You can call the ModifyDBInstanceTDE operation to enable Transparent Data Encryption (TDE) for an ApsaraDB RDS instance.
TDE performs real-time I/O encryption and decryption of data files: data is encrypted before it is written to disk and decrypted when it is read from disk into memory. For more information, see the TDE documentation.
Before you call this operation, make sure that the following requirements are met:
- Key Management Service (KMS) must be activated. If KMS is not activated, you can activate KMS when you enable TDE.
- The instance must run one of the following database engine versions and RDS editions:
  - MySQL 8.0 (with a minor engine version of 20191015 or later) on RDS High-availability Edition with local SSDs
  - MySQL 5.7 (with a minor engine version of 20191015 or later) on RDS High-availability Edition with local SSDs
  - MySQL 5.6
  - SQL Server 2019 SE or an Enterprise Edition of SQL Server
Request parameters
Parameter | Type | Required | Example | Description |
---|---|---|---|---|
Action | String | Yes | ModifyDBInstanceTDE | The operation that you want to perform. Set the value to ModifyDBInstanceTDE. |
DBInstanceId | String | Yes | rm-uf6wjk5**** | The ID of the instance. You can call the DescribeDBInstances operation to query the IDs of instances. |
TDEStatus | String | Yes | Enabled | Specifies whether to enable TDE. Valid values: |
DBName | String | No | testDB | The name of the database for which you want to enable TDE. You can specify up to 50 database names in a single request. If you specify multiple database names, separate them with commas (,). Note: This parameter is available and must be specified only when the instance runs SQL Server 2019 SE or an Enterprise Edition of SQL Server. |
EncryptionKey | String | No | 749c1df7-****-****-****-**** | The ID of the custom key. Note: This parameter is available only when the instance runs MySQL. |
RoleArn | String | No | acs:ram::1406926****:role/aliyunrdsinstanceencryptiondefaultrole | The Alibaba Cloud Resource Name (ARN) of the RAM role. A RAM role is a virtual identity that you can create within your Alibaba Cloud account. For more information, see RAM role overview. Note: This parameter is available only when the instance runs MySQL. |
Certificate | String | No | oss-ap-southeast-1.aliyuncs.com:****:key.cer | The file that contains the certificate. Format: |
PrivateKey | String | No | oss-ap-southeast-1.aliyuncs.com:****:key.pvk | The file that contains the private key of the certificate. Format: |
PassWord | String | No | 1qaz@WSX | The password of the certificate. Note: This parameter is available only when the instance runs SQL Server 2019 SE or an Enterprise Edition of SQL Server. |
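The engine-specific rules in the table above are easy to get wrong from a script, so the following added example (not part of this page or of any Alibaba Cloud SDK) validates a ModifyDBInstanceTDE parameter set before it is sent. The function names and the "MySQL"/"SQLServer" engine labels are assumptions; the common request parameters are not built here.

```python
"""Added example (not from the page): client-side checks for ModifyDBInstanceTDE
parameters, derived from the parameter table above. The function names and the
"MySQL"/"SQLServer" engine labels are assumptions made for this illustration;
the common request parameters (signature, timestamp, nonce) are not built here.
"""
from urllib.parse import urlencode

RDS_ENDPOINT = "https://rds.aliyuncs.com/"
MAX_DB_NAMES = 50  # DBName accepts at most 50 comma-separated database names

# Parameters the page restricts to one engine. The page gives no engine note
# for Certificate and PrivateKey; grouping them with SQL Server is an assumption.
MYSQL_ONLY = {"EncryptionKey", "RoleArn"}
SQLSERVER_ONLY = {"DBName", "Certificate", "PrivateKey", "PassWord"}


def check_tde_params(engine, params):
    """Return the list of rule violations; an empty list means the request is consistent."""
    problems = []
    for name in ("Action", "DBInstanceId", "TDEStatus"):
        if not params.get(name):
            problems.append(f"{name} is required")
    for name in params:
        if name in MYSQL_ONLY and engine != "MySQL":
            problems.append(f"{name} is available only when the instance runs MySQL")
        elif name in SQLSERVER_ONLY and engine != "SQLServer":
            problems.append(f"{name} is available only when the instance runs SQL Server")
    if engine == "SQLServer":
        # DBName is mandatory on SQL Server 2019 SE / Enterprise Edition.
        names = [n for n in params.get("DBName", "").split(",") if n.strip()]
        if not names:
            problems.append("DBName must be specified for SQL Server instances")
        elif len(names) > MAX_DB_NAMES:
            problems.append(f"DBName lists {len(names)} databases; the limit is {MAX_DB_NAMES}")
    return problems


def build_tde_request(db_instance_id, engine, **optional):
    """Assemble the query string of the sample request below after validating it.

    Raises ValueError listing every violation so a caller sees all of them at once.
    """
    params = {"Action": "ModifyDBInstanceTDE", "DBInstanceId": db_instance_id,
              "TDEStatus": "Enabled", **optional}
    problems = check_tde_params(engine, params)
    if problems:
        raise ValueError("; ".join(problems))
    # Constructed URL; the common request parameters the page elides are omitted.
    return RDS_ENDPOINT + "?" + urlencode(params, safe="*:@/")
```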
Response parameters
Parameter | Type | Example | Description |
---|---|---|---|
RequestId | String | 777C4593-8053-427B-99E2-105593277CAB | The ID of the request. |
Examples
Sample requests

```
http(s)://rds.aliyuncs.com/?Action=ModifyDBInstanceTDE
&DBInstanceId=rm-uf6wjk5****
&TDEStatus=Enabled
&<Common request parameters>
```

Sample success responses

XML format

```xml
HTTP/1.1 200 OK
Content-Type:application/xml

<ModifyDBInstanceTDEResponse>
  <RequestId>777C4593-8053-427B-99E2-105593277CAB</RequestId>
</ModifyDBInstanceTDEResponse>
```

JSON format

```json
HTTP/1.1 200 OK
Content-Type:application/json

{
  "ModifyDBInstanceTDEResponse" : {
    "RequestId" : "777C4593-8053-427B-99E2-105593277CAB"
  }
}
```
Error codes
HTTP status code | Error code | Error message | Description |
---|---|---|---|
400 | InvalidTDEstatus.Format | The Specified TDEStatus is not valid. | The error message returned because the value of the TDEStatus parameter is invalid. |
400 | Invalid.PrivateKey | The requested privateKey parameter is invalid. | The error message returned because the value of the PrivateKey parameter is invalid. |
400 | Invalid.Certificate | The requested certificate parameter is invalid. | The error message returned because the value of the Certificate parameter is invalid. |
400 | CertOrPrivateKeyOrPasswordNotMatched | The public certificate, private key, and password do not match. | The error message returned because the certificate, private key, and password do not match. |
403 | IncorrectDBInstanceType | Current DB instance type does not support this operation. | The error message returned because this operation is not supported while the instance is in the current state. |
403 | IncorrectEngineVersion | Current engine version does not support operations. | The error message returned because this operation is not supported for the database engine version that is run on the instance. |
403 | IncorrectDBInstanceLockMode | Current DB instance lock mode does not support this operation. | The error message returned because the instance is locked. |
403 | IncorrectDBInstanceState | Current DB instance state does not support this operation. | The error message returned because this operation is not supported while the instance is in the current state. |
403 | DBSizeExceeded | Exceeding the allowed DB size of DB instance. | The error message returned because the size of the specified database exceeds the specified limit. |
404 | InvalidClusterKms | this cluster not kms service. | The error message returned because KMS is not activated. |
404 | InvalidDBName.NotFound | Specified one or more DB name does not exist or DB status does not support. | The error message returned because the name of the instance cannot be found. |
For a list of error codes, visit the API Error Center.