Transparent Data Encryption (TDE) encrypts your database files at the storage layer in real time. Data is encrypted before being written to disk and decrypted when read into memory — your applications connect and query as usual, with no code changes required.
How TDE works
TDE uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key. Encryption and decryption happen at the I/O level: the database engine handles both operations transparently.
Key management is handled through Alibaba Cloud Key Management Service (KMS). Choose between two key types before enabling TDE:
| Key type | Who manages it | Cost | Best for |
|---|---|---|---|
| Service key | Alibaba Cloud (automatic) | No charge | Simplest setup; no compliance requirements on key ownership |
| Custom key | You, via KMS | KMS key fees apply | Full control over key lifecycle (rotation, disabling, deletion); regulatory compliance |
Prerequisites
Before you begin, make sure that:
Your cluster meets the minimum minor engine version:

| Product series | Database engine | Minimum minor engine version |
|---|---|---|
| Cluster Edition | MySQL 5.6 | 5.6.1.0.21 |
| Cluster Edition | MySQL 5.7 | 5.7.1.0.3 |
| Cluster Edition | MySQL 8.0.1, MySQL 8.0.2 | 8.0.1.1.1 |
| Standard Edition | MySQL 5.7 | 5.7.1.0.3 |
| Standard Edition | MySQL 8.0.1, MySQL 8.0.2 | 8.0.1.1.1 |

TDE cannot be enabled for serverless clusters running MySQL 8.0.2.

If you plan to use a custom key, you also need:
An active Alibaba Cloud KMS instance
PolarDB authorized to access KMS (Authorize PolarDB to access KMS)
An Alibaba Cloud account or Resource Access Management (RAM) user with the AliyunSTSAssumeRoleAccess permission
Billing
| Fee type | Details |
|---|---|
| Storage | TDE does not increase data file size. No additional storage fees apply. |
| Service key | No charge. |
| Custom key | No PolarDB charges. KMS key fees apply. |
Limitations
Review these limitations before enabling TDE:
Irreversible: TDE cannot be disabled after it is enabled.
Cluster restart required: Enabling TDE restarts the cluster, causing a brief service interruption (approximately 10 minutes). Schedule this during off-peak hours.
Performance impact: In I/O-intensive scenarios, encryption and decryption consume a small amount of CPU resources and may slightly affect database performance.
Serverless restriction: TDE cannot be enabled for serverless clusters running MySQL 8.0.2.
Custom key risk: If your custom key becomes unavailable, the cluster becomes unavailable at the next restart. See Custom key risk for details.
Global Database Network (GDN): Enabling TDE on the primary cluster automatically enables it on all secondary clusters. All clusters in the GDN share the same key, which resides in the primary cluster's region. You cannot enable TDE on a secondary cluster independently, and the key's region cannot be changed.
Enable TDE
Enabling TDE restarts the cluster and cannot be undone. Proceed with caution.
Log on to the PolarDB console. In the left navigation pane, click Settings and Management > Security. On the TDE Settings tab, turn on the TDE Status switch.

In the dialog box, select a key type:
Service Key (Automatically Generated by Alibaba Cloud): Click OK. No additional configuration is required.
Use Existing Custom Key: Select a key from the drop-down list and click OK. If no keys are listed, create a key in KMS first.
When creating a KMS key for TDE, select either the Aliyun_AES_256 or Aliyun_SM4 encryption algorithm. TDE only supports these two algorithms.
Wait for TDE to finish enabling. The process takes approximately 10 minutes and restarts the cluster.
(Optional) Auto-encrypt new tables
To encrypt all tables created after TDE is enabled, turn on the Advanced Settings switch when enabling TDE.
This setting is available on:
PolarDB for MySQL 8.0 with minor engine version 8.0.1.1.15 or later
PolarDB for MySQL 5.7 with minor engine version 5.7.1.0.35 or later
Encrypt existing tables
Enabling TDE does not automatically encrypt tables that already exist. Run ALTER TABLE to encrypt them manually.
The table is locked and cannot be read from or written to while ALTER TABLE runs.

| Database version | Encrypt a table | Decrypt a table |
|---|---|---|
| MySQL 5.6 | ALTER TABLE <table_name> BLOCK_FORMAT=ENCRYPTED; | ALTER TABLE <table_name> BLOCK_FORMAT=DEFAULT; |
| MySQL 5.7, MySQL 8.0 | ALTER TABLE <table_name> ENCRYPTION = 'Y'; | ALTER TABLE <table_name> ENCRYPTION = 'N'; |
Verify encryption status
Run SHOW CREATE TABLE <table_name>; to check whether a table is encrypted.
MySQL 5.7, MySQL 8.0: The table is encrypted if the output contains ENCRYPTION='Y'.
MySQL 5.6: The table is encrypted if the output contains BLOCK_FORMAT=ENCRYPTED.
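The following is an added example, not part of the PolarDB documentation, that walks through the "Encrypt existing tables" and "Verify encryption status" steps above in one session: find tables that are still unencrypted, encrypt one, and confirm the result. It assumes a PolarDB for MySQL 5.7 or 8.0 cluster on which TDE is already enabled, and a hypothetical schema `app` with a table `customer`. The audit query relies on `information_schema.TABLES.CREATE_OPTIONS` reporting `ENCRYPTION="Y"` for encrypted InnoDB tables, as community MySQL 5.7 and 8.0 do; that PolarDB exposes the same column content is an assumption.

```sql
-- Added example (not from the PolarDB documentation).
-- Assumes: TDE enabled on a MySQL 5.7/8.0 cluster; hypothetical schema `app`
-- and table `app.customer`.

-- 1. Audit: list InnoDB tables in the schema that are not yet encrypted.
--    Assumption: CREATE_OPTIONS contains ENCRYPTION="Y" for encrypted tables,
--    as in community MySQL 5.7/8.0.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
FROM information_schema.TABLES
WHERE TABLE_SCHEMA = 'app'
  AND ENGINE = 'InnoDB'
  AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION="Y"%';

-- 2. Encrypt one existing table. The table is locked for reads and writes
--    while this statement runs, so schedule it in a maintenance window.
ALTER TABLE app.customer ENCRYPTION = 'Y';

-- 3. Verify: the output must now contain ENCRYPTION='Y'.
SHOW CREATE TABLE app.customer;

-- MySQL 5.6 equivalents use BLOCK_FORMAT instead of ENCRYPTION:
-- ALTER TABLE app.customer BLOCK_FORMAT=ENCRYPTED;
-- SHOW CREATE TABLE app.customer;   -- look for BLOCK_FORMAT=ENCRYPTED

-- 4. New tables can declare encryption explicitly in the DDL, so they are
--    protected even if the console's auto-encrypt setting was left off.
CREATE TABLE app.audit_log (
  id         BIGINT NOT NULL AUTO_INCREMENT PRIMARY KEY,
  event      VARCHAR(255) NOT NULL,
  created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
) ENGINE=InnoDB ENCRYPTION='Y';
```

Re-run the audit query from step 1 after the ALTER TABLE; `app.customer` should no longer appear. Because the statement locks the table for its full duration, apply it table by table rather than in one batch across a large schema.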
Custom key risk
When using a custom key, the key's availability directly determines cluster availability. The cluster becomes unavailable if any of the following occur:
The key is disabled in KMS
Key deletion is scheduled in KMS
Key material is deleted in KMS
PolarDB's authorization to access KMS is revoked
FAQ
What is the impact of enabling TDE on my business?
Enabling TDE restarts the cluster, which causes a brief service interruption. Schedule the operation during off-peak hours. For I/O-intensive workloads, expect a small performance overhead from encryption and decryption operations.
What security problem does TDE solve?
TDE protects data at rest on disk. It prevents unauthorized users from reading database files directly from storage — for example, if physical media is removed or storage files are accessed outside the database engine. The protection is fully transparent to applications.
Can I require RAM users to enable TDE when creating a cluster?
Yes. Configure a RAM policy to enforce TDE enablement when RAM users create a cluster via the console or API.
What's next
API reference
| API | Description |
|---|---|
| DescribeDBClusterTDE | Query TDE settings for a PolarDB cluster |
| DescribeUserEncryptionKeyList | List custom keys for a PolarDB cluster |
| CheckKMSAuthorized | Check whether a KMS key exists |
| ModifyDBClusterTDE | Enable TDE for a PolarDB cluster |