
PolarDB: Configure TDE for a PolarDB for MySQL cluster

Last Updated: Mar 12, 2024

Transparent Data Encryption (TDE) allows you to perform real-time I/O encryption and decryption on data files. Data is encrypted before it is written to the disk and is decrypted when it is read from the disk to the memory. After you enable TDE for your PolarDB for MySQL cluster, the size of data files in your PolarDB for MySQL cluster does not increase. You can use TDE without the need to modify the configurations of your application.


  • Only PolarDB for MySQL clusters whose Edition is Cluster Edition support TDE.

    PolarDB for MySQL clusters of Cluster Edition must meet specific requirements. The following table describes the requirements based on PolarDB edition and MySQL versions.


    MySQL version

    Support for TDE

    Cluster Edition


    The revision version must be V5. or later.


    The revision version must be V5. or later.


    The revision version must be V8. or later.

  • Key Management Service (KMS) is activated. For more information, see Purchase a dedicated KMS instance.

  • ApsaraDB RDS is authorized to access KMS. For more information, see Authorize ApsaraDB RDS for MySQL to access KMS.

Background information

TDE for PolarDB for MySQL adopts the Advanced Encryption Standard (AES) algorithm. The key length is 256 bits. The keys that are used in TDE are generated and managed by KMS. PolarDB for MySQL does not provide keys or certificates. In some zones, you can use the keys that are automatically generated by Alibaba Cloud. You can also use your own key materials to generate keys. Then, authorize PolarDB for MySQL to use these keys.


  • In I/O bound scenarios, TDE may adversely affect the performance of your databases.

  • TDE can be enabled on clusters that have joined a global database network (GDN). After TDE is enabled on the primary cluster in a GDN, TDE is enabled on the secondary clusters in the GDN by default. The key used by the secondary clusters, and the region in which the key resides, must be the same as those of the primary cluster. The region of the key cannot be modified.

  • You cannot enable TDE for the secondary clusters in a GDN.


  • After you enable TDE for a PolarDB for MySQL cluster, the cluster is automatically restarted. Proceed with caution.

  • After TDE is enabled, you cannot disable TDE.

  1. Log on to the PolarDB console.

  2. In the top navigation bar, select the region in which the cluster that you want to manage is deployed.

  3. Find the cluster and click its ID.

  4. In the left-side navigation pane, choose Settings and Management > Security Management.

  5. On the TDE Settings tab, turn on TDE Status.


  6. In the Configure TDE dialog box, select Use Default Key of KMS or Use Existing Custom Key.

    Use a key that is automatically generated by Alibaba Cloud


    TDE supports the following keys: Aliyun_AES_256 and Aliyun_SM4.

    • In the dialog box that appears, select Use Default Key of KMS and click OK.

    • If you choose Use Existing Custom Key, select a key generated by KMS from the drop-down list and click OK.

      • If you do not have a custom key, you need to click go to the KMS console. In the KMS console, you can create a key and import your own key material. For more information, see Create a CMK.

      • If you use an existing custom key for TDE, take note of the following information:

        • If you disable the key, configure a plan to delete the key, or delete the key material, the key becomes unavailable.

        • If you revoke the authorization to a PolarDB for MySQL cluster, the cluster becomes unavailable after you restart the cluster.

        • You must use an Alibaba Cloud account or an account that has the AliyunSTSAssumeRoleAccess permission.

    It requires approximately 10 minutes to enable TDE.

Advanced settings


You can enable the Advanced Settings feature only when the cluster version is PolarDB for MySQL 8.0 and the minor kernel version is or later.

When you enable TDE, you can enable the Advanced Settings feature in the Configure TDE dialog box. After this feature is enabled, all newly created tables are automatically encrypted.

Encrypt and decrypt tables


If you turn on Advanced Settings, newly created tables are automatically encrypted and you do not need to encrypt them manually. Existing tables are not encrypted automatically; you must encrypt them yourself by using the statements described below.

To encrypt or decrypt tables after you enable TDE, you must log on to the database and execute the relevant DDL statements. The following table lists the DDL statements that are executed to encrypt and decrypt tables in the PolarDB for MySQL cluster of different MySQL versions.


| Operation | PolarDB for MySQL 5.6 | PolarDB for MySQL 5.7 and PolarDB for MySQL 8.0 |
| --- | --- | --- |
| Encrypt a table | alter table <tablename> block_format=encrypted; | alter table <tablename> encryption='Y'; |
| Decrypt a table | alter table <tablename> block_format=default; | alter table <tablename> encryption='N'; |

When you execute the preceding alter table statements to encrypt or decrypt a table, the table is locked.
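
Because existing tables stay unencrypted until the DDL above is run, and each statement locks its table, it helps to build the list of pending statements before a maintenance window. The following is an added example, not code from the PolarDB documentation: it turns rows from information_schema.TABLES into the version-specific statements listed above. It assumes that PolarDB for MySQL 5.7 and 8.0 report encryption in CREATE_OPTIONS the way stock MySQL does; the function names and sample rows are constructed for illustration.

```python
import re

# Inventory query that yields the input rows (standard information_schema columns).
INVENTORY_SQL = (
    "SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS, DATA_LENGTH "
    "FROM information_schema.TABLES "
    "WHERE TABLE_TYPE = 'BASE TABLE' AND ENGINE = 'InnoDB'"
)
SYSTEM_SCHEMAS = {"mysql", "sys", "information_schema", "performance_schema"}
# Assumption: as in stock MySQL, an encrypted table shows ENCRYPTION="Y" (5.7)
# or ENCRYPTION='Y' (8.0) in CREATE_OPTIONS.
ENCRYPTED = re.compile(r"""ENCRYPTION=["']Y["']""", re.IGNORECASE)

def quote_ident(name):
    """Backtick-quote an identifier so unusual names cannot break the DDL."""
    return "`" + name.replace("`", "``") + "`"

def encrypt_clause(version):
    """Clause from the table above: 5.6 uses block_format, 5.7/8.0 use encryption."""
    if version == "5.6":
        return "block_format=encrypted"
    if version in ("5.7", "8.0"):
        return "encryption='Y'"
    raise ValueError("unsupported MySQL version: " + version)

def plan_encryption(rows, version):
    """Return ALTER statements for user tables that still need encryption."""
    clause = encrypt_clause(version)
    detect = version != "5.6"  # encrypted state is not detected for 5.6 here
    pending = []
    for schema, table, options, size in rows:
        if schema.lower() in SYSTEM_SCHEMAS:
            continue
        if detect and ENCRYPTED.search(options or ""):
            continue  # already encrypted, no table lock needed
        pending.append((size or 0, schema, table))
    pending.sort()  # smallest tables first, so the shortest locks come first
    return ["alter table %s.%s %s;" % (quote_ident(s), quote_ident(t), clause)
            for _size, s, t in pending]

# Constructed sample rows: (schema, table, create_options, data_length).
SAMPLE_ROWS = [
    ("shop", "orders", "", 5000),
    ("shop", "cards", "ENCRYPTION='Y'", 100),
    ("shop", "we`ird", None, 10),
    ("mysql", "user", "", 1),
    ("shop", "logs", 'row_format=DYNAMIC ENCRYPTION="Y"', 7),
]

if __name__ == "__main__":
    for stmt in plan_encryption(SAMPLE_ROWS, "8.0"):
        print(stmt)
```

Run the inventory query again after the statements complete; a table that still appears in the plan was not encrypted.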