.

Prerequisites

The RDS instance meets all of the following conditions:

  • The instance runs SQL Server 2019 SE, SQL Server 2022 SE, or SQL Server EE.

  • The instance belongs to the general-purpose or dedicated instance family. The shared instance family is not supported.

Note
  • Read-only RDS instances do not support this feature.

  • If you want to use Bring Your Own Keys (BYOKs), obtain the certificate, private key, and password that are used for encryption and decryption in advance.
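The certificate, private key, and password that the BYOK option asks for are the three pieces that SQL Server's BACKUP CERTIFICATE statement produces. The following T-SQL is an added example, not part of the ApsaraDB documentation, and assumes you run it on a self-managed SQL Server that you control; the certificate name, file paths, and passwords are constructed placeholders.

```sql
-- Added example (not from the ApsaraDB documentation): produce the BYOK material
-- (certificate file, private key file, and private key password) on a
-- self-managed SQL Server. All names, paths and passwords are placeholders.
USE master;
GO

-- A database master key (DMK) in master is required before a certificate with a
-- private key can be created. Create it only if it does not exist yet.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
BEGIN
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';
END;
GO

-- The certificate whose key will protect the database encryption keys.
-- Keep the expiry date well beyond the planned lifetime of the encrypted data.
CREATE CERTIFICATE TDE_BYOK_Cert
    WITH SUBJECT     = 'TDE certificate for ApsaraDB RDS BYOK',
         EXPIRY_DATE = '2030-12-31';
GO

-- Export the certificate (.cer) and its private key (.pvk). The password given
-- under ENCRYPTION BY PASSWORD is the "Password" value the console asks for
-- next to the two uploaded files; without it the private key cannot be loaded.
BACKUP CERTIFICATE TDE_BYOK_Cert
    TO FILE = 'C:\tde\TDE_BYOK_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\tde\TDE_BYOK_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<strong private key password>'
    );
GO

-- Record the thumbprint: after TDE is enabled on the RDS instance, it should
-- appear as encryptor_thumbprint in sys.dm_database_encryption_keys.
SELECT name, thumbprint, expiry_date
FROM sys.certificates
WHERE name = 'TDE_BYOK_Cert';
```

The two exported files are what you upload to the OSS bucket in step 1 of "Encrypt with own SQL Server key"; any backup of an encrypted database can only be restored elsewhere if this certificate, private key, and password are still available.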

Usage notes

  • You cannot disable TDE after it is enabled for an RDS instance. You can enable or disable TDE for a database based on your business requirements.

  • If you use a service key that is provided by Alibaba Cloud for an RDS instance and enable TDE for the RDS instance, you must disable TDE for the RDS instance before you restore the data of the RDS instance to a self-managed database. For more information, see Disable TDE.

    Note

    After you disable TDE, some transaction logs are still encrypted. The backup files that are downloaded cannot be used to restore the data of the RDS instance. In this case, wait until three log backups and one full backup are complete on the RDS instance. Then, download the most recent full backup file that is generated. This full backup file contains the decrypted data of the RDS instance. For more information, see Database Encryption in SQL Server 2008 Enterprise Edition. For more information about how to configure a backup policy, see Back up an ApsaraDB RDS for SQL Server instance.

  • After you enable TDE for an RDS instance, the CPU utilization of the RDS instance significantly increases.

Limits

Enable TDE

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Data Security.

  3. On the TDE tab, turn on the switch next to Disabled.

    Note

    You can enable TDE only when your RDS instance meets all of the conditions specified in the "Prerequisites" section.

  4. In the dialog box that appears, select a key type and click OK.

    Use the key automatically generated by Alibaba Cloud

    Select databases from the Unselected Databases section, click the icon to move the selected databases to the Selected Databases section, and then click Confirm.

    Encrypt with own SQL Server key

    1. Upload the certificate file and the private key file to your OSS bucket. For more information, see Upload objects.

    2. Click Next step and configure the following parameters.

      • OSS Bucket: the OSS bucket in which the certificate file and the private key file are stored.

      • Certificate: the certificate file that you uploaded to the OSS bucket.

      • Private key: the private key file that you uploaded to the OSS bucket.

      • Password: the password of your own SQL Server key.

    3. Click Next step to go to the Authorization database step.

      Select databases from the Unselected Databases section, click the icon to move the selected databases to the Selected Databases section, and then click Confirm.

Disable TDE

After TDE is enabled for an RDS instance, TDE cannot be disabled. To disable TDE for a database, you can remove the database from the Selected Databases section.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Data Security.

  3. Click the TDE tab. Then, click TDE Settings.

  4. Select databases from the Selected Databases section, click the icon to move the selected databases to the Unselected Databases section, and then click OK.

Note

After you disable TDE, some transaction logs are still encrypted. The backup files that are downloaded cannot be used to restore the data of the RDS instance. In this case, wait until three log backups and one full backup are complete on the RDS instance. Then, download the most recent full backup file that is generated. This full backup file contains the decrypted data of the RDS instance. For more information, see Database Encryption in SQL Server 2008 Enterprise Edition. For more information about how to configure a backup policy, see Back up an ApsaraDB RDS for SQL Server instance.

References