ApsaraDB for Redis provides Transparent Data Encryption (TDE), which can be used to encrypt and decrypt Redis Database (RDB) files. You can enable TDE in the ApsaraDB for Redis console to allow the system to encrypt and decrypt RDB files. This improves data security and compliance.

Prerequisites

  • The instance is a performance-enhanced instance of the ApsaraDB for Redis Enhanced Edition (Tair). For more information about performance-enhanced instances, see Performance-enhanced instances.
  • The minor version of the instance is 1.7.1 or later. For more information about how to view and update the minor version, see Update the minor version.

Background information

TDE encrypts RDB files before they are written to disk and decrypts them when they are read from disk back into memory. TDE does not increase the size of RDB files, and it requires no changes to your client because encryption and decryption happen transparently on the server side.

Impacts

You cannot disable TDE after it is enabled. You must evaluate the impacts on your business before you enable TDE. Take note of the following impacts:

  • After TDE is enabled for an instance, the instance cannot be migrated across zones. For more information, see Migrate an instance across zones.
  • After TDE is enabled for an instance, the offline key analysis feature is not supported for the instance. For more information, see Offline key analysis.
  • After TDE is enabled for an instance, the instance cannot be converted into a child instance of a distributed instance. For more information, see Create a distributed instance.
  • After TDE is enabled for an instance, instance data cannot be migrated or synchronized by using Data Transmission Service (DTS) or redis-shake. For more information about redis-shake and DTS, see RedisShake and What is DTS?

Precautions

  • TDE can be enabled for an instance but not for a key or a database.
  • TDE encrypts RDB files that are written to disks, such as dump.rdb.
  • Key Management Service (KMS) generates and manages the keys used by TDE. For more information about KMS, see What is Key Management Service? ApsaraDB for Redis does not provide keys or certificates required for encryption.

Procedure

  1. Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance is deployed. Then, find the instance and click the instance ID.
  2. In the left-side navigation pane, click TDE Settings.
  3. Turn on the switch next to TDE Status to enable TDE.
    Note If an earlier minor version is used, the switch is dimmed. For more information about how to view and update the minor version, see Update the minor version.
  4. In the dialog box that appears, select Use Automatically Generated Key or Use Custom Key and then click OK.
    Figure 1. Select key type for enabling TDE
    Note
    • The first time you enable TDE for an instance within your Alibaba Cloud account, follow the instructions on the page to authorize the AliyunRdsInstanceEncryptionDefaultRole role. KMS can be used only after the authorization is complete.
    • For more information about how to create a custom key, see Create a CMK.
    When the instance state changes from Modifying TDE to Running, the configurations are complete.

Related API operations

Operation                     Description
ModifyInstanceTDE             Enables TDE for an ApsaraDB for Redis instance. You can use automatically generated keys or existing custom keys.
DescribeInstanceTDEStatus     Queries whether TDE is enabled for an ApsaraDB for Redis instance.
DescribeEncryptionKeyList     Queries the custom keys that are available for an ApsaraDB for Redis instance to use TDE.
DescribeEncryptionKey         Queries the details of a custom key for an ApsaraDB for Redis instance to use TDE.
CheckCloudResourceAuthorized  Queries whether an ApsaraDB for Redis instance has the permissions to use KMS.
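The API operations above are what you would call to audit encryption-at-rest across a fleet rather than checking each instance in the console. The following script is an added example, not Alibaba Cloud's own SDK code: it signs a classic RPC-style OpenAPI request with only the Python standard library, calls DescribeInstanceTDEStatus for each instance ID, and summarises which instances still write unencrypted RDB files. It assumes the r-kvstore endpoint r-kvstore.aliyuncs.com with API version 2015-01-01, and that the response carries a TDEStatus field whose value is "Enabled" or "Disabled"; the instance IDs and responses in the offline demonstration are constructed placeholders.

```python
"""Audit TDE status across ApsaraDB for Redis instances (added example).

Uses the standard library only. Endpoint, API version and the TDEStatus
response field are assumptions, not taken from the page.
"""
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
import urllib.request
import uuid

ENDPOINT = "https://r-kvstore.aliyuncs.com/"   # assumed endpoint
API_VERSION = "2015-01-01"                      # assumed API version


def percent_encode(value: str) -> str:
    """RFC 3986 encoding: only A-Z a-z 0-9 - _ . ~ stay unencoded."""
    return urllib.parse.quote(str(value), safe="~")


def string_to_sign(params: dict, method: str = "GET") -> str:
    """Build the canonical string the RPC signature is computed over."""
    canonical = "&".join(
        f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items())
    )
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical)}"


def sign_query(params: dict, access_key_secret: str, method: str = "GET") -> str:
    """Base64 HMAC-SHA1 over the canonical string, keyed with secret + '&'."""
    key = (access_key_secret + "&").encode()
    digest = hmac.new(key, string_to_sign(params, method).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_request_params(action: str, ak_id: str, ak_secret: str, **api_params) -> dict:
    """Common RPC parameters plus the API-specific ones, with Signature appended."""
    params = {
        "Action": action,
        "Version": API_VERSION,
        "Format": "JSON",
        "AccessKeyId": ak_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": str(uuid.uuid4()),
        "Timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        **api_params,
    }
    params["Signature"] = sign_query(params, ak_secret)
    return params


def describe_tde_status(instance_id: str, region_id: str, ak_id: str, ak_secret: str) -> dict:
    """Call DescribeInstanceTDEStatus for one instance (network call)."""
    params = build_request_params(
        "DescribeInstanceTDEStatus", ak_id, ak_secret,
        InstanceId=instance_id, RegionId=region_id,
    )
    url = ENDPOINT + "?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def tde_audit(responses: dict) -> dict:
    """Classify instances by the assumed TDEStatus field of their responses.

    `responses` maps instance ID -> parsed JSON body. Anything that is neither
    "Enabled" nor "Disabled" is reported as unknown so it is not silently
    counted as compliant.
    """
    report = {"encrypted": [], "unencrypted": [], "unknown": []}
    for instance_id, body in responses.items():
        status = str(body.get("TDEStatus", "")).lower()
        if status == "enabled":
            report["encrypted"].append(instance_id)
        elif status == "disabled":
            report["unencrypted"].append(instance_id)
        else:
            report["unknown"].append(instance_id)
    return report


if __name__ == "__main__":
    # Constructed sample responses; replace with describe_tde_status() calls.
    sample = {
        "r-INSTANCE-A": {"TDEStatus": "Enabled"},
        "r-INSTANCE-B": {"TDEStatus": "Disabled"},
        "r-INSTANCE-C": {"Code": "InvalidInstanceId.NotFound"},
    }
    print(json.dumps(tde_audit(sample), indent=2))
```

Because enabling TDE is irreversible, the script only reads status; a follow-up that calls ModifyInstanceTDE should be run deliberately per instance after the impacts listed above have been reviewed, and the "unknown" bucket should be investigated rather than ignored.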

FAQ

  • Q: How do I decrypt an encrypted RDB file?

    A: RDB files cannot be decrypted. You can restore the file to a new instance. After the restoration is complete, the data is automatically decrypted.

  • Q: Why is the data read by clients still displayed in plaintext?

    A: Only RDB files written to disks are encrypted. The data read by clients is read from memory and is not encrypted. That is why it is displayed in plaintext.