ApsaraDB for MongoDB: Disk encryption

Last Updated: Jun 08, 2026

Disk encryption protects data at rest on your instance without requiring application changes.

Prerequisites

  • Storage type: ESSD Cloud Disk.

  • Instance family: dedicated.

  • Architecture: replica set or sharded cluster.

Billing

Disk encryption is free. KMS charges apply per KMS 1.0 billing.

Considerations

  • Disk encryption can only be enabled at instance creation and cannot be disabled later.

  • Snapshots and instances derived from an encrypted instance are automatically encrypted.

  • If your Key Management Service (KMS) account has overdue payments, disks cannot be decrypted and the instance becomes unavailable. Keep your KMS key valid to avoid service disruptions.

  • Disabling or deleting a KMS key disrupts operations such as configuration changes, snapshot creation and restoration, and secondary node rebuilds.

  • Only default KMS keys are supported.

  • Restoring an encrypted instance from the recycle bin requires its associated KMS key to be available.
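The key-availability considerations above can be checked ahead of time. The following is an added example, not code from the ApsaraDB documentation: it flags encrypted instances whose KMS key is not in the Enabled state and lists the operations this page says would be affected. The key records are constructed and assume the KeyMetadata shape of a KMS DescribeKey response; the instance records, IDs and field names are hypothetical.

```python
import json

# Operations the page says are disrupted when the KMS key is disabled or deleted.
DISRUPTED_OPS = ("configuration changes", "snapshot creation and restoration",
                 "secondary node rebuilds")

# Constructed sample data. Key records mimic the KeyMetadata object of a KMS
# DescribeKey response (assumed shape); instance records are hypothetical.
KEYS_JSON = """[
  {"KeyId": "key-aaa-constructed", "KeyState": "Enabled"},
  {"KeyId": "key-bbb-constructed", "KeyState": "Disabled"},
  {"KeyId": "key-ccc-constructed", "KeyState": "PendingDeletion"}
]"""
INSTANCES = [
    {"id": "dds-example-1", "key_id": "key-aaa-constructed", "in_recycle_bin": False},
    {"id": "dds-example-2", "key_id": "key-bbb-constructed", "in_recycle_bin": False},
    {"id": "dds-example-3", "key_id": "key-ccc-constructed", "in_recycle_bin": True},
    {"id": "dds-example-4", "key_id": "key-ddd-constructed", "in_recycle_bin": False},
]


def audit(instances, keys_json):
    """Return one finding per encrypted instance whose key is not usable."""
    states = {k["KeyId"]: k.get("KeyState", "Unknown") for k in json.loads(keys_json)}
    findings = []
    for inst in instances:
        # A key absent from the inventory is treated as deleted ("Missing").
        state = states.get(inst["key_id"], "Missing")
        if state == "Enabled":
            continue
        if inst["in_recycle_bin"]:
            # Restoring from the recycle bin requires the key to be available.
            impact = ["restore from recycle bin"]
        else:
            impact = list(DISRUPTED_OPS)
        findings.append({"instance": inst["id"], "key": inst["key_id"],
                         "key_state": state, "blocked": impact})
    return findings


if __name__ == "__main__":
    for f in audit(INSTANCES, KEYS_JSON):
        print(f"{f['instance']}: key {f['key']} is {f['key_state']}; "
              f"blocked: {', '.join(f['blocked'])}")
```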

Enable disk encryption

  1. Go to the ApsaraDB for MongoDB purchase page.

  2. Set the following encryption parameters on the purchase page.

    Parameter and description:

      • StorageType: Select ESSD Cloud Disk. Only ESSD supports disk encryption.

      • Encryption Type: Select Disk Encryption.

      • Service-linked Role: A service-linked role is required for disk encryption. If already created, the status shows Created. Otherwise, click Create Service-Linked Role.

      • Encryption Key: Select a KMS key for disk encryption. If no KMS key exists in the current region, create a key in the KMS console. Note: Only default KMS keys are supported.

    For other parameters, see Create a replica set instance or Create a sharded cluster instance.