
ApsaraDB RDS: Data encryption

Last Updated: Mar 28, 2026

ApsaraDB RDS provides four layers of encryption to protect data in transit, at rest, on disk, and at the column level. Each layer targets a distinct threat and can be combined to meet your security and compliance requirements.

| Encryption layer | What it protects | Supported databases | Default state |
| --- | --- | --- | --- |
| SSL | Data in transit between client and instance | MySQL, SQL Server, PostgreSQL | Disabled — must be enabled manually |
| TDE | Data files and backups at rest | MySQL, PostgreSQL, SQL Server | Disabled — must be enabled manually |
| Cloud disk encryption | All data on disk at the block-storage level | Instances using cloud disks | Disabled — must be enabled manually |
| Always-confidential database | Sensitive columns during transmission, computation, and storage | PostgreSQL | Disabled — must be enabled manually |

SSL

SSL protects against man-in-the-middle attacks by encrypting the connection between your application and your RDS instance. Each RDS instance includes a server Secure Sockets Layer (SSL) certificate that lets your application verify that the endpoint it connects to belongs to your instance rather than to an impostor.

SSL encryption takes effect only after you enable server authentication in your application. Because SSL adds cryptographic processing overhead, it increases CPU usage and reduces instance throughput. The performance impact depends on the number of concurrent connections and the frequency of data transmission.

For setup instructions, see Configure SSL encryption for an ApsaraDB RDS instance.
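The caveat above, that SSL protects the connection only once the application enforces server authentication, is easy to get wrong in a connection string, where an encrypted-but-unauthenticated mode looks secure. The Go program below is an added example, not part of this documentation or of any Alibaba Cloud client. It audits a PostgreSQL or MySQL connection URL and reports whether the settings merely encrypt the session or also verify the server certificate against the RDS CA. The libpq `sslmode` values and `sslrootcert` parameter follow libpq's documented semantics; the MySQL query keys `ssl-mode` and `ssl-ca` are an assumption that mirrors the mysql client option names (real drivers spell them differently); every host name and CA path is constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// TLSPosture records what a connection string actually guarantees. Mandatory
// encryption without server authentication still lets an impostor endpoint terminate
// the connection, which is the case the instance's server certificate exists to rule out.
type TLSPosture struct {
	Encrypted           bool   // TLS is mandatory rather than merely preferred
	ServerAuthenticated bool   // the server certificate is checked against a CA
	IdentityChecked     bool   // the certificate identity is matched to the endpoint
	Reason              string // what to change, if anything
}

// AuditConnectionURL parses a PostgreSQL (libpq-style) or MySQL connection URL and
// reports the posture implied by its query parameters. It sees only the URL, not any
// default CA file on the client, so the CA path must be given explicitly to count.
func AuditConnectionURL(raw string) (TLSPosture, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return TLSPosture{}, err
	}
	q := u.Query()
	switch strings.ToLower(u.Scheme) {
	case "postgresql", "postgres":
		return auditLibpq(q.Get("sslmode"), q.Get("sslrootcert")), nil
	case "mysql":
		return auditMySQL(q.Get("ssl-mode"), q.Get("ssl-ca")), nil
	}
	return TLSPosture{}, fmt.Errorf("unsupported scheme %q", u.Scheme)
}

// auditLibpq applies libpq's sslmode semantics: the default "prefer" falls back to
// plaintext, "require" mandates TLS and behaves like "verify-ca" only when a root CA
// is supplied, and only "verify-full" also matches the certificate to the host name.
func auditLibpq(sslmode, rootcert string) TLSPosture {
	mode := strings.ToLower(sslmode)
	switch mode {
	case "", "disable", "allow", "prefer":
		return TLSPosture{Reason: "sslmode permits plaintext; set sslmode=verify-full"}
	case "require", "verify-ca", "verify-full":
		return grade(rootcert != "", mode == "verify-full", "sslrootcert", "sslmode=verify-full")
	}
	return TLSPosture{Reason: "unrecognised sslmode " + sslmode}
}

// auditMySQL applies the mysql client's ssl-mode semantics (default PREFERRED). The
// query keys ssl-mode and ssl-ca are assumed to mirror the client's option names.
func auditMySQL(sslmode, ca string) TLSPosture {
	mode := strings.ToUpper(sslmode)
	switch mode {
	case "", "DISABLED", "PREFERRED":
		return TLSPosture{Reason: "ssl-mode permits plaintext; set ssl-mode=VERIFY_IDENTITY"}
	case "REQUIRED": // never verifies the certificate, even when ssl-ca is present
		return TLSPosture{Encrypted: true, Reason: "encrypted only; set ssl-mode=VERIFY_IDENTITY with ssl-ca"}
	case "VERIFY_CA", "VERIFY_IDENTITY":
		return grade(ca != "", mode == "VERIFY_IDENTITY", "ssl-ca", "ssl-mode=VERIFY_IDENTITY")
	}
	return TLSPosture{Reason: "unrecognised ssl-mode " + sslmode}
}

// grade fills in the posture for a mode that mandates TLS, given whether a CA path was
// supplied and whether the mode also matches the certificate to the host name.
func grade(haveCA, full bool, caParam, bestMode string) TLSPosture {
	p := TLSPosture{Encrypted: true}
	switch {
	case !haveCA:
		p.Reason = "no " + caParam + " in the URL, so CA checking cannot be confirmed; set it to the RDS CA path"
	case !full:
		p.ServerAuthenticated = true
		p.Reason = "CA checked but the host name is not; use " + bestMode
	default:
		p.ServerAuthenticated, p.IdentityChecked = true, true
		p.Reason = "server authentication enforced"
	}
	return p
}

func main() {
	// Constructed example URLs: the first only encrypts, the second also authenticates.
	for _, raw := range []string{
		"postgresql://app@rds-endpoint.example.com:5432/appdb?sslmode=require",
		"postgresql://app@rds-endpoint.example.com:5432/appdb?sslmode=verify-full&sslrootcert=/etc/ssl/certs/rds-ca.pem",
	} {
		p, err := AuditConnectionURL(raw)
		fmt.Printf("%s\n  encrypted=%t authenticated=%t identity=%t err=%v\n  %s\n",
			raw, p.Encrypted, p.ServerAuthenticated, p.IdentityChecked, err, p.Reason)
	}
}
```

Treat anything short of `IdentityChecked` as a finding: `sslmode=require` and `ssl-mode=REQUIRED` defeat passive eavesdropping but not an endpoint presenting some other certificate, which is the impostor case the server certificate is meant to rule out. Because the audit only reads the URL, a `verify-ca` or `verify-full` setting that relies on the client's default CA file is reported as unconfirmed rather than as secure.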

TDE

Transparent Data Encryption (TDE) protects against unauthorized access to stolen or exposed data files and backups. It encrypts data before writing it to storage, so even if a disk or backup file is obtained outside the database service, the data remains unreadable without the encryption key.

After enabling TDE, specify the databases or tables to encrypt. All data files and backup files for those databases or tables are stored as ciphertext on every storage medium — disk, SSD, Peripheral Component Interconnect Express (PCIe) card, and Object Storage Service (OSS).

How encryption keys work: TDE uses the Advanced Encryption Standard (AES) algorithm. The key for TDE is encrypted and stored by Key Management Service (KMS). The RDS instance loads the key once at startup or during migration. To rotate the key, replace it in the KMS console.
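The key arrangement described above (an AES data key that is itself encrypted and held by KMS, loaded by the instance once at startup, and rotated by replacing it in KMS) is the envelope-encryption pattern. The Go program below is an added illustration of that pattern and not Alibaba Cloud's implementation: its `KMS` type is a hypothetical in-memory stand-in, its page format (a nonce followed by AES-256-GCM ciphertext, with the page id bound as associated data) is the example's own choice, and the row data used to exercise it is constructed. It shows why the instance needs KMS only at startup and why, in this pattern, re-wrapping the data key under a new master key leaves the encrypted data pages untouched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// WrappedKey is a DEK sealed under a KMS master key: the only form ever stored beside the data.
type WrappedKey struct {
	KeyVersion int
	Blob       []byte // nonce || AES-256-GCM ciphertext of the DEK
}

// KMS is a hypothetical in-memory key management service; it wraps and unwraps DEKs, never bulk data.
type KMS struct{ versions []cipher.AEAD }

// Rotate installs a fresh 256-bit master key; older versions stay so earlier wrapped keys still unwrap.
func (k *KMS) Rotate() int {
	k.versions = append(k.versions, mustAESGCM(randomBytes(32)))
	return len(k.versions) - 1
}

// Wrap seals a DEK under the current master key, binding the key version as AAD.
func (k *KMS) Wrap(dek []byte) (WrappedKey, error) {
	v := len(k.versions) - 1
	if v < 0 || len(dek) != 32 {
		return WrappedKey{}, fmt.Errorf("need a master key (call Rotate) and a 32-byte DEK")
	}
	return WrappedKey{KeyVersion: v, Blob: seal(k.versions[v], dek, []byte(fmt.Sprintf("kek-v%d", v)))}, nil
}

// Unwrap recovers the DEK with the master-key version it was wrapped under.
func (k *KMS) Unwrap(w WrappedKey) ([]byte, error) {
	if w.KeyVersion < 0 || w.KeyVersion >= len(k.versions) {
		return nil, fmt.Errorf("unknown master key version %d", w.KeyVersion)
	}
	return open(k.versions[w.KeyVersion], w.Blob, []byte(fmt.Sprintf("kek-v%d", w.KeyVersion)))
}

// Rewrap re-seals a DEK under the current master key after a rotation; the DEK and every data page stay untouched.
func (k *KMS) Rewrap(w WrappedKey) (WrappedKey, error) {
	dek, err := k.Unwrap(w)
	if err != nil {
		return WrappedKey{}, err
	}
	return k.Wrap(dek)
}

// Instance models the engine: it unwraps the DEK once at startup (its only KMS call), then works locally.
type Instance struct{ aead cipher.AEAD }

func StartInstance(kms *KMS, w WrappedKey) (*Instance, error) {
	dek, err := kms.Unwrap(w)
	if err != nil {
		return nil, err
	}
	return &Instance{aead: mustAESGCM(dek)}, nil
}

// EncryptPage binds the page id as AAD so a ciphertext cannot be silently moved to another page;
// DecryptPage fails on tampering or on the wrong page id.
func (i *Instance) EncryptPage(pageID uint32, page []byte) []byte {
	return seal(i.aead, page, []byte(fmt.Sprintf("page-%d", pageID)))
}
func (i *Instance) DecryptPage(pageID uint32, blob []byte) ([]byte, error) {
	return open(i.aead, blob, []byte(fmt.Sprintf("page-%d", pageID)))
}

// randomBytes draws from the CSPRNG; a failing CSPRNG is treated as fatal. A DEK is randomBytes(32).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustAESGCM builds an AES-GCM AEAD. aes.NewCipher fails only on a bad key length, which the
// 32-byte keys used throughout rule out, and cipher.NewGCM cannot fail for AES's 16-byte block.
func mustAESGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block)
	return aead
}

// seal returns nonce || ciphertext under a fresh random nonce; open reverses it and rejects short input.
func seal(aead cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}
func open(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}
```

A typical run is `kms := &KMS{}; kms.Rotate(); w, _ := kms.Wrap(randomBytes(32)); inst, _ := StartInstance(kms, w); blob := inst.EncryptPage(7, page)`. After a second `kms.Rotate()`, `kms.Rewrap(w)` returns a key sealed under version 1 that a freshly started instance uses to decrypt the same `blob`, while `DecryptPage` with a different page id, a flipped ciphertext byte, or a blob shorter than a nonce fails. The master key never leaves the `KMS` value, which is the property the page relies on when it says the TDE key is stored by KMS and only loaded by the instance.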

TDE for MySQL and PostgreSQL is developed by Alibaba Cloud. TDE for SQL Server is based on SQL Server Enterprise Edition.

Limitations:

  • TDE can only be enabled on databases or tables you specify — it does not encrypt the entire instance by default.

For setup instructions, see Set TDE for an RDS MySQL instance. For performance benchmarks, see the TDE test report.

Cloud disk encryption

Cloud disk encryption protects against data exposure if a physical disk is accessed outside the database service. It encrypts all data at the block-storage level, so data remains unreadable even if the underlying storage media is removed or compromised.

This feature is available at no additional cost for RDS instances that use cloud disks. Encryption is applied transparently — no application changes are required and workloads are not interrupted.

Limitations:

  • Available only for instances that use cloud disks.

For setup instructions, see Configure the disk encryption feature for an ApsaraDB RDS for MySQL instance.

Always-confidential database

The always-confidential database feature protects sensitive columns from exposure during their entire lifecycle — data remains encrypted during transmission, computation, and storage. Even database operations run against the encrypted data without exposing plaintext to the database engine.

This feature is available for ApsaraDB RDS for PostgreSQL. The operations supported depend on the instance type:

| Instance type | Protection mechanism | Supported operations |
| --- | --- | --- |
| Intel Software Guard Extensions (SGX)-based security-enhanced instance | Trusted Execution Environment (TEE) provided by Intel SGX | All database operations, including comparisons and computations inside the TEE |
| Other instance types | Cryptographic techniques | A subset of database operations |

For a list of available instance types, see Instance types for primary ApsaraDB RDS for PostgreSQL instances.