You can use Transparent Data Encryption (TDE) to encrypt data files when they are written to disk and decrypt them when they are loaded from disk into memory. TDE does not increase the size of the data files, and developers do not need to modify applications to use it.
Prerequisites
- Only PolarDB for MySQL clusters of Cluster Edition or Single Node Edition support TDE. Archive Database Edition does not support TDE.
PolarDB for MySQL clusters of Cluster Edition and Single Node Edition must meet specific requirements. The following table describes the requirements based on the edition and version.
- Alibaba Cloud Key Management Service (KMS) is activated. For more information, see Activate KMS.
- ApsaraDB RDS is authorized to access KMS. For more information, see Authorize an ApsaraDB RDS for MySQL instance to access KMS.
Background information
TDE for PolarDB for MySQL uses the Advanced Encryption Standard (AES) algorithm with a key length of 256 bits. The keys that are used in TDE are generated and managed by KMS. PolarDB for MySQL does not provide keys or certificates. In some zones, you can use the keys that are automatically generated by Alibaba Cloud. You can also generate keys from your own key material and then authorize PolarDB for MySQL to use these keys.
Note
- In I/O-bound scenarios, TDE may adversely affect the performance of your databases.
- You cannot enable TDE for clusters that are connected to a global database network (GDN). Clusters for which TDE is enabled cannot be connected to a GDN.
Procedure
- After you enable TDE for a PolarDB cluster, the cluster is automatically restarted. Proceed with caution.
- After TDE is enabled, you cannot disable TDE.
Advanced settings

Encrypt and decrypt tables
Operation | ApsaraDB PolarDB MySQL-compatible edition 5.6 | ApsaraDB PolarDB MySQL-compatible edition 5.7 & ApsaraDB PolarDB MySQL-compatible edition 8.0 |
---|---|---|
Encryption | | |
Decryption | | |
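The following SQL is an added example, not part of the original page. It assumes that the MySQL 5.7- and 8.0-compatible editions accept the standard MySQL InnoDB `ENCRYPTION` table option (it does not cover the 5.6-compatible edition), and it shows how to encrypt a table and then audit for tables that are still stored unencrypted. The schema and table names are constructed placeholders.

```sql
-- Added example. Assumption: standard MySQL 5.7/8.0 InnoDB syntax applies
-- to the 5.7- and 8.0-compatible editions once TDE is enabled on the cluster.
-- tde_demo and customer_pii are constructed names.

CREATE DATABASE IF NOT EXISTS tde_demo;

CREATE TABLE IF NOT EXISTS tde_demo.customer_pii (
    id    BIGINT       NOT NULL PRIMARY KEY,
    email VARCHAR(255) NOT NULL
) ENGINE = InnoDB;

-- Encrypt an existing table. In MySQL this rebuilds the table, so run it
-- in a low-traffic window on large tables.
ALTER TABLE tde_demo.customer_pii ENCRYPTION = 'Y';

-- Create a table that is encrypted from the start.
CREATE TABLE IF NOT EXISTS tde_demo.payment_tokens (
    id    BIGINT        NOT NULL PRIMARY KEY,
    token VARBINARY(64) NOT NULL
) ENGINE = InnoDB ENCRYPTION = 'Y';

-- Audit: list InnoDB user tables that do NOT carry the ENCRYPTION='Y' option.
-- The single-character wildcard (_) matches either quote style that
-- CREATE_OPTIONS may use, for example ENCRYPTION="Y" or ENCRYPTION='Y'.
SELECT t.TABLE_SCHEMA,
       t.TABLE_NAME,
       t.CREATE_OPTIONS
FROM   INFORMATION_SCHEMA.TABLES AS t
WHERE  t.ENGINE = 'InnoDB'
  AND  t.TABLE_TYPE = 'BASE TABLE'
  AND  t.TABLE_SCHEMA NOT IN
       ('mysql', 'information_schema', 'performance_schema', 'sys')
  AND  (t.CREATE_OPTIONS IS NULL
        OR UPPER(t.CREATE_OPTIONS) NOT LIKE '%ENCRYPTION=_Y_%')
ORDER BY t.TABLE_SCHEMA, t.TABLE_NAME;

-- Decrypt a single table (the table-level reverse of the ALTER above).
ALTER TABLE tde_demo.customer_pii ENCRYPTION = 'N';
```

After the first `ALTER TABLE`, an empty result from the audit query means that every InnoDB user table carries the encryption option; any rows returned are tables to review.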