This topic describes how to configure disk encryption for an ApsaraDB RDS for PostgreSQL instance. Disk encryption is used to ensure data security.

Background information

Disk encryption protects your data that is stored on standard SSDS or enhanced SSDs (ESSDs) and eliminates the need to modify your business or application. In addition, ApsaraDB RDS automatically applies disk encryption to both the snapshots that are generated from the encrypted standard SSDS or ESSDs and to the standard SSDs or ESSDs that are created from those snapshots.

Disk encryption is free of charge. You do not need to pay for the read and write operations that you perform on the encrypted standard SSDs or ESSDs.


  • Your RDS instance is equipped with standard SSDs or ESSDs.
  • A customer master key (CMK) that is used for disk encryption is created. For more information, see the "Procedure" section of this topic. You can enable disk encryption for your RDS instance only when you create the RDS instance.


  • Disk encryption cannot be disabled after it is enabled.
  • Cross-region backups are not supported for RDS instances for which disk encryption is enabled.
  • After disk encryption is enabled, the snapshots that are generated by your RDS instance carry over the disk encryption settings. All new RDS instances with standard SSDs or ESSDs that are created from these snapshots also carry over the disk encryption settings.
  • If your Alibaba Cloud Key Management Service (KMS) is overdue, the standard SSDs or ESSDs of your RDS instance become unavailable. Make sure that your KMS works as normal. For more information, see What is KMS?
  • If you disable or delete the CMK that is used for disk encryption, your RDS instance cannot run as normal. For example, you cannot create snapshots, restore data from snapshots, or rebuild the secondary RDS instance of your RDS instance.


  1. Log on to the KMS console.
  2. In the top navigation bar, select the region where you want to create an RDS instance.
  3. Click Create Key.
  4. Configure the following parameters.
    Parameter Description
    KMS Instance The KMS instance that you use. KMS instances can be deployed in the VPC of a tenant to allow access over private networks.

    For more information, see Overview.

    Key Spec The type of the CMK. Valid values:
    • Symmetric:
      • Aliyun_AES_256
      • Aliyun_SM4
    • Asymmetric:
      • RSA_2048
      • RSA_3072
      • EC_P256
      • EC_P256K
      • EC_SM2
    Note Aliyun_SM4 and EC_SM2 types are supported only for regions in mainland China where managed hardware security modules (HSMs) are used.
    Purpose The purpose of the CMK. Valid values:
    • Encrypt/Decrypt: encrypts or decrypts data.
    • Sign/Verify: generates or verifies a digital signature.
    Alias Name The alias of the CMK, which helps identify the CMK. Aliases are optional to CMKs.

    For more information, see Overview.

    Protection Level The protection level of the CMK. Valid values:
    • Software: The CMK is protected by using a software module.
    • Hsm: The CMK is managed in an HSM, which is dedicated to safeguard the CMK.
    Description The description of the CMK.
    Rotation Period The interval of automatic rotation. Valid values:
    • 30 Days
    • 90 Days
    • 180 Days
    • 365 Days
    • Disable: Automatic rotation is disabled.
    • Customize: You can customize an interval that ranges from 7 days to 730 days.
    Note You can specify this parameter only when you set the Key Spec parameter to Aliyun_AES_256 or Aliyun_SM4.
  5. Click OK.
  6. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy. Then, the created RDS instance can access your cloud resources. This step is required only when you enable disk encryption for the first time.
    Note You can log on to the RAM console to check whether you have the permissions of the AliyunRDSInstanceEncryptionDefaultRole RAM role.
  7. Create an RDS instance. During this process, select Disk Encryption. For more information, see Create an ApsaraDB RDS for PostgreSQL instance.
    Note After the RDS instance is created, you can go to the Basic Information page of the instance and view the CMK that is used for disk encryption.