This topic describes the data encryption features of ApsaraDB RDS.

SSL

ApsaraDB RDS supports Secure Sockets Layer (SSL) for MySQL, SQL Server, and PostgreSQL. ApsaraDB RDS provides a server SSL certificate for each RDS instance. You can use the server SSL certificate of your RDS instance to determine whether the database service that you access by using a specific IP address and a specific port number is provided by your RDS instance. This can help defend against man-in-the-middle attacks. ApsaraDB RDS also allows you to enable and update the server SSL certificate for your RDS instance to ensure the security and validity of each server SSL certificate.

SSL can encrypt the connection between your application and your RDS instance only after you enable server authentication for your application. SSL consumes extra CPU resources. As a result, the throughput of your RDS instance decreases, and the responses of your RDS instance slow down. The severity of the impact varies based on the number of connections that are established and the frequency of data transmission.

For more information, see Configure SSL encryption for an ApsaraDB RDS instance.
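
The following added example is not part of the ApsaraDB RDS documentation. It audits PostgreSQL connection URIs for the server authentication described above, using the `sslmode` and `sslrootcert` parameters of libpq. The host name and CA file path are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# libpq sslmode -> (always encrypts, verifies CA chain, verifies host name)
SSLMODES = {
    "disable":     (False, False, False),
    "allow":       (False, False, False),  # TLS only if the server insists
    "prefer":      (False, False, False),  # libpq default; may fall back to plaintext
    "require":     (True,  False, False),
    "verify-ca":   (True,  True,  False),
    "verify-full": (True,  True,  True),
}

# Constructed sample URIs; host and CA path are placeholders, not real endpoints.
BASE = "postgresql://app@rds-instance.example.com:5432/orders"
SAMPLE_DSNS = [
    BASE,
    BASE + "?sslmode=require",
    BASE + "?sslmode=verify-ca&sslrootcert=/etc/ssl/rds-ca.pem",
    BASE + "?sslmode=verify-full&sslrootcert=/etc/ssl/rds-ca.pem",
]

def audit_dsn(dsn):
    """Return (verdict, reason) for one postgresql:// connection URI."""
    parts = urlsplit(dsn)
    if parts.scheme not in ("postgresql", "postgres"):
        return "error", "not a PostgreSQL connection URI"
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    mode = params.get("sslmode", "prefer")
    if mode not in SSLMODES:
        return "error", f"unknown sslmode {mode!r}"
    encrypts, checks_ca, checks_host = SSLMODES[mode]
    if not encrypts:
        return "fail", f"sslmode={mode} does not guarantee an encrypted connection"
    if not checks_ca:
        return "fail", f"sslmode={mode} does not ask libpq to verify the server certificate"
    if "sslrootcert" not in params:
        return "warn", "no sslrootcert given; libpq falls back to ~/.postgresql/root.crt"
    if not checks_host:
        return "warn", "CA chain is verified but the host name is not"
    return "pass", "server certificate and host name are both verified"

if __name__ == "__main__":
    for dsn in SAMPLE_DSNS:
        verdict, reason = audit_dsn(dsn)
        print(f"{verdict.upper():5} {reason}\n      {dsn}")
```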

TDE

ApsaraDB RDS provides Transparent Data Encryption (TDE) for MySQL, PostgreSQL, and SQL Server. TDE for MySQL and PostgreSQL is independently developed by Alibaba Cloud. TDE for SQL Server is developed based on SQL Server Enterprise Edition.

After TDE is enabled for your RDS instance, you can specify the database or table that you want to encrypt. The data of the specified database or table is encrypted before it is written to a device, such as a disk, an SSD, or a Peripheral Component Interconnect Express (PCIe) card, or to a service, such as Object Storage Service (OSS). This way, all data files and backup files of the specified database or table are stored in ciphertext in your RDS instance.

TDE uses the Advanced Encryption Standard (AES) algorithm. The key for TDE is encrypted and stored by Key Management Service (KMS). Your RDS instance reads the key only once when you start or migrate the instance. You can replace the key in the KMS console.

For more information, see Configure TDE encryption for an ApsaraDB RDS instance.

Disk encryption

ApsaraDB RDS provides the disk encryption feature for free for RDS instances that use standard SSDs or enhanced SSDs (ESSDs). After this feature is enabled for your RDS instance, all data on the disk is encrypted based on block storage. This way, your data cannot be deciphered even if it is leaked. This feature does not interrupt your workloads, and you can use it without modifying your application.

For more information, see Configure the disk encryption feature for an ApsaraDB RDS for MySQL instance.

Fully encrypted database

The fully encrypted database feature is provided by ApsaraDB RDS for PostgreSQL to ensure data security. If you enable and use the fully encrypted database feature for an ApsaraDB RDS for PostgreSQL instance, you can encrypt sensitive data columns in tables. This way, the sensitive data is transmitted, computed, and stored in ciphertext.

The fully encrypted database feature encrypts data on the client side before the data is uploaded to an RDS instance. This ensures that internal roles, such as cloud platform software and database administrators, cannot access the data in plaintext. The fully encrypted database feature is compatible with all other features of ApsaraDB RDS for PostgreSQL.