Transparent Data Encryption (TDE) allows you to perform real-time I/O encryption and decryption on data files. Data is encrypted before it is written to the disk and is decrypted when it is read from the disk to the memory. After you enable TDE for your PolarDB for MySQL cluster, the size of data files in your PolarDB for MySQL cluster does not increase. You can use TDE without the need to modify the configurations of your application.
- Only PolarDB for MySQL clusters of Cluster Edition or Single Node Edition support TDE. X-Engine Edition does not support TDE.
PolarDB for MySQL clusters of Cluster Edition and Single Node Edition must meet specific requirements. The following table describes the requirements based on PolarDB edition and MySQL versions.
| Edition | MySQL version | Support for TDE |
|---|---|---|
| Cluster Edition | 5.6 | The revision version must be V22.214.171.124.21 or later. |
| Cluster Edition | 5.7 | The revision version must be V126.96.36.199.3 or later. |
| Cluster Edition | 8.0 | The revision version must be V188.8.131.52.1 or later. |
| Single Node Edition | 5.6 | The revision version must be V184.108.40.206.21 or later. |
| Single Node Edition | 5.7 | The revision version must be V220.127.116.11.3 or later. |
| Single Node Edition | 8.0 | The revision version must be V18.104.22.168.1 or later. |
| X-Engine Edition | 8.0 | Not supported. |
- Key Management Service (KMS) is activated. For more information, see Purchase a dedicated KMS instance.
- ApsaraDB RDS is authorized to access KMS. For more information, see Authorize ApsaraDB RDS for MySQL to access KMS.
TDE for PolarDB for MySQL adopts the Advanced Encryption Standard (AES) algorithm. The key length is 256 bits. The keys that are used in TDE are generated and managed by KMS. PolarDB for MySQL does not provide keys or certificates. In some zones, you can use the keys that are automatically generated by Alibaba Cloud. You can also use your own key materials to generate keys. Then, authorize PolarDB for MySQL to use these keys.
- In I/O bound scenarios, TDE may adversely affect the performance of your databases.
- TDE can be enabled on clusters that have joined a global database network (GDN). After TDE is enabled on the primary cluster in a GDN, TDE is enabled on the secondary clusters in the GDN by default. The secondary clusters must use the same key as the primary cluster, and the key must reside in the same region as the primary cluster's key. The region of the key cannot be changed afterwards.
- You cannot enable TDE for the secondary clusters in a GDN.
- After you enable TDE for a PolarDB for MySQL cluster, the cluster is automatically restarted. Proceed with caution.
- After TDE is enabled, you cannot disable TDE.
- Log on to the PolarDB console.
- In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
- Find the cluster and click the cluster ID.
- In the left-side navigation pane, choose .
- On the TDE Settings tab, turn on TDE Status.
- In the Configure TDE dialog box, select Use Default Key of KMS or Use Existing Custom Key. Note: TDE supports the following keys. Enabling TDE takes approximately 10 minutes.
  - If you select Use Default Key of KMS, click OK.
  - If you select Use Existing Custom Key, select a key generated by KMS from the drop-down list and click OK. Note:
    - If you do not have a custom key, go to the KMS console, where you can create a key and import your own key material. For more information, see Create a CMK.
    - If you use an existing custom key for TDE, take note of the following information:
      - If you disable the key, schedule the key for deletion, or delete the key material, the key becomes unavailable.
      - If you revoke the authorization granted to a PolarDB for MySQL cluster, the cluster becomes unavailable after you restart it.
      - You must use an Alibaba Cloud account or an account that has the AliyunSTSAssumeRoleAccess permission.
Encrypt and decrypt tables
| Item | PolarDB for MySQL 5.6 | PolarDB for MySQL 5.7 and PolarDB for MySQL 8.0 |
|---|---|---|