Transparent Data Encryption (TDE) allows you to perform real-time I/O encryption and decryption on data files. Data is encrypted before it is written to the disk and is decrypted when it is read from the disk to the memory. After you enable TDE for your PolarDB for MySQL cluster, the size of data files in your PolarDB for MySQL cluster does not increase. You can use TDE without the need to modify the configurations of your application.

Prerequisites

  • Only PolarDB for MySQL clusters whose Edition is Cluster Edition or Single Node Edition support TDE. TDE is not supported by X-Engine Edition.

    PolarDB for MySQL clusters of Cluster Edition and Single Node Edition must meet specific requirements. The following table describes the requirements based on PolarDB edition and MySQL versions.

    EditionMySQL versionSupport for TDE
    Cluster Edition5.6The revision version must be V5.6.1.0.21 or later.
    5.7The revision version must be V5.7.1.0.3 or later.
    8.0The revision version must be V8.0.1.1.1 or later.
    Single Node Edition5.6The revision version must be V5.6.1.0.21 or later.
    5.7The revision version must be V5.7.1.0.3 or later.
    8.0The revision version must be V8.0.1.1.1 or later.
    X-Engine Edition8.0Not supported.
  • Key Management Service (KMS) is activated. For more information, see Purchase a dedicated KMS instance.
  • ApsaraDB RDS is authorized to access KMS. For more information, see Authorize ApsaraDB RDS for MySQL to access KMS.

Background information

TDE for PolarDB for MySQL adopts the Advanced Encryption Standard (AES) algorithm. The key length is 256 bits. The keys that are used in TDE are generated and managed by KMS. PolarDB for MySQL does not provide keys or certificates. In some zones, you can use the keys that are automatically generated by Alibaba Cloud. You can also use your own key materials to generate keys. Then, authorize PolarDB for MySQL to use these keys.

Precautions

  • In I/O bound scenarios, TDE may adversely affect the performance of your databases.
  • TDE can be enabled on clusters that have joined a global database network (GDN). After TDE is enabled on the primary cluster in a GDN, TDE is enabled on the secondary clusters in the GDN by default. The key used by the secondary clusters and the region for the key resides must be the same as the primary cluster. The region of the key cannot be modified.
  • You cannot enable TDE for the secondary clusters in a GDN.

Procedure

Important
  • After you enable TDE for a PolarDB for MySQL cluster, the cluster is automatically restarted. Proceed with caution.
  • After TDE is enabled, you cannot disable TDE.
  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the TDE Settings tab, turn on TDE Status.
    Enable TDE for a PolarDB for MySQL cluster
  6. In the Configure TDE dialog box, select Use Default Key of KMS or Use Existing Custom Key.
    Use a key that is automatically generated by Alibaba Cloud
    Note TDE supports the following keys: Aliyun_AES_256 and Aliyun_SM4.
    • In the dialog box that appears, select Use Default Key of KMS and click OK.
    • If you choose Use Existing Custom Key, select a key generated by KMS from the drop-down list and click OK. Custom key
      Note
      • If you do not have a custom key, you need to click go to the KMS console. In the KMS console, you can create a key and import your own key material. For more information, see Create a CMK.
      • If you use an existing custom key for TDE, take note of the following information:
        • If you disable the key, configure a plan to delete the key, or delete the key material, the key becomes unavailable.
        • If you revoke the authorization to a PolarDB for MySQL cluster, the cluster becomes unavailable after you restart the cluster.
        • You must use an Alibaba Cloud account or an account that has the AliyunSTSAssumeRoleAccess permission.
    It requires approximately 10 minutes to enable TDE.

Advanced settings

Note You can enable the Advanced Settings feature only when the cluster version is PolarDB for MySQL 8.0 and the minor kernel version is 8.0.1.1.15 or later.
When you enable TDE, you can enable the Advanced Settings feature in the Configure TDE dialog box. After this feature is enabled, all newly created tables are automatically encrypted. Enable advanced settings

Encrypt and decrypt tables

Note If you turn on Advanced Settings, created tables are automatically encrypted and you do not need to manually encrypt the created tables. For existing tables, you need to perform specific operations to encrypt data.
To encrypt or decrypt tables after you enable TDE, you must log on to the database and execute the relevant DDL statements. The following table lists the DDL statements that are executed to encrypt and decrypt tables in the PolarDB for MySQL cluster of different MySQL versions.
ItemPolarDB for MySQL 5.6PolarDB for MySQL 5.7 and PolarDB for MySQL 8.0
Encryption
alter table <tablename> block_format=encrypted;
alter table <tablename> encryption= 'Y';
Decryption
alter table <tablename> block_format=default;
alter table <tablename> encryption= 'N';
Note When you execute the preceding alter table statements to encrypt or decrypt a table, the table is locked.