Configure TDE - User Guide| Alibaba Cloud Documentation Center

You can use Transparent Data Encryption (TDE) to encrypt data files when the files are written to disks and decrypt data files when the files are loaded to the memory from disks. If you use TDE, the sizes of the data files do not increase. Developers do not need to modify applications to use TDE.

Prerequisites

Only PolarDB for MySQL clusters whose Editions are Cluster Edition or Single Node Edition support TDE. TDE is not supported by Archive Database Edition.
PolarDB for MySQL clusters of the Cluster and Single Node versions must meet specific requirements. The following table describes the requirements based on the edition and version.
Alibaba Cloud Key Management Service (KMS) is activated. For more information, see Activate KMS.
ApsaraDB RDS is authorized to access KMS. For more information, see Authorize an ApsaraDB RDS for MySQL instance to access KMS.

Background information

TDE for PolarDB for MySQL adopts the Advanced Encryption Standard (AES) algorithm. The key length is 256 bits. The keys that are used in TDE are generated and managed by KMS. PolarDB for MySQL does not provide keys or certificates. In some zones, you can use the keys that are automatically generated by Alibaba Cloud. You can also use your own key materials to generate keys. Then, authorize PolarDB for MySQL to use these keys.

Note

In I/O bound scenarios, TDE may adversely affect the performance of your databases.
You cannot enable TDE for clusters that are connected to a global database network (GDN). Clusters for which TDE is enabled cannot be connected to a GDN.

Procedure

Notice

After you enable TDE for a PolarDB cluster, the cluster is automatically restarted. Proceed with caution.
After TDE is enabled, you cannot disable TDE.

Log on to the PolarDB console.
In the upper-left corner of the console, select the region where the cluster that you want to manage is deployed.
Find the cluster you want to manage and click the cluster ID.
In the left-side navigation pane, choose Settings and Management > Security Management.
On the TDE Settings tab, turn on TDE Status.
In the Configure TDE dialog box, select Use Default Key of KMS or Use Existing Custom Key.

Note TDE supports the following keys: Aliyun_AES_256 and Aliyun_SM4.
- In the dialog box that appears, select Use Default Key of KMS and click OK.
- If you choose Use Existing Custom Key, select a key generated by KMS from the drop-down list and click OK.
  Note
  
  If you do not have a custom key, click Create Custom Key. In the KMS console, create a key and import your key materials. For more information, see Create a CMK.
  
  When you use an existing custom key, you must take note of the following limits:
  
  If you disable a key, configure a key deletion plan, or delete the key materials, the key becomes unavailable.
  
  If you revoke the authorization to a cluster of the ApsaraDB PolarDB MySQL-compatible edition, the cluster becomes unavailable after you restart the cluster.
  
  You must use an Alibaba Cloud account or an account that has the AliyunSTSAssumeRoleAccess permission.
It requires approximately 10 minutes to enable TDE.

Advanced settings

Note You can enable the Advanced Settings feature only when the cluster version is PolarDB for MySQL 8.0 and the minor kernel version is 8.0.1.1.15 or later.

When you enable TDE, you can enable the Advanced Settings feature in the Configure TDE dialog box. After this feature is enabled, all newly created tables are automatically encrypted. Enable advanced settings

Encrypt and decrypt tables

Note If you turn on Advanced Settings, created tables are automatically encrypted and you do not need to manually encrypt the created tables. For existing tables, you need to perform specific operations to encrypt data.

To encrypt or decrypt MySQL tables after you enable TDE, you must log on to the database and execute the relevant DDL statements. The following table lists the DDL statements that are executed to encrypt and decrypt tables in the ApsaraDB PolarDB MySQL-compatible edition of different kernel versions.


Operation	ApsaraDB PolarDB MySQL-compatible edition 5.6	ApsaraDB PolarDB MySQL-compatible edition 5.7 & ApsaraDB PolarDB MySQL-compatible edition 8.0
Encryption	`alter table <tablename> block_format=encrypted;`	`alter table <tablename> encryption= 'Y';`
Decryption	`alter table <tablename> block_format=default;`	`alter table <tablename> encryption= 'N';`

Note When you execute the preceding alter table statements to encrypt or decrypt a table, the table is locked.