To meet security and compliance requirements, you can use the transparent data encryption (TDE) feature. TDE performs real-time I/O encryption and decryption on data files at the storage layer. Data is encrypted before it is written to disk and decrypted when it is read from the disk into memory. This process is transparent to applications, which lets you encrypt your data without modifying your application code.
Introduction
The TDE feature of PolarDB is based on the Advanced Encryption Standard (AES) algorithm with a key length of 256 bits, which ensures strong data security.
The key management for TDE relies on Alibaba Cloud Key Management Service (KMS). You can choose one of the following two methods to manage keys:
Service key: This key is automatically created and managed by Alibaba Cloud. This method is convenient and requires no additional configuration.
Custom key: You can create your own key in KMS and grant PolarDB permission to use it. This method gives you full control over the key and its lifecycle, such as key rotation, disabling, and deletion, to meet stringent compliance requirements.
Prerequisites
Your PolarDB for MySQL cluster must meet the following requirements for the minor engine version:
Product series | Database engine | Minor engine version |
Cluster Edition | MySQL 5.6 | 5.6.1.0.21 or later |
Cluster Edition | MySQL 5.7 | 5.7.1.0.3 or later |
Cluster Edition | MySQL 8.0.1, MySQL 8.0.2 | 8.0.1.1.1 or later |
Standard Edition | MySQL 5.7 | 5.7.1.0.3 or later |
Standard Edition | MySQL 8.0.1, MySQL 8.0.2 | 8.0.1.1.1 or later |
Note: TDE cannot be enabled for serverless clusters that run MySQL 8.0.2.
If you plan to use a custom key, you must also meet the following conditions:
You have activated Alibaba Cloud Key Management Service (KMS).
You have authorized PolarDB to access KMS.
You must use an Alibaba Cloud account or a Resource Access Management (RAM) user that has the AliyunSTSAssumeRoleAccess permission to perform this operation.
Billing description
Storage fees: TDE does not increase the size of data files and does not incur additional storage fees.
Key fees:
Using a service key: No fees are charged.
Using a custom key: No fees are charged for PolarDB, but you will incur key-related fees for Key Management Service (KMS).
Precautions
Impact on the source cluster:
This feature cannot be disabled after it is enabled. Before you enable this feature, carefully evaluate your business requirements and the potential impacts.
Enabling TDE causes the cluster to restart, which interrupts your services. We recommend that you perform this operation during off-peak hours.
In I/O-intensive (IO-bound) scenarios, enabling TDE may slightly affect database performance.
Custom key: When you use a custom key, the availability of the key directly affects the availability of the cluster.
Operations such as disabling the key, scheduling key deletion, or deleting key material in KMS will make the key unavailable.
If you revoke the authorization for PolarDB to access KMS, the cluster becomes unavailable after it is restarted.
Global database network (GDN): TDE can be enabled for clusters in a global database network (GDN).
After TDE is enabled on the primary cluster, it is automatically and synchronously enabled on all secondary clusters. All clusters in the GDN use the same key, which resides in the same region as the primary cluster. The region of the key cannot be modified.
You cannot enable TDE for a secondary cluster in a GDN separately.
Operation guide
Step 1: Enable TDE encryption for the cluster
Enabling TDE causes the cluster to restart. This feature cannot be disabled after it is enabled. Proceed with caution.
Log on to the PolarDB console. In the navigation pane on the left, click . On the TDE Settings tab, turn on the TDE Status switch.

In the dialog box that appears, select a key type:
Select Service Key (Automatically Generated by Alibaba Cloud) and click OK. No additional configuration is required.
Select Use Existing Custom Key. Select a key that you created in KMS from the drop-down list and click OK. If no keys are available, go to the KMS console to create a key.
Note: TDE currently supports the Aliyun_AES_256 and Aliyun_SM4 encryption algorithms. When you create a KMS key, make sure to select a supported encryption algorithm.

Enabling TDE takes about 10 minutes. During this time, the cluster restarts.
Step 2: (Optional) Automatically enable encryption for new tables
If you want all new tables created in the cluster to be automatically encrypted, you can enable the Advanced Settings switch when you enable TDE.
Scenarios: This feature is suitable for businesses that have strict data security requirements and want to encrypt all newly generated data by default.
Version requirements:
PolarDB for MySQL 8.0 clusters with a minor engine version of 8.0.1.1.15 or later.
PolarDB for MySQL 5.7 clusters with a minor engine version of 5.7.1.0.35 or later.
Step 3: Encrypt and decrypt existing tables
After you enable TDE for a cluster, existing tables are not automatically encrypted. You must manually encrypt or decrypt existing tables by running the ALTER TABLE command.
If you enabled Advanced Settings, new tables are automatically encrypted. You do not need to perform this operation on new tables.
The table is locked and cannot be read from or written to while the ALTER TABLE command is running.
Database version | Command to encrypt a table | Command to decrypt a table |
MySQL 5.6 | | |
MySQL 5.7, MySQL 8.0 | | |
Step 4: Verify whether a table is encrypted
You can run the SHOW CREATE TABLE <table_name>; command to check the encryption status of a table.
For PolarDB for MySQL 5.7 and PolarDB for MySQL 8.0, the table is encrypted if the output contains ENCRYPTION='Y'.
For PolarDB for MySQL 5.6, the table is encrypted if the output contains BLOCK_FORMAT=ENCRYPTED.
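Because existing tables stay unencrypted after TDE is turned on (Step 3) and the only documented check is the table option shown by SHOW CREATE TABLE (Step 4), a practical follow-up is to audit every table's DDL and produce the ALTER TABLE statements that still need to run, for review before a maintenance window. The script below is an added example written for this page, not PolarDB or Alibaba Cloud tooling. It assumes only the two markers the page names, ENCRYPTION='Y' for MySQL 5.7 and 8.0 and BLOCK_FORMAT=ENCRYPTED for MySQL 5.6; the ALTER TABLE form that sets the same option is standard MySQL DDL for 5.7 and 8.0 and is assumed, from the 5.6 marker, for 5.6. The SHOW CREATE TABLE output it runs on is constructed, not captured from a cluster.

```python
"""Audit TDE table-level encryption from SHOW CREATE TABLE output.

Added example for this page, not PolarDB's own tooling. It assumes the two
markers the page documents (ENCRYPTION='Y' for MySQL 5.7/8.0 and
BLOCK_FORMAT=ENCRYPTED for MySQL 5.6). All sample DDL below is constructed.
"""
import re

# Table-option markers the page says SHOW CREATE TABLE shows for an
# encrypted table, one regex per engine family.
ENCRYPTION_MARKERS = {
    "5.6": re.compile(r"\bBLOCK_FORMAT\s*=\s*ENCRYPTED\b", re.IGNORECASE),
    "5.7": re.compile(r"\bENCRYPTION\s*=\s*['\"]Y['\"]", re.IGNORECASE),
    "8.0": re.compile(r"\bENCRYPTION\s*=\s*['\"]Y['\"]", re.IGNORECASE),
}

# Table option to put on ALTER TABLE so the table becomes encrypted.
# 5.7/8.0: standard MySQL DDL. 5.6: assumed from the marker the page shows
# for an encrypted 5.6 table.
ENCRYPT_OPTION = {
    "5.6": "BLOCK_FORMAT=ENCRYPTED",
    "5.7": "ENCRYPTION='Y'",
    "8.0": "ENCRYPTION='Y'",
}

# Constructed sample: SHOW CREATE TABLE results for three tables on an 8.0
# cluster. One table is encrypted, one was never touched, one was explicitly
# created with ENCRYPTION='N'.
SAMPLE_80 = {
    "orders": "CREATE TABLE `orders` (\n  `id` int NOT NULL,\n  PRIMARY KEY (`id`)\n"
              ") ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ENCRYPTION='Y'",
    "customers": "CREATE TABLE `customers` (\n  `id` int NOT NULL,\n  PRIMARY KEY (`id`)\n"
                 ") ENGINE=InnoDB DEFAULT CHARSET=utf8mb4",
    "audit_log": "CREATE TABLE `audit_log` (\n  `id` int NOT NULL\n"
                 ") ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ENCRYPTION='N'",
}

# Constructed sample for a 5.6 cluster, where the marker is BLOCK_FORMAT.
SAMPLE_56 = {
    "orders": "CREATE TABLE `orders` (\n  `id` int(11) NOT NULL\n"
              ") ENGINE=InnoDB DEFAULT CHARSET=utf8 BLOCK_FORMAT=ENCRYPTED",
    "customers": "CREATE TABLE `customers` (\n  `id` int(11) NOT NULL\n"
                 ") ENGINE=InnoDB DEFAULT CHARSET=utf8",
}


def is_encrypted(show_create_sql: str, major_version: str) -> bool:
    """Return True if the DDL carries the encryption marker for this engine."""
    try:
        marker = ENCRYPTION_MARKERS[major_version]
    except KeyError:
        raise ValueError(f"unsupported engine version: {major_version}") from None
    return marker.search(show_create_sql) is not None


def quote_identifier(name: str) -> str:
    """Backtick-quote a table name, doubling embedded backticks."""
    return "`" + name.replace("`", "``") + "`"


def encrypt_statement(table: str, major_version: str) -> str:
    """DDL that encrypts one table. Note: the table is locked while it runs."""
    return f"ALTER TABLE {quote_identifier(table)} {ENCRYPT_OPTION[major_version]};"


def audit(tables: dict, major_version: str) -> dict:
    """Classify tables by encryption status and list the DDL still needed.

    `tables` maps table name -> SHOW CREATE TABLE output. Statements are
    returned for review, not executed, because each ALTER TABLE blocks
    reads and writes on that table for its duration.
    """
    report = {"encrypted": [], "unencrypted": [], "pending_ddl": []}
    for name, ddl in sorted(tables.items()):
        if is_encrypted(ddl, major_version):
            report["encrypted"].append(name)
        else:
            report["unencrypted"].append(name)
            report["pending_ddl"].append(encrypt_statement(name, major_version))
    return report


if __name__ == "__main__":
    for version, sample in (("8.0", SAMPLE_80), ("5.6", SAMPLE_56)):
        result = audit(sample, version)
        print(f"MySQL {version}: encrypted={result['encrypted']} "
              f"unencrypted={result['unencrypted']}")
        for stmt in result["pending_ddl"]:
            print("  ", stmt)
```

Feed it the real SHOW CREATE TABLE output for each table in the cluster (for example from a scheduled job that iterates information_schema.TABLES) and treat a non-empty pending_ddl list as a compliance finding; the generated statements are then scheduled per table rather than run blind, because of the lock the page describes.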
Related APIs
API | Description |
| Queries the details of TDE settings for a PolarDB cluster. |
| Queries the list of custom keys for a PolarDB cluster. |
| Checks whether a KMS key already exists. |
| Enables the TDE feature for a PolarDB cluster. |