You can call the ModifyDBInstanceTDE operation to enable Transparent Data Encryption (TDE) for an ApsaraDB RDS instance.

TDE can perform real-time I/O encryption and decryption on data files. TDE encrypts data before the data is written to a disk, and decrypts data before the data is read from a disk and written to the memory. For more information, see ~~96121~~.

Before you call this operation, make sure that the following requirements are met:

  • Key Management Service (KMS) must be activated. If KMS is not activated, you can activate KMS when you enable TDE.
  • The instance must run one of the following database engine versions and RDS editions:
    • MySQL 8.0 (with a minor engine version of 20191015 or later) on RDS High-availability Edition with local SSDs
    • MySQL 5.7 (with a minor engine version of 20191015 or later) on RDS High-availability Edition with local SSDs
    • MySQL 5.6
    • SQL Server 2019 SE or an Enterprise Edition of SQL Server

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter | Type | Required | Example | Description

Action
  Type: String. Required: Yes. Example: ModifyDBInstanceTDE
  The operation that you want to perform. Set the value to ModifyDBInstanceTDE.

DBInstanceId
  Type: String. Required: Yes. Example: rm-uf6wjk5****
  The ID of the instance. You can call the DescribeDBInstances operation to query the IDs of instances.

TDEStatus
  Type: String. Required: Yes. Example: Enabled
  Specifies whether to enable TDE. Valid values:
    • Enabled
    • Disabled

DBName
  Type: String. Required: No. Example: testDB
  The name of the database for which you want to enable TDE. You can specify up to 50 database names in a single request. If you specify multiple database names, separate the database names with commas (,).
  Note: This parameter is available and must be specified only when the instance runs SQL Server 2019 SE or an Enterprise Edition of SQL Server.

EncryptionKey
  Type: String. Required: No. Example: 749c1df7-****-****-****-****
  The ID of the custom key.
  Note: This parameter is available only when the instance runs MySQL.

RoleArn
  Type: String. Required: No. Example: acs:ram::1406926****:role/aliyunrdsinstanceencryptiondefaultrole
  The Alibaba Cloud Resource Name (ARN) of the RAM role. A RAM role is a virtual identity that you can create within your Alibaba Cloud account. For more information, see RAM role overview.
  Note: This parameter is available only when the instance runs MySQL.

Certificate
  Type: String. Required: No. Example: oss-ap-southeast-1.aliyuncs.com:****:key.cer
  The file that contains the certificate. Format:
    • Public endpoint: oss-<The ID of the region>.aliyuncs.com:<The name of the bucket>:<The name of the certificate file> (The file name contains the extension.)
    • Internal endpoint: oss-<The ID of the region>-internal.aliyuncs.com:<The name of the bucket>:<The name of the certificate file> (The file name contains the extension.)
  Note:
    • This parameter is available only when the instance runs SQL Server 2019 SE or an Enterprise Edition of SQL Server.
    • You can call the DescribeRegions operation to query the most recent region list.

PrivateKey
  Type: String. Required: No. Example: oss-ap-southeast-1.aliyuncs.com:****:key.pvk
  The file that contains the private key of the certificate. Format:
    • Public endpoint: oss-<The ID of the region>.aliyuncs.com:<The name of the bucket>:<The name of the file that contains the private key> (The file name contains the extension.)
    • Internal endpoint: oss-<The ID of the region>-internal.aliyuncs.com:<The name of the bucket>:<The name of the file that contains the private key> (The file name contains the extension.)
  Note:
    • This parameter is available only when the instance runs SQL Server 2019 SE or an Enterprise Edition of SQL Server.
    • You can call the DescribeRegions operation to query the most recent region list.

PassWord
  Type: String. Required: No. Example: 1qaz@WSX
  The password of the certificate.
  Note: This parameter is available only when the instance runs SQL Server 2019 SE or an Enterprise Edition of SQL Server.

Response parameters

Parameter | Type | Example | Description

RequestId
  Type: String. Example: 777C4593-8053-427B-99E2-105593277CAB
  The ID of the request.

Examples

Sample requests

http(s)://rds.aliyuncs.com/?Action=ModifyDBInstanceTDE
&DBInstanceId=rm-uf6wjk5****
&TDEStatus=Enabled
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<ModifyDBInstanceTDEResponse>
    <RequestId>777C4593-8053-427B-99E2-105593277CAB</RequestId>
</ModifyDBInstanceTDEResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "ModifyDBInstanceTDEResponse" : {
    "RequestId" : "777C4593-8053-427B-99E2-105593277CAB"
  }
}
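The request parameters and the two response formats above, as an added example that is not part of this reference and not Alibaba Cloud SDK code: a small Python client-side check that builds a ModifyDBInstanceTDE parameter set against the documented constraints (the TDEStatus values, the engine-specific parameters, the 50-name DBName limit, and the OSS certificate and private-key file format), renders it as the query string shown in the sample request, and extracts RequestId from either response body. The engine labels "MySQL" and "SQLServer", the helper names, the bucket and file-name character classes in the regular expression, and all sample values are assumptions.

```python
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Documented limit on the number of database names in one DBName value.
MAX_DB_NAMES = 50

# Documented OSS file reference: oss-<region>.aliyuncs.com:<bucket>:<file.ext>,
# or oss-<region>-internal.aliyuncs.com:<bucket>:<file.ext> for the internal endpoint.
# The bucket and file-name character classes are assumptions.
OSS_FILE_RE = re.compile(
    r"^oss-(?P<region>[a-z0-9-]+?)(?P<internal>-internal)?\.aliyuncs\.com"
    r":(?P<bucket>[a-z0-9][a-z0-9-]{1,61}[a-z0-9])"
    r":(?P<name>[^:/]+\.[A-Za-z0-9]+)$"
)


class TDERequestError(ValueError):
    """A parameter combination that the reference documents as invalid."""


def parse_oss_file(value):
    """Split an OSS file reference into (region, is_internal, bucket, file_name)."""
    m = OSS_FILE_RE.match(value)
    if not m:
        raise TDERequestError(f"not an OSS file reference: {value!r}")
    return m["region"], m["internal"] is not None, m["bucket"], m["name"]


def build_modify_tde_params(db_instance_id, tde_status, engine, *, db_names=(),
                            encryption_key=None, role_arn=None, certificate=None,
                            private_key=None, password=None):
    """Return the ModifyDBInstanceTDE parameters, or raise TDERequestError.

    `engine` is "MySQL" or "SQLServer" (assumed labels, not API values).
    Parameters the reference restricts to one engine are rejected for the other,
    so a misconfigured call fails here instead of with a 400/403 from the service.
    """
    if tde_status not in ("Enabled", "Disabled"):
        raise TDERequestError(f"TDEStatus must be Enabled or Disabled, got {tde_status!r}")
    params = {
        "Action": "ModifyDBInstanceTDE",
        "DBInstanceId": db_instance_id,
        "TDEStatus": tde_status,
    }
    mysql_only = {"EncryptionKey": encryption_key, "RoleArn": role_arn}
    sqlserver_only = {"Certificate": certificate, "PrivateKey": private_key,
                      "PassWord": password}

    if engine == "SQLServer":
        for name, value in mysql_only.items():
            if value is not None:
                raise TDERequestError(f"{name} is available only when the instance runs MySQL")
        if not db_names:
            raise TDERequestError("DBName must be specified for SQL Server instances")
        if len(db_names) > MAX_DB_NAMES:
            raise TDERequestError(f"at most {MAX_DB_NAMES} database names per request")
        params["DBName"] = ",".join(db_names)
        for name, value in sqlserver_only.items():
            if value is None:
                continue
            if name != "PassWord":
                parse_oss_file(value)  # reject a malformed Certificate/PrivateKey reference locally
            params[name] = value
    elif engine == "MySQL":
        if db_names:
            raise TDERequestError("DBName is available only when the instance runs SQL Server")
        for name, value in sqlserver_only.items():
            if value is not None:
                raise TDERequestError(f"{name} is available only when the instance runs SQL Server")
        for name, value in mysql_only.items():
            if value is not None:
                params[name] = value
    else:
        raise TDERequestError(f"unsupported engine label {engine!r}")
    return params


def to_query_string(params):
    """Render the parameters as in the sample request.

    The common request parameters (AccessKeyId, Signature, Timestamp, ...) are
    not included; an SDK or OpenAPI Explorer appends and signs them.
    """
    return urlencode(params)


def request_id_from_response(content_type, body):
    """Extract RequestId from either documented response format.

    Keep this value in your logs: it is what support needs to trace a call.
    """
    if content_type.startswith("application/json"):
        doc = json.loads(body)
        return doc.get("ModifyDBInstanceTDEResponse", doc)["RequestId"]
    return ET.fromstring(body).findtext("RequestId")


if __name__ == "__main__":
    # Constructed sample: enable TDE on a MySQL instance with a custom KMS key ID.
    params = build_modify_tde_params("rm-uf6wjk5EXAMPLE", "Enabled", "MySQL",
                                     encryption_key="749c1df7-EXAMPLE-KEY-ID")
    print(to_query_string(params))
```

The rejections mirror the notes in the parameter table: EncryptionKey and RoleArn are only accepted for MySQL, and DBName, Certificate, PrivateKey and PassWord only for SQL Server. Whether a certificate, private key and password actually match each other can only be checked by the service (error code CertOrPrivateKeyOrPasswordNotMatched), so the check here stops at the file-reference format.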

Error codes

HTTP status code | Error code | Error message | Description

400 InvalidTDEstatus.Format
  Error message: The Specified TDEStatus is not valid.
  Description: The error message returned because the value of the TDEStatus parameter is invalid.

400 Invalid.PrivateKey
  Error message: The requested privateKey parameter is invalid.
  Description: The error message returned because the value of the PrivateKey parameter is invalid.

400 Invalid.Certificate
  Error message: The requested certificate parameter is invalid.
  Description: The error message returned because the value of the Certificate parameter is invalid.

400 CertOrPrivateKeyOrPasswordNotMatched
  Error message: The public certificate, private key, and password do not match.
  Description: The error message returned because the certificate, private key, and password do not match.

403 IncorrectDBInstanceType
  Error message: Current DB instance type does not support this operation.
  Description: The error message returned because this operation is not supported while the instance is in the current state.

403 IncorrectEngineVersion
  Error message: Current engine version does not support operations.
  Description: The error message returned because this operation is not supported for the database engine version that is run on the instance.

403 IncorrectDBInstanceLockMode
  Error message: Current DB instance lock mode does not support this operation.
  Description: The error message returned because the instance is locked.

403 IncorrectDBInstanceState
  Error message: Current DB instance state does not support this operation.
  Description: The error message returned because this operation is not supported while the instance is in the current state.

403 DBSizeExceeded
  Error message: Exceeding the allowed DB size of DB instance.
  Description: The error message returned because the size of the specified database exceeds the specified limit.

404 InvalidClusterKms
  Error message: this cluster not kms service.
  Description: The error message returned because KMS is not activated.

404 InvalidDBName.NotFound
  Error message: Specified one or more DB name does not exist or DB status does not support.
  Description: The error message returned because the name of the instance cannot be found.

For a list of error codes, visit the API Error Center.