To prevent risks such as unauthorized access, data leaks, data interception, and data tampering, ApsaraMQ for RocketMQ allows you to encrypt messages during storage and transmission.
Storage encryption
Working mechanism
ApsaraMQ for RocketMQ allows you to encrypt messages on brokers. When a client sends messages to a broker, you can use the disk encryption feature of ApsaraMQ for RocketMQ to persistently store the messages in encrypted form. When a client subscribes to messages, ApsaraMQ for RocketMQ decrypts the messages that it reads from the disks and returns the original messages to the client.
For more information, see Overview.
After you enable the disk encryption feature for an ApsaraMQ for RocketMQ instance, the instance can still provide stable services even though the read and write performance of the instance may be slightly degraded.
Limits
Instance versions
Only ApsaraMQ for RocketMQ 5.x instances support the disk encryption feature.
Regions
The disk encryption feature is available in the following regions: China (Hangzhou), China (Shenzhen), China (Beijing), China (Shanghai), China (Zhangjiakou), China (Qingdao), China (Hong Kong), China (Hohhot), China (Chengdu), China (Ulanqab), China (Guangzhou), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Japan (Tokyo), Philippines (Manila), South Korea (Seoul), Thailand (Bangkok), Germany (Frankfurt), US (Silicon Valley), UK (London), and US (Virginia).
Keys
Only symmetric keys whose specification is Aliyun_AES_256 or Aliyun_SM4 and whose usage is ENCRYPT/DECRYPT are supported.
Billing rules
The following billing rules apply to the disk encryption feature of ApsaraMQ for RocketMQ:
ApsaraMQ for RocketMQ
You are charged only for the ApsaraMQ for RocketMQ 5.x Enterprise Platinum Edition instance.
Key Management Service (KMS)
You are charged for the KMS instance of the hardware key management or software key management type. For more information, see Billing.
Usage notes
After you enable the disk encryption feature for an ApsaraMQ for RocketMQ instance, you cannot disable the feature. The key used for encryption must be in the Available state to prevent read and write failures caused by the expiration of the KMS instance.
If you delete or disable the key that is used for disk encryption, the key becomes unavailable. This causes read and write failures of messages on the ApsaraMQ for RocketMQ instance. To prevent issues caused by key loss, we recommend that you check whether a key is used by cloud resources before you delete or disable the key.
The deletion of the acs:rocketmq:instance-encryption tag of a key can also cause read and write failures of messages on the ApsaraMQ for RocketMQ instance.
Take note that if keys become invalid due to operations that you perform, you are responsible for the risk that data stored on the associated cloud disks may not be restored.
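A pre-flight check for the key limits and the tag dependency described above, added here as an example that is not part of the original page: it parses constructed responses shaped like KMS DescribeKey and ListResourceTags output (field names, the key state value Enabled, and the key and instance IDs are assumptions) and lists everything that would prevent or break disk encryption before you touch the key.

```python
import json

# Constraints stated in the ApsaraMQ for RocketMQ disk-encryption documentation.
SUPPORTED_SPECS = {"Aliyun_AES_256", "Aliyun_SM4"}
REQUIRED_USAGE = "ENCRYPT/DECRYPT"
ROCKETMQ_TAG = "acs:rocketmq:instance-encryption"

# Constructed sample responses (assumed shape of KMS DescribeKey / ListResourceTags output;
# key ID and tag value are placeholders, not real identifiers).
DESCRIBE_KEY_JSON = """{"KeyMetadata": {"KeyId": "key-example-0001",
 "KeyState": "Enabled", "KeySpec": "Aliyun_AES_256", "KeyUsage": "ENCRYPT/DECRYPT"}}"""
LIST_TAGS_JSON = """{"Tags": {"Tag": [{"TagKey": "acs:rocketmq:instance-encryption",
 "TagValue": "rmq-example-instance"}]}}"""


def check_key(describe_json: str, tags_json: str) -> list[str]:
    """Return the problems that would block or break RocketMQ disk encryption.

    An empty list means the key has a supported spec and usage, is usable,
    and still carries the tag that binds it to a RocketMQ instance.
    """
    meta = json.loads(describe_json)["KeyMetadata"]
    tags = {t["TagKey"]: t["TagValue"] for t in json.loads(tags_json)["Tags"]["Tag"]}
    problems = []
    if meta.get("KeySpec") not in SUPPORTED_SPECS:
        problems.append(f"unsupported key spec {meta.get('KeySpec')!r}")
    if meta.get("KeyUsage") != REQUIRED_USAGE:
        problems.append(f"key usage must be {REQUIRED_USAGE}, got {meta.get('KeyUsage')!r}")
    # A disabled or pending-deletion key makes broker reads and writes fail.
    if meta.get("KeyState") != "Enabled":
        problems.append(f"key state is {meta.get('KeyState')!r}, not Enabled")
    # Removing this tag breaks reads and writes too, so its absence is a finding.
    if ROCKETMQ_TAG not in tags:
        problems.append(f"tag {ROCKETMQ_TAG} missing: key not bound to a RocketMQ instance")
    return problems


def key_in_use_by_rocketmq(tags_json: str) -> bool:
    """True when the key is still tagged as a RocketMQ disk-encryption key: do not disable or delete it."""
    tags = json.loads(tags_json)["Tags"]["Tag"]
    return any(t["TagKey"] == ROCKETMQ_TAG for t in tags)


if __name__ == "__main__":
    print("problems:", check_key(DESCRIBE_KEY_JSON, LIST_TAGS_JSON))
    print("in use by RocketMQ:", key_in_use_by_rocketmq(LIST_TAGS_JSON))
```

Run it against the real DescribeKey and ListResourceTags output for a key before you disable, delete, or untag it.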
Enable the disk encryption feature
You can enable the disk encryption feature for an ApsaraMQ for RocketMQ instance only when you create the instance.
The following steps show only how to enable the disk encryption feature for an ApsaraMQ for RocketMQ instance. For information about how to create an ApsaraMQ for RocketMQ instance, see Create an instance.
Set the Product Type parameter to Message Queue for Apache RocketMQ 5.0 (Subscription) or Message Queue for RocketMQ 5.0 (Pay-as-you-go) and the Primary Edition parameter to Enterprise Platinum Edition.
Set the Disk Encryption parameter to Enable and specify a disk encryption key. For information about how to create a disk encryption key, see Manage a key.
Transmission encryption
Description
ApsaraMQ for RocketMQ allows you to use Transport Layer Security (TLS) 1.2 to authenticate brokers on clients. This ensures the security of data transmission between brokers and clients.
Version and protocol mappings
The following table describes the compatibility among broker versions, protocols, and client versions.
Broker version | Protocol | Compatibility | TLS
ApsaraMQ for RocketMQ 5.x | gRPC v2 | Compatible | By default, this feature is enabled. You can disable the feature only on clients that use the SDK for Java 5.0.5 or later.
ApsaraMQ for RocketMQ 5.x | Remoting | Compatible | By default, this feature is disabled. If you want to use the feature, you must manually enable the feature on the client.
ApsaraMQ for RocketMQ 4.x | Remoting | Compatible | By default, this feature is disabled. If you want to use the feature, you must manually enable the feature on the client and submit a ticket to enable the feature on the broker.
ApsaraMQ for RocketMQ 4.x | gRPC v1 | Compatible | By default, this feature is enabled. You can manually disable the feature on clients.
ApsaraMQ for RocketMQ 4.x | HTTP | Compatible | By default, this feature is enabled.
Enable the TLS feature on clients
Clients that use the ApsaraMQ for RocketMQ SDK for Java
In the Java Virtual Machine (JVM) startup parameters, add the -Dtls.enable=true setting.
Note: If the version of your ApsaraMQ for RocketMQ instance is 4.x, you must also submit a ticket to enable the TLS feature on the broker.
Clients that use the Remoting protocol
SDK for Java
Solution 1: In the JVM startup parameters, add the -Dtls.enable=true setting.
Solution 2: In the message sending code, add the producer.setUseTLS(true); setting. In the message consumption code, add the consumer.setUseTLS(true); setting.
SDK for C++
In the message sending code, add the producer.setEnableSsl(true); setting. In the message consumption code, add the consumer.setEnableSsl(true); setting.
Note: If your ApsaraMQ for RocketMQ instance is of version 4.x, you must also submit a ticket to enable the TLS feature on the broker.
Clients that use the gRPC protocol
By default, the TLS feature is enabled. If you use a client that uses the SDK for Java V5.0.5 or later, you can set the enableSsl parameter to false to disable the feature.

ClientConfiguration clientConfiguration = ClientConfiguration.newBuilder()
    .setEndpoints(endpoints)
    // On some Windows platforms, you may encounter SSL compatibility issues. If SSL is not essential,
    // try turning off the SSL option in the client configuration to solve the problem.
    .enableSsl(false)
    .setCredentialProvider(sessionCredentialsProvider)
    .build();