You can use the disk encryption feature to encrypt data disks based on block storage. Snapshots that are created from encrypted disks and disks that are created from the snapshots are automatically encrypted. This provides maximum protection for data stored in the disks. Disk encryption does not affect your business workloads. You do not need to modify the code of your application. This topic describes how to enable the disk encryption feature for an ApsaraDB for MongoDB instance.
Prerequisites
The instance for which you want to enable the disk encryption feature is a replica set or sharded cluster instance that uses enhanced SSDs (ESSDs).
Billing
You can use the disk encryption feature free of charge. However, you are charged for Key Management Service (KMS). For information about the pricing of KMS, see Billing of KMS.
Usage notes
You can enable the disk encryption feature for an instance only when you create the instance. You cannot disable the feature after it is enabled.
After you enable the disk encryption feature for your ApsaraDB for MongoDB instance, the snapshots that are created for your instance and the disks that are created from the snapshots are automatically encrypted.
If you have overdue payments for KMS within your Alibaba Cloud account, disks that are created from the snapshots cannot be decrypted. This way, your ApsaraDB for MongoDB instance becomes unavailable. Make sure that the customer master key (CMK) that is used for disk encryption is normal. For more information about KMS, see What is Key Management Service?
If you disable or delete the CMK, your ApsaraDB for MongoDB instance cannot run as expected. For example, you cannot modify configurations, create snapshots, restore data from snapshots, or rebuild the secondary instance of your instance.
After you release an ApsaraDB for MongoDB instance for which the disk encryption feature is enabled, all data stored in the instance is immediately deleted, and the instance cannot be recycled. Proceed with caution.
Enable the disk encryption feature for an instance
Go to the ApsaraDB for MongoDB buy page.
Configure the parameters described in the following table.
Parameter
Description
Storage Type
The storage type of the instance. You must select ESSD storage type for the instance. Only ESSDs support the disk encryption feature.
Encryption Type
The encryption type of the instance. Select Encryption.
Service-linked Role
The Resource Access Management (RAM) role that only the linked Alibaba Cloud service can assume. A service-linked role is required to use the disk encryption feature. If you have already created a service-linked role, Created is displayed on the buy page. If you have not created a service-linked role, click Create Service-linked Role.
Encryption Key
The CMK that is used for disk encryption.
If no CMK exists in the current region, you can create a CMK in the KMS console. For more information, see Create a CMK.
For more information about parameters that you must configure to create an instance and how to create an instance, see Create a replica set instance or Create a sharded cluster instance.