
PolarDB:Configure transparent data encryption (TDE)

Last Updated:Jan 23, 2026

PolarDB for PostgreSQL provides transparent data encryption (TDE). TDE performs real-time I/O encryption and decryption of data files. Data is encrypted before it is written to disk and decrypted when it is read into memory. TDE does not increase the size of data files. You can use the TDE feature without changing any applications.

Applicability

  • You have activated KMS. For more information, see Purchase a dedicated KMS instance.

  • You have granted PolarDB access to KMS. For more information, see Authorize PolarDB to access KMS.

  • Your PolarDB for PostgreSQL cluster must meet the following requirements:

    • Minor engine version:

      • PostgreSQL 14 (minor engine version 2.0.14.12.23.1 or later)

      • PostgreSQL 16 (minor engine version 2.0.16.9.6.0 or later)

      • PostgreSQL 17 (minor engine version 2.0.17.6.4.0 or later)

      • PostgreSQL 18 (minor engine version 2.0.18.0.1.0 or later)

    • PolarDB for PostgreSQL distributed clusters are not supported.

Note

You can view the minor engine version in the console or run the SHOW polardb_version; statement to check the version. If your cluster does not meet the minor engine version requirement, you must upgrade the minor engine version.
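The minor engine version is a dotted string with six numeric components, so a naive string comparison against the minimums listed above gives the wrong answer (for example, "2.0.14.9..." would sort after "2.0.14.12..."). The following Python helper, added here as an illustration and not part of the PolarDB documentation or product, compares the value component by component against the table on this page. It assumes that the string returned by SHOW polardb_version; has exactly this dotted form and that the third component is the PostgreSQL major version; both are assumptions, not something the page states.

```python
from typing import Dict, Tuple

# Minimum minor engine versions that support TDE, keyed by PostgreSQL major
# version. The values are the ones listed in the requirements on this page.
TDE_MIN_VERSION: Dict[int, str] = {
    14: "2.0.14.12.23.1",
    16: "2.0.16.9.6.0",
    17: "2.0.17.6.4.0",
    18: "2.0.18.0.1.0",
}

VERSION_COMPONENTS = 6


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted minor engine version into a tuple of integers.

    Integer tuples compare component-wise, so (2, 0, 14, 9, ...) sorts below
    (2, 0, 14, 12, ...), which a plain string comparison gets wrong. Shorter
    strings are right-padded with zeros so that lengths never decide the result.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    numbers = [int(p) for p in parts]
    numbers += [0] * (VERSION_COMPONENTS - len(numbers))
    return tuple(numbers)


def pg_major(version: Tuple[int, ...]) -> int:
    """Assumption: the third component of 2.0.<major>.x.y.z is the PG major."""
    if len(version) < 3 or version[:2] != (2, 0):
        raise ValueError(f"unexpected version layout: {version!r}")
    return version[2]


def tde_supported(polardb_version: str) -> bool:
    """Return True when the cluster's minor engine version meets the TDE minimum.

    Majors that are not in the table (for example 15) are reported as
    unsupported rather than guessed at.
    """
    current = parse_version(polardb_version)
    minimum = TDE_MIN_VERSION.get(pg_major(current))
    if minimum is None:
        return False
    return current >= parse_version(minimum)


if __name__ == "__main__":
    # Constructed sample values; in practice paste the output of
    # SHOW polardb_version; from the cluster you are checking.
    for sample in ("2.0.14.12.23.1", "2.0.14.9.30.5", "2.0.16.10.0.0", "2.0.15.1.0.0"):
        print(sample, "->", "TDE supported" if tde_supported(sample) else "upgrade required")
```

If the check reports "upgrade required", upgrade the minor engine version before turning on the TDE switch; enabling TDE restarts the cluster, so it is worth confirming the version in advance rather than discovering the mismatch mid-change.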

Background information

TDE performs data-at-rest encryption at the database layer. This prevents attackers from bypassing the database to read sensitive information from storage. Authenticated applications and users can transparently access application data without any changes to the application code or configuration. However, OS users who attempt to read sensitive data from tablespace files and unauthorized parties who attempt to read data from disks or backups cannot access the plaintext data.

The keys used for TDE encryption in PolarDB for PostgreSQL are generated and managed by Key Management Service (KMS). PolarDB does not provide the keys and certificates required for encryption. You can use keys that are automatically generated by Alibaba Cloud, or you can use your own key material to generate data keys and grant PolarDB permission to use them.

Notes

  • The TDE feature cannot be disabled after it is enabled.

  • For I/O-intensive scenarios, enabling TDE may affect database performance.

Procedure

To enable TDE when you create a cluster, see Create a database cluster or . The following procedure describes how to enable the TDE feature for an existing PolarDB cluster.

Important

Enabling TDE restarts the PolarDB cluster. Proceed with caution.

  1. Log on to the PolarDB console. In the navigation pane on the left, click Clusters. Select the region where your cluster is located, and then click the cluster ID to go to the details page.

  2. In the navigation pane on the left, choose Settings and Management > Security.

  3. On the TDE Settings tab, turn on the TDE Status switch.

  4. In the dialog box, select Use Default Key CMK or Use Existing Custom Key.

    • If you select Use Default Key CMK, click OK to enable TDE.

    • If you select Use Existing Custom Key, select a Key Management Service (KMS) key from the drop-down list and then click OK to enable TDE.

Note

  • The only supported key type is Aliyun_AES_256.

  • When you use an existing custom key, the following conditions must be met:

    • You must use an Alibaba Cloud account or an account that has the AliyunSTSAssumeRoleAccess permission.

    • Disabling the key, scheduling the key for deletion, or deleting the key material makes the key unavailable.

    • If you revoke the authorization and then restart the PolarDB cluster, the cluster becomes unavailable.

  • If you do not have a custom key, click Create Now to go to the KMS console, where you can create a key and import your key material. For more information, see Create a key.

Enabling TDE takes about 10 minutes.

View the TDE status

  1. Log on to the PolarDB console. In the navigation pane on the left, click Clusters. Select the region where your cluster is located, and then click the cluster ID to go to the details page.

  2. In the navigation pane on the left, choose Settings and Management > Security.

  3. On the TDE Settings tab, view the TDE Status switch.

Switch to a custom key

  1. Log on to the PolarDB console. In the navigation pane on the left, click Clusters. Select the region where your cluster is located, and then click the cluster ID to go to the details page.

  2. In the navigation pane on the left, choose Settings and Management > Security.

  3. On the TDE Settings tab, click the TDE Status switch.

  4. In the dialog box, select Use Existing Custom Key, select a Key Management Service (KMS) key from the drop-down list, and then click OK.

    Note

    For more information about using a custom key, see the notes in the Procedure section.

Advanced options

Note

  • Automatic TDE key rotation is supported only when you use an existing custom key.

  • PolarDB does not update the master key version of a custom key. You can manually update the key version or change the key rotation policy. For more information, see Key rotation.

  • After PolarDB detects that the master key version of a custom key is updated, it rotates the TDE key during the next maintenance time window. The PolarDB cluster restarts during this process.

You can enable automatic TDE key rotation in one of the following two ways:

  • When you enable TDE with a custom key, you can enable Automatic TDE Key Rotation under Advanced Settings in the Configure TDE dialog box.

  • After enabling TDE with a custom key, on the Configure TDE tab, turn on Automatic TDE Key Rotation under Advanced Settings.

FAQ

  • Can I still use common database tools, such as Navicat, after I enable TDE?

    A: Yes, you can.

  • Why does the data appear in plaintext when I view it after I enable encryption?

    A: When you query data, the data is decrypted and read into memory. Therefore, it is displayed in plaintext. Data at rest is encrypted after you enable TDE.

Related API operations

  • ModifyDBClusterTDE: Enables the TDE feature for a PolarDB cluster or modifies the encryption method.

  • DescribeDBClusterTDE: Queries the TDE settings of a PolarDB cluster.

  • CreateDBCluster: Creates a PolarDB cluster and enables transparent data encryption (TDE).

Note

The DBType parameter must be set to PostgreSQL or .