ApsaraDB for MongoDB:Enable Transparent Data Encryption (TDE)

Last Updated:Mar 24, 2026

Transparent Data Encryption (TDE) encrypts data as it is written to storage and decrypts it when it is read from storage. TDE does not increase the size of data files and requires no changes to your applications. To enhance data security, enable TDE for your instance in the ApsaraDB for MongoDB console.

Prerequisites

  • The instance is a replica set instance or a sharded cluster instance.

  • The storage engine of the instance is WiredTiger.

  • If the instance uses local SSDs, its database version must be 4.0 or 4.2.

  • If the instance uses cloud disks, its database version must be 4.4 or 5.0. If the database version is earlier, you can upgrade the major database version.

    Note

    Before enabling TDE, create a compatible pay-as-you-go instance to test application compatibility. You can release the instance after the test is complete.

  • You have enabled KMS.

If your instance does not meet the architecture or storage engine requirements, you can change the instance configuration.

Impact

  • Enabling TDE restarts the instance, which causes a transient connection interruption. Perform this operation during off-peak hours and ensure your application has a reconnection mechanism.

  • After you enable TDE, the CPU utilization of the instance increases.

  • To restore an encrypted collection to a self-managed database, you must use a logical backup, not a physical backup. For more information, see Restore data to a self-managed database by using a logical backup.

Considerations

  • Once enabled, TDE cannot be disabled.

  • A TDE-enabled instance that has been released cannot be restored from the Recycle Bin.

  • TDE is enabled at the instance level and supports only collection-level encryption. To encrypt individual fields, see Client-Side Field Level Encryption, which is available only for MongoDB 4.2 instances.

    Note

    If you have specific business requirements, you can specify that a collection is not encrypted when you create it. For more information, see Exclude a collection from encryption.

  • After you enable TDE, only newly created collections are encrypted. Existing collections remain unencrypted.

  • Key Management Service (KMS) generates and manages the keys used by TDE. ApsaraDB for MongoDB does not provide the keys or certificates required for encryption. For more information about KMS, see What is Key Management Service?

    Note

    Currently, only the default key of KMS is supported.

  • Key rotation is not supported. To change keys, you must migrate the data to a new instance by using Data Transmission Service (DTS). For more information about data migration, see Migrate data between ApsaraDB for MongoDB instances.

Procedure

  1. Go to the Replica Set Instances or Sharded Cluster Instances page, select a region and resource group in the top navigation bar, and then click the ID of the target instance.

  2. In the left-side navigation pane, click Data Security > TDE.

  3. Turn on the TDE Status switch.

  4. In the Enable TDE dialog box, choose a key generation method.

    • Use Automatically Generated Key: Use a system-generated key.

    • Use Custom Key: Select a key from the drop-down list. If the key you want to use is not listed, create one and then select it. For more information about how to create a key, see Create a key.

      Note

      For custom keys, only the default KMS key is currently supported.

  5. Click OK.

    The instance status changes to Updating TDE. The operation completes when the instance status changes back to Running.

Exclude a collection from encryption

After you enable TDE, all new collections are encrypted by default. You can, however, exclude a specific collection from encryption during its creation.

  1. Connect to the database instance with the mongo shell. For more information, see Connect to a replica set instance or Connect to a sharded cluster instance.

  2. Run the following command to create an unencrypted collection:

    • Syntax:

      db.createCollection("<collection_name>", { storageEngine: { wiredTiger: { configString: "encryption=(name=none)" } } })

      Note

      In the command, <collection_name> is the name of the collection to create.

    • Example:

      db.createCollection("customer", { storageEngine: { wiredTiger: { configString: "encryption=(name=none)" } } })