
ApsaraDB RDS: Use the cloud disk encryption feature

Last Updated: Feb 07, 2024

ApsaraDB RDS for MariaDB provides the cloud disk encryption feature free of charge. The feature encrypts the data on each data disk of your instance at the block storage layer, so backup data cannot be decrypted even if it is leaked. If you use the cloud disk encryption feature for your RDS instance, the snapshots that are created for the RDS instance are automatically encrypted, and you do not need to modify the configuration of your application.

Prerequisites

  • Your RDS instance is being created. The cloud disk encryption feature cannot be enabled after your RDS instance is created. For more information, see Create an ApsaraDB RDS for MariaDB instance.

  • Your RDS instance is created in standard mode.

Billing rules

The cloud disk encryption feature is provided free of charge. You are not charged for the read and write operations that you perform on the encrypted disks.

Usage notes

  • You cannot disable the cloud disk encryption feature after you enable the feature.

  • The cloud disk encryption feature does not interrupt your business, and you do not need to modify your application.

  • If you enable the cloud disk encryption feature for your RDS instance, the snapshots that are created for the RDS instance are automatically encrypted. If you use the encrypted snapshots to create an RDS instance that uses cloud disks, the cloud disk encryption feature is automatically enabled for the new RDS instance.

  • If your Key Management Service (KMS) is overdue, the cloud disks of your RDS instance cannot be decrypted. Make sure that KMS is in a normal state for your account. For more information, see What is KMS?

  • If you disable or delete the customer master key (CMK) that is used for disk encryption, your RDS instance cannot run as normal. For example, you cannot create snapshots, restore data from snapshots, or rebuild the secondary RDS instance of your RDS instance.

Enable the cloud disk encryption feature for an RDS instance

When you create an RDS instance, configure the Storage Type parameter, select Disk Encryption, and then configure the Key parameter. For more information, see Create an ApsaraDB RDS for MariaDB instance.

Note
  • For more information about how to create a CMK, see Create a key.

  • After the RDS instance is created, you can go to the Basic Information page of the instance and view the CMK that is used for disk encryption.

Check whether the cloud disk encryption feature is enabled for an RDS instance

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the Basic Information section, check whether the AccessKey Pair parameter can be found. If you can find the parameter, the cloud disk encryption feature is enabled for the RDS instance.
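
The console check above covers one instance at a time. The following added example (not part of the original documentation) applies the same check, together with the CMK conditions from the usage notes, to an exported inventory. The record layout, field names, instance IDs, key IDs and state strings are constructed for illustration and are not the RDS or KMS API schema.

```python
from dataclasses import dataclass

# Constructed sample inventory. Field names are hypothetical, not an API schema.
INSTANCES = [
    {"id": "rm-example-01", "cmk_id": "key-example-aaa"},
    {"id": "rm-example-02", "cmk_id": None},
    {"id": "rm-example-03", "cmk_id": "key-example-bbb"},
    {"id": "rm-example-04", "cmk_id": "key-example-ccc"},
]
# CMK states as exported from a key inventory (constructed values).
CMK_STATES = {"key-example-aaa": "Enabled", "key-example-bbb": "Disabled"}


@dataclass(frozen=True)
class Finding:
    instance_id: str
    severity: str
    reason: str


def audit(instances, cmk_states):
    """Return one Finding per instance that conflicts with the usage notes."""
    findings = []
    for inst in instances:
        cmk = inst.get("cmk_id")
        if not cmk:
            # Encryption cannot be enabled after creation, so the only
            # remediation is a new instance created with Disk Encryption.
            findings.append(Finding(inst["id"], "high",
                                    "unencrypted: recreate with Disk Encryption"))
            continue
        state = cmk_states.get(cmk)
        if state is None:
            # Key absent from the inventory: treat it as deleted until verified.
            findings.append(Finding(inst["id"], "critical", f"CMK {cmk} not found"))
        elif state != "Enabled":
            # A disabled CMK blocks snapshots, restores and secondary rebuilds.
            findings.append(Finding(inst["id"], "critical", f"CMK {cmk} is {state}"))
    return findings


if __name__ == "__main__":
    for f in audit(INSTANCES, CMK_STATES):
        print(f"{f.severity:8} {f.instance_id}: {f.reason}")
```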


Related operations

| Operation | Description |
| --- | --- |
| CreateDBInstance | Creates an instance. |