MaxCompute allows you to use Key Management Service (KMS) to encrypt data at rest. This protection of stored data helps you meet enterprise governance and security compliance requirements. This topic describes the data encryption mechanism of MaxCompute, the limits of this mechanism, the procedure for enabling data encryption for a MaxCompute project, and the billing information.

Data encryption mechanism

MaxCompute uses customer master keys (CMKs) from KMS to encrypt or decrypt data based on the following data encryption mechanism:
  • Data encryption is enabled per MaxCompute project and uses CMKs from KMS to encrypt and decrypt the project's data. Before you enable the feature, make sure that KMS is activated in the region to which your MaxCompute project belongs: KMS keys are regional, and a project can use only CMKs from its own region.
  • You can create and manage a CMK in the KMS console to ensure the security of the CMK.
  • MaxCompute supports the AES-256, AES-CTR, and RC4 encryption algorithms. Choose AES-256 for new projects: RC4 is a broken stream cipher that should not be used to protect data, and AES-CTR provides confidentiality without any integrity protection, so stored ciphertext can be altered without detection.
  • MaxCompute can use either the DataWorks Default Key (a CMK that MaxCompute creates for the project) or a bring-your-own-key (BYOK) CMK to encrypt or decrypt data.
    • When you create a MaxCompute project, you can set Key to Dataworks Default Key in the MaxCompute console.

      MaxCompute automatically creates a key for the MaxCompute project in KMS and uses the key as the CMK of the project. You can view the key information in the KMS console.

    • To meet business and security requirements in different scenarios, MaxCompute can use BYOKs to encrypt or decrypt data.

      You can create BYOKs in the KMS console and select one as the CMK when you create a MaxCompute project. For more information about how to create a CMK in KMS, see CreateKey.

    • If a MaxCompute project needs to use a BYOK, you must complete Resource Access Management (RAM) authorization as prompted when you create the project.

Limits

The data encryption feature of MaxCompute has the following limits:
  • If the data encryption feature is enabled for a MaxCompute project, you can use a Hologres external table in the project to query data from a Hologres instance only of V1.1 or later.
  • You can enable the data encryption feature only for newly created projects. If you want to enable the data encryption feature for existing projects, submit a ticket to contact the MaxCompute team.
  • Disabling a CMK in KMS, or scheduling it for deletion, affects encryption and decryption in MaxCompute: once the change takes effect, the project's data can no longer be decrypted with that key. MaxCompute caches key configuration, so a change made in KMS takes effect with a delay of up to 24 hours. Do not treat that delay as a grace period for testing; before you disable or delete a CMK, make sure that no MaxCompute project still uses it, and note that deleting the CMK makes the encrypted data permanently unrecoverable.
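The two constraints above (the CMK must be in the project's region, and KMS key-state changes reach MaxCompute with a delay of up to 24 hours) are worth checking before you rely on a project's key. The following Python script is an added example, not part of the MaxCompute documentation or of Alibaba Cloud's own tooling: it interprets the KeyMetadata object returned by the KMS DescribeKey API and reports whether MaxCompute will keep being able to decrypt the project's data. The sample KeyMetadata objects are constructed, the key and account identifiers in them are placeholders, and the live lookup assumes the aliyun-python-sdk-kms package.

```python
"""Pre-flight check of the KMS customer master key (CMK) behind a MaxCompute project.

Added example; not part of the MaxCompute documentation or of Alibaba Cloud's
own tooling. It reads the KeyMetadata object that the KMS DescribeKey API
returns and reports whether MaxCompute can keep decrypting the project's data.
The sample KeyMetadata objects at the bottom are constructed, not real output.
"""
from datetime import datetime, timezone

CACHE_WINDOW_HOURS = 24  # MaxCompute applies KMS key changes within up to 24 h


def parse_kms_time(value):
    """KMS timestamps are ISO 8601 in UTC, e.g. 2024-05-01T08:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def region_of(arn):
    """acs:kms:<region>:<account>:key/<id>  ->  <region>"""
    return arn.split(":")[2]


def assess_cmk(key_metadata, project_region, now=None):
    """Return (ok, problems) for one KeyMetadata dict.

    ok is True only when MaxCompute can use the key now and no pending KMS
    change will break decryption once the cache window expires.
    """
    now = now or datetime.now(timezone.utc)
    problems = []

    key_region = region_of(key_metadata["Arn"])
    if key_region != project_region:
        problems.append(f"CMK is in {key_region}, project is in {project_region}; "
                        "a project can only use CMKs from its own region")

    if key_metadata.get("KeyUsage") != "ENCRYPT/DECRYPT":
        problems.append(f"KeyUsage is {key_metadata.get('KeyUsage')!r}; "
                        "a signing key cannot encrypt project data")

    state = key_metadata.get("KeyState")
    if state == "Enabled":
        pass
    elif state == "Disabled":
        problems.append(f"CMK is Disabled; MaxCompute decryption fails within "
                        f"{CACHE_WINDOW_HOURS} h of the change (possibly already)")
    elif state == "PendingDeletion":
        hours_left = (parse_kms_time(key_metadata["DeleteDate"]) - now).total_seconds() / 3600
        problems.append(f"CMK is PendingDeletion and is deleted in {hours_left:.0f} h; "
                        "cancel with CancelKeyDeletion or the encrypted data is lost for good")
    elif state == "PendingImport":
        problems.append("BYOK key material has not been imported yet")
    else:
        problems.append(f"unexpected KeyState {state!r}")

    return (not problems, problems)


def fetch_key_metadata(client, key_id):
    """Live lookup (assumed API of aliyun-python-sdk-kms; not exercised here).

    client is an aliyunsdkcore.client.AcsClient for the project's region.
    """
    import json
    from aliyunsdkkms.request.v20160120 import DescribeKeyRequest
    req = DescribeKeyRequest.DescribeKeyRequest()
    req.set_KeyId(key_id)
    return json.loads(client.do_action_with_exception(req))["KeyMetadata"]


# Constructed sample responses; the key ID and account ID are placeholders.
ENABLED_KEY = {
    "KeyId": "1234abcd-12ab-34cd-56ef-12345678****",
    "Arn": "acs:kms:cn-hangzhou:123456789012****:key/1234abcd-12ab-34cd-56ef-12345678****",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT/DECRYPT",
}
DOOMED_KEY = dict(ENABLED_KEY, KeyState="PendingDeletion", DeleteDate="2024-06-08T00:00:00Z")

if __name__ == "__main__":
    checked_at = parse_kms_time("2024-06-01T00:00:00Z")
    for key in (ENABLED_KEY, DOOMED_KEY):
        ok, problems = assess_cmk(key, "cn-hangzhou", now=checked_at)
        print(key["KeyState"], "OK" if ok else "; ".join(problems))
```

Run it against the output of `fetch_key_metadata` for every CMK that a MaxCompute project references, in the project's own region, as part of a change-control check before anyone touches the key in the KMS console. The region comparison is deliberately done on the key's ARN rather than on the client's endpoint so that a key looked up through the wrong regional endpoint is still caught.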

Procedure

To enable the data encryption feature for a MaxCompute project, perform the following steps:
  1. Log on to the Key Management Service console. On the Key Management Service page, read the terms of service, select Key Management Service Terms of Service, and then click Activate Now to activate KMS.
    Note You can skip this step if you have activated KMS in the region to which your project belongs.
  2. Log on to the DataWorks console. In the left-side navigation pane, click Workspaces.
  3. On the Workspaces page, select a region in the upper-left corner and click Create Workspace. In the Create Workspace panel, configure the parameters in the Basic Settings step and click Next. For more information, see Create a MaxCompute project.
  4. In the Select Engines and Services step, select MaxCompute in the Compute Engines section.
  5. In the Perform ODPS service account authorization message, click Authorization.
  6. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy.
  7. Close the Perform ODPS service account authorization message. In the Select Engines and Services step, select MaxCompute in the Compute Engines section again and click Next.
  8. Configure the parameters in the Engine Details step. In the Engine Details step, select Encryption for the Whether to encrypt parameter to enable the data encryption feature.
    The following parameters are configured in the Engine Details step when you create a workspace in basic mode. The Item column of the console table is MaxCompute for all of them.
      • Instance Display Name: The display name of the compute engine instance. The display name must be 3 to 27 characters in length, can contain only letters, digits, and underscores (_), and must start with a letter.
      • Resource Group: The resource group that provides the quotas of computing resources and disk space for the compute engine instance. For more information, see Use MaxCompute Management.
      • MaxCompute Data Type Edition: The data type edition of MaxCompute. Valid values: MaxCompute V2.0 Data Type Edition (Recommended), MaxCompute V1.0 Data Type Edition (Suitable for Early MaxCompute Projects), and Hive-Compatible Data Type Edition (Suitable for MaxCompute Projects Migrated from Hadoop). For more information, see Data type editions.
      • MaxCompute Project Name: The name of the MaxCompute project. If you create the DataWorks workspace in basic mode, the project name is automatically set to the workspace name. If you selected Standard Mode (Development and Production Environments) for Mode in the Basic Settings step, the project name in the Development Environment section is fixed to the workspace name with the suffix _dev, and the project name in the Production Environment section defaults to the workspace name and can be changed.
      • Account for Accessing MaxCompute: The identity that is used to access the MaxCompute project. In the development environment, the value is fixed to Node Owner. In the production environment, the valid values are Alibaba Cloud Account and RAM User.
      • Whether to encrypt: Specifies whether to enable the data encryption feature for the MaxCompute project. Select Encryption to enable it.
      • Key: The type of the key that is used in the MaxCompute project. Valid values: Dataworks Default Key and BYOK. If you select Dataworks Default Key, the key that MaxCompute automatically creates for the project in KMS is used. If you select BYOK, select a CMK that you created in KMS and complete the RAM authorization when prompted.
      • Algorithm: The encryption algorithm that is used with the key. Valid values: AES256, AESCTR, and RC4. Select AES256 unless a compatibility requirement forces another choice; RC4 is broken and AESCTR provides no integrity protection.
  9. Click Create Workspace.

    After the data encryption feature is enabled, MaxCompute automatically encrypts or decrypts data that is written to and read from the MaxCompute project.

Billing

You are not charged for enabling the data encryption feature for MaxCompute projects. During data encryption and decryption, MaxCompute calls KMS API operations, and you are charged for that KMS usage. For more information about billing, see Billing.