Transparent Data Encryption (TDE) encrypts data files as they are written to disk and decrypts them when loaded into memory. Enabling TDE requires no application code changes and does not increase data file size. Encryption keys are generated and managed by Key Management Service (KMS). PolarDB-X does not provide its own keys or certificates.
Prerequisites
Before you begin, ensure that you have:
- KMS activated (if KMS is not activated, you can activate it during TDE setup)
Choose a key type
| Key type | Description | Use when |
|---|---|---|
| Use Automatically Generated Key | Alibaba Cloud generates and manages the key | You want a simple setup with no key management overhead |
| Use Existing Custom Key | You supply your own key materials via KMS | You need to control the key lifecycle for compliance or audit requirements |
Enable TDE
- Log on to the PolarDB for Xscale console.
- In the top navigation bar, select the region where your instance is deployed.
- On the Instance List page, click the PolarDB-X 2.0 tab.
- Click the ID of the instance.
- In the left-side navigation pane, choose Configuration Management > Security Management.
- On the TDE tab, turn on the switch next to TDE status.
- In the Configure TDE dialog box, select a key type and click OK:
  - Use Automatically Generated Key: Alibaba Cloud generates the key automatically.
  - Use Existing Custom Key: Select an existing key from KMS.
    Note: If you do not have a custom key, click Create now to go to the KMS console and import key materials. For more information, see Manage CMKs.
Encrypt a table
To encrypt an existing table, run:

```sql
ALTER TABLE <tablename> ENCRYPTION='Y';
```
To create a new table with encryption enabled, pass `ENCRYPTION='Y'` as a table option after the column definitions:

```sql
CREATE TABLE <tablename> (<col definition>) ENCRYPTION='Y';
```
Decrypt a table
To remove TDE encryption from a table, run:

```sql
ALTER TABLE <tablename> ENCRYPTION='N';
```
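As an added example (not part of the original page or of PolarDB-X's own documentation), the following script creates one table encrypted from the start, brings an existing plain table under TDE, and then audits the current schema for base tables that are not marked as encrypted. The schema and table names are constructed; the audit query assumes a MySQL-compatible `information_schema.TABLES` that exposes `ENCRYPTION` in `CREATE_OPTIONS`, which PolarDB-X may not populate for every logical table.

```sql
-- Constructed example: table and column names are placeholders.
-- Assumes TDE has already been enabled on the instance (console steps above)
-- and that information_schema.TABLES exposes CREATE_OPTIONS as MySQL does.

-- 1. A new table that holds sensitive data, encrypted from the start.
CREATE TABLE customer_pii (
  id        BIGINT       NOT NULL AUTO_INCREMENT,
  email     VARCHAR(255) NOT NULL,
  ssn_last4 CHAR(4)      NOT NULL,
  PRIMARY KEY (id)
) ENCRYPTION='Y';

-- 2. An existing, unencrypted table brought under TDE.
--    (created plain here only so that the script is self-contained)
CREATE TABLE orders_archive (
  id      BIGINT NOT NULL,
  payload TEXT,
  PRIMARY KEY (id)
);
ALTER TABLE orders_archive ENCRYPTION='Y';

-- 3. Per-table check: the table options should now include ENCRYPTION='Y'.
SHOW CREATE TABLE orders_archive;

-- 4. Schema-wide audit: list base tables in the current schema whose
--    CREATE_OPTIONS do not carry ENCRYPTION='Y'. The "_" wildcard matches
--    either quote style (ENCRYPTION='Y' or ENCRYPTION="Y") used by
--    different MySQL-compatible engines. An empty result set means every
--    base table in the schema is marked as encrypted.
SELECT TABLE_NAME, CREATE_OPTIONS
FROM information_schema.TABLES
WHERE TABLE_SCHEMA = DATABASE()
  AND TABLE_TYPE = 'BASE TABLE'
  AND COALESCE(CREATE_OPTIONS, '') NOT LIKE '%ENCRYPTION=_Y_%';
```

Run the audit query again after any `ENCRYPTION='N'` change so that tables taken out of TDE are caught rather than silently left in clear text on disk.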