ApsaraDB for MongoDB: Configure TDE for an ApsaraDB for MongoDB instance

Last Updated: Dec 26, 2023

Transparent Data Encryption (TDE) performs real-time I/O encryption and decryption on data files. Data is encrypted before it is written to the disk and is decrypted when it is read from the disk into memory. TDE does not increase the sizes of data files, and you do not need to modify your application to use it. To improve data security, you can enable TDE for an instance in the ApsaraDB for MongoDB console to encrypt instance data.


  • The instance is a replica set or sharded cluster instance.

  • The instance uses WiredTiger as the storage engine.

  • The instance uses local disks to store data.

  • The instance runs MongoDB 4.0 or 4.2. If the database engine version of the instance is earlier than MongoDB 4.0, upgrade the database version. For more information, see Upgrade the major version of an ApsaraDB for MongoDB instance.


    Before you enable TDE, you can create a pay-as-you-go instance of MongoDB 4.0 or 4.2 to test the compatibility between your application and the database version. You can release the instance after you complete the test.

If the architecture or storage engine of your instance does not meet the preceding requirements, you can create a new instance that does and migrate the data of the original instance to the new instance. For more information, see Overview.


  • When you enable TDE, your instance is restarted, and your application is disconnected from the instance. We recommend that you enable TDE during off-peak hours and make sure that your application can reconnect to the instance after it is disconnected.

  • After TDE is enabled, the CPU utilization of your instance increases.

  • You cannot restore TDE-encrypted collections to a self-managed database by using physical backup. To restore TDE-encrypted collections to a self-managed database, you can use logical backup. For more information, see Restore data of an ApsaraDB for MongoDB instance to a self-managed MongoDB database by using logical backup.


  • You cannot disable TDE after it is enabled.

  • After you enable TDE for an instance, the instance cannot be restored from the recycle bin if the instance is released.

  • TDE can be enabled only at the instance level, and it encrypts data only at the collection level. To encrypt individual fields, you must perform manual operations, which are supported only in MongoDB 4.2. For more information, see Explicit (Manual) Client-Side Field Level Encryption.


    When you create a collection, you can disable encryption for the collection. For more information, see the "Disable encryption for a specified collection" section of this topic.

  • After you enable TDE, only new collections are encrypted. Existing collections are not encrypted.

  • Key Management Service (KMS) generates and manages the keys used by TDE. ApsaraDB for MongoDB does not provide keys or certificates required for encryption. For more information about KMS, see What is Key Management Service?.


  1. Log on to the ApsaraDB for MongoDB console.

  2. In the left-side navigation pane, click Replica Set Instances or Sharded Cluster Instances based on the instance type.

  3. In the upper-left corner of the page, select the resource group and region to which the instance belongs.

  4. Click the ID of an instance, or click the More icon in the Actions column corresponding to the instance and select Manage.

  5. In the left-side navigation pane of the instance details page, choose Data Security > TDE.

  6. Turn on the switch next to TDE Status.

  7. In the Enable TDE dialog box, select a key generation method.

    • Use Automatically Generated Key: uses a key automatically generated by the system.

    • Use Custom Key: selects a custom key from the drop-down list. If no custom keys are displayed in the drop-down list, create a custom key and then select the key. For more information about how to create a custom key, see Create a CMK.

  8. Click OK.

    The instance enters the Modifying TDE state. When the instance state changes to Running, TDE is enabled.

Disable encryption for a specified collection

After you enable TDE, all new collections are encrypted. When you create a collection, you can perform the following steps to disable encryption for the collection:

  1. Connect to the replica set instance or sharded cluster instance by using the mongo shell. For more information, see Connect to a replica set instance by using the mongo shell or Connect to a sharded cluster ApsaraDB for MongoDB instance by using the mongo shell.

  2. Create a collection with encryption disabled.

    • Syntax:

      db.createCollection("<collection_name>",{ storageEngine: { wiredTiger: { configString: "encryption=(name=none)" } } })

      In the syntax, collection_name indicates the name of the collection.

    • Example:

      db.createCollection("customer",{ storageEngine: { wiredTiger: { configString: "encryption=(name=none)" } } })
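
Because a collection can be created with encryption=(name=none), it is useful to audit which collections have opted out of TDE. The following is an added example, not code from the ApsaraDB for MongoDB documentation: it parses the configString of each entry returned by db.getCollectionInfos() and lists the collections that disable encryption. The function names and the sample data are assumptions made for illustration.

```javascript
// Split a WiredTiger config string on top-level commas, keeping "(...)" groups whole.
function splitTopLevel(config) {
  const parts = [];
  let depth = 0;
  let start = 0;
  for (let i = 0; i < config.length; i++) {
    if (config[i] === "(") depth++;
    else if (config[i] === ")") depth--;
    else if (config[i] === "," && depth === 0) {
      parts.push(config.slice(start, i));
      start = i + 1;
    }
  }
  parts.push(config.slice(start));
  return parts.map((p) => p.trim()).filter((p) => p.length > 0);
}

// Return the encryption name set in a configString, or null when none is set.
function encryptionName(configString) {
  for (const part of splitTopLevel(configString || "")) {
    const m = /^encryption\s*=\s*\((.*)\)$/.exec(part);
    if (!m) continue;
    for (const kv of splitTopLevel(m[1])) {
      const [key, value = ""] = kv.split("=").map((s) => s.trim());
      if (key === "name") return value;
    }
  }
  return null;
}

// Names of collections (views skipped) created with encryption=(name=none).
function findEncryptionOptOuts(collectionInfos) {
  return collectionInfos
    .filter((info) => info.type !== "view")
    .filter((info) => {
      const engine = (info.options || {}).storageEngine || {};
      return encryptionName((engine.wiredTiger || {}).configString) === "none";
    })
    .map((info) => info.name);
}

// Constructed sample in the shape returned by db.getCollectionInfos().
const optOut = { wiredTiger: { configString: "encryption=(name=none)" } };
const sampleInfos = [
  { name: "customer", type: "collection", options: { storageEngine: optOut } },
  { name: "orders", type: "collection", options: {} },
  { name: "orders_view", type: "view", options: { viewOn: "orders", pipeline: [] } },
];
// In the mongo shell: printjson(findEncryptionOptOuts(db.getCollectionInfos()))
console.log(findEncryptionOptOuts(sampleInfos));
```

This check finds only explicit opt-outs. Collections that existed before TDE was enabled are also unencrypted and carry no such marker in their creation options, so track them separately.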