Disk encryption protects data at rest on PolarDB for MySQL clusters using Elastic Block Storage (EBS). Even if a data backup is leaked, its contents cannot be decrypted. The feature is free, requires no application changes, and automatically extends to all snapshots the cluster creates.
You can only enable disk encryption when you purchase a cluster. It cannot be enabled on an existing cluster and cannot be disabled after it is enabled. Evaluate this setting before purchasing.
Prerequisites
Before you begin, ensure that a PolarDB service-linked role named AliyunServiceRoleForPolarDB exists in your Alibaba Cloud account.
To check and create the role:
Log in to the RAM console with your Alibaba Cloud account. Go to Identity Management > Roles.
Check whether a role named AliyunServiceRoleForPolarDB appears in the list.

If it exists, no further action is needed.
If it does not exist, proceed to the next step.
Click Create Role. On the Create Role page, click Create Service Linked Role in the upper-right corner.

Set Trusted Service to AliyunServiceRoleForPolarDB, then click Create Service Linked Role.

Supported configurations
Disk encryption is available only on clusters with all of the following:
| Attribute | Supported values |
|---|---|
| Edition | Standard Edition |
| Instance type | General-purpose or Dedicated |
| CPU architecture | Yitian ARM or x86 |
| Storage class | PL0 ESSD, PL1 ESSD, PL2 ESSD, PL3 ESSD, or ESSD AutoPL disk |
Limitations
| Limitation | Details |
|---|---|
| Enable at purchase only | You can only enable disk encryption when you purchase a cluster. It cannot be enabled on an existing cluster. |
| Cannot be disabled | Once encryption is enabled, it cannot be turned off. |
| Default Service CMK only | Only the default service Customer Master Key (CMK) managed by Alibaba Cloud is supported. Custom Key Management Service (KMS) keys are not supported. |
| Snapshots inherit encryption | All snapshots created by the cluster, and all Standard Edition clusters restored from those snapshots, are automatically encrypted with the same setting. |
Billing
Disk encryption is free. There are no additional charges for read or write operations on encrypted disks.
Enable disk encryption
When purchasing a cluster that meets the supported configurations listed above:
Select a storage class.
Select Enable Disk Encryption.
For the key, select Default Service CMK.

Verify disk encryption status
Log in to the PolarDB console. In the left navigation pane, click Clusters. Select the region where your cluster resides, then click the cluster ID.
In the left navigation pane, click Settings and Management > Security.
Click the Cloud Drive Encryption tab. If the Data disk encryption status field shows Encrypted, disk encryption is active for the cluster.