ApsaraDB RDS: Use backup encryption

Last Updated: Mar 30, 2026

Backup encryption protects your ApsaraDB RDS for MySQL backup files at rest. Encryption is handled by the Percona XtraBackup utility — no application changes required. When you restore data in the ApsaraDB RDS console, the backend decrypts the backup automatically. If you download a backup file to a self-managed environment, decrypt it manually before restoring.

Prerequisites

Before you begin, make sure you have:

  • An RDS instance running MySQL 8.0, MySQL 5.7, or MySQL 5.6

  • An RDS instance using High-availability Edition

  • An RDS instance using Premium Local SSDs

  • Key Management Service (KMS) activated. For details, see Purchase a dedicated KMS instance

How it works

KMS creates and manages the encryption key. ApsaraDB RDS does not provide keys or certificates. When you enable backup encryption, you choose one of two key types:

Automatically generated key
    Description: Alibaba Cloud generates and manages the key.
    When to use: Default choice for most use cases.

Custom key (CMK)
    Description: A key you create and control in KMS.
    When to use: Use when your organization requires full control over the key lifecycle, including rotation schedules, access policies, and the ability to revoke access by disabling the key. Required for compliance scenarios involving key custodian separation.

To use a custom key, ApsaraDB RDS creates a service-linked role (backupencryption.rds.aliyuncs.com) to retrieve key metadata from KMS. The console then displays available custom keys and their encryption details.

Limitations

  • Backup encryption cannot be disabled after it is enabled.

  • The encryption key cannot be changed after it is selected.

  • Only backup files created after enabling the feature are encrypted. Existing backup files remain unencrypted.

  • If a custom key becomes unavailable (disabled, scheduled for deletion, or its key material deleted), any operation that depends on a backup encrypted with that key fails. This includes data restoration and O&M operations, which may reduce instance availability.

Required permissions for custom keys

If you use a custom key, your Alibaba Cloud account or RAM user must have the following permissions:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "backupencryption.rds.aliyuncs.com"
                }
            }
        },
        {
            "Action": [
                "kms:ListResourceTags",
                "kms:TagResource"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:kms:*:*:*"
            ]
        }
    ]
}

To grant these permissions to a RAM user, see Authorize a RAM user to manage ApsaraDB RDS instances.

Enable backup encryption

  1. Go to the Instances page. In the top navigation bar, select the region where your RDS instance resides, then click the instance ID.

  2. In the left-side navigation pane, click Backup and Restoration.

  3. Click the Backup Strategy tab.

  4. In the Backup Encryption Settings section, click Edit and turn on Backup Encryption Status.

  5. In the Backup Set Encryption Information dialog box, select a Backup Master Key option and click OK:

    • Use Automatically Generated Key — Alibaba Cloud generates the key.

    • Use Existing Custom Key — uses a key you created in KMS. If no key exists yet, create one first. For details, see Create a CMK.

    Note: If this is your first time using a custom KMS key, follow the on-screen authorization prompts to grant the required permissions.

After the feature is enabled, all new backup files are encrypted. Restore operations in the ApsaraDB RDS console do not require manual decryption — the backend handles it automatically. For downloads to a self-managed environment, follow the steps in Decrypt backup files.

Decrypt backup files

This section shows how to decrypt backup files on Ubuntu 16.04.

Prerequisites

Before you begin, install the following tools:

  • Percona XtraBackup — install version 2.4 or version 8.0 to match your MySQL version.

  • qpress — run the following commands to install:

    wget "http://docs-aliyun.cn-hangzhou.oss.aliyun-inc.com/assets/attach/183466/cn_zh/1608011575185/qpress-11-linux-x64.tar"
    tar xvf qpress-11-linux-x64.tar
    chmod 775 qpress
    cp qpress /usr/bin

  • Python 3

Step 1: Get the ciphertext and encryption algorithm

  1. Go to the Instances page. Select your region and click the instance ID.

  2. In the left-side navigation pane, click Backup and Restoration.

  3. Click the Base Backups tab, then the Data Backup tab.

  4. In the Actions column of the backup set, click the icon and select View Encryption Information.

  5. Note the ciphertext and encryption algorithm values — you need them in the next steps.

Step 2: Derive the decryption password

Call the KMS Decrypt API with CiphertextBlob set to the ciphertext from Step 1. The API returns a Plaintext value — a Base64-encoded binary string.

Decode Plaintext to get the decryption password:

  1. Create a Python script:

    vi decrypt.py
  2. Press i to enter insert mode, paste the following code, then press Esc and type :wq to save:

    import base64
    import binascii
    plaintext = 'S14dTbl6i4Qo**********'  # Replace with the Plaintext value from the KMS API response.
    password = binascii.b2a_hex(base64.b64decode(plaintext))   # Derive the decryption password.
    print(str(password, 'utf-8'))   # Print the password.
  3. Run the script:

    python3 decrypt.py

    The password prints to the screen. Example:

    4b5e1d4db97a********************

Step 3: Download and decrypt the backup data

  1. Download the backup file to your local machine. For details, see Restore the data of an ApsaraDB RDS for MySQL instance from a physical backup file to a self-managed MySQL database.

  2. Create a directory to store the backup data:

    mkdir /home/mysql/data
  3. Decompress the backup package. The command depends on the file extension:

    File type   Decompression command
    .tar.gz     tar -izxvf test1.tar.gz -C /home/mysql/data
    .xb.gz      gzip -d -c test1.xb.gz | xbstream -x -v -C /home/mysql/data
    _qp.xb      See the two commands below
    _xb.qp      qpress -do test1_xb.qp | xbstream -x -v -C /home/mysql/data

    For _qp.xb files, run the following two commands in sequence:

    # Extract the backup stream
    cat test1_qp.xb | xbstream -x -v -C /home/mysql/data
    
    # Decompress the extracted files
    # For MySQL 5.6 or MySQL 5.7:
    innobackupex --decompress --remove-original /home/mysql/data
    # For MySQL 8.0:
    xtrabackup --decompress --remove-original --target-dir=/home/mysql/data

    After decompression, all data files have the .xbcrypt suffix, indicating they are encrypted.

  4. Decrypt the backup data:

    xtrabackup --decompress --remove-original --decrypt=AES256 --encrypt-key=4b5e1d4db97a******************** --target-dir=/home/mysql/data

    Replace the parameter values with your own:

    Parameter      Description
    --decrypt      The encryption algorithm from Step 1. In this example: AES256.
    --encrypt-key  The password derived in Step 2.
    --target-dir   The directory where the backup files are stored.

    After the command completes, the .xbcrypt suffix disappears and the files are decrypted.
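Added example (not from the original page or from Alibaba Cloud): a Python 3 helper that performs the Step 2 decoding with strict Base64 validation, checks that the derived password has the key length XtraBackup expects for the algorithm noted in Step 1, and assembles the Step 3 decrypt command as an argument list so it can be run without a shell. The 16/24/32-character key sizes for AES128/AES192/AES256, and the function names, are assumptions; the sample Plaintext value is constructed.

```python
import base64
import binascii

# Assumed key length, in characters of the --encrypt-key string, per
# --decrypt algorithm: AES128 -> 16, AES192 -> 24, AES256 -> 32.
KEY_CHARS = {"AES128": 16, "AES192": 24, "AES256": 32}


def derive_password(plaintext_b64: str) -> str:
    """Decode the KMS Decrypt 'Plaintext' value and hex-encode it, as decrypt.py does.

    validate=True rejects stray characters, so a truncated or mis-pasted value
    raises binascii.Error instead of silently producing a wrong password.
    """
    raw = base64.b64decode(plaintext_b64.strip(), validate=True)
    return binascii.b2a_hex(raw).decode("ascii")


def check_password(password: str, algorithm: str) -> bool:
    """True if the derived password has the key length 'algorithm' requires."""
    expected = KEY_CHARS.get(algorithm.upper())
    return expected is not None and len(password) == expected


def build_decrypt_command(password: str, algorithm: str, target_dir: str) -> list:
    """Return argv for the Step 3 decrypt command; refuse a key of the wrong length."""
    if not check_password(password, algorithm):
        raise ValueError(
            f"{algorithm}: expected {KEY_CHARS.get(algorithm.upper())}-character key, "
            f"got {len(password)} characters"
        )
    return [
        "xtrabackup", "--decompress", "--remove-original",
        f"--decrypt={algorithm.upper()}", f"--encrypt-key={password}",
        f"--target-dir={target_dir}",
    ]


if __name__ == "__main__":
    # Constructed sample: 16 bytes of key material, Base64-encoded as KMS returns it.
    sample_plaintext = base64.b64encode(bytes(range(16))).decode()
    pw = derive_password(sample_plaintext)
    # Prints the same command as the manual step, with the derived 32-character key.
    print(" ".join(build_decrypt_command(pw, "AES256", "/home/mysql/data")))
```

Run the list with subprocess.run(argv) rather than joining it into a shell string, so the key is passed as a single argument.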

What's next