This topic describes the data encryption features in ApsaraDB for MongoDB.
ApsaraDB for MongoDB provides Secure Sockets Layer (SSL). You can prevent man-in-the-middle
attacks by using the server root certificate to verify whether the destination database
is an ApsaraDB for MongoDB instance. ApsaraDB for MongoDB also allows you to enable
and update SSL certificates for servers to ensure data security and validity. For
more information about how to set SSL, see Configure SSL encryption for an ApsaraDB for MongoDB instance
Notice Although ApsaraDB for MongoDB can encrypt the connection between an application and
a database, SSL cannot run properly until the application authenticates the server.
In addition, SSL consumes extra CPU resources and affects the throughput and response
time of ApsaraDB for MongoDB instances to a certain degree. The specific impact varies
depending on the number of user connection times and the data transfer frequency.
ApsaraDB for MongoDB provides Transparent Data Encryption (TDE). TDE adopts the Advanced
Encryption Standard (AES) algorithm. The key for TDE is encrypted and stored by KMS.
ApsaraDB for MongoDB dynamically reads the key only once when the instance is started
or migrated. You can log on to the Key Management Service console and replace the
After TDE is enabled for an ApsaraDB for MongoDB instance, the data of the specified
database or collection is encrypted before being written to any device such as an
HDD, SSD, or PCIe card, or to any service such as OSS. Therefore, data files and backups
of the instance are all in ciphertext. For more information about how to set TDE,
see Configure TDE for an ApsaraDB for MongoDB instance.