
ApsaraDB RDS:Configure transparent data encryption (TDE)

Last Updated:Oct 23, 2025

To meet security and compliance requirements for data-at-rest encryption, we recommend using Transparent Data Encryption (TDE) to encrypt and decrypt data files in real time. It encrypts data at the database layer, preventing attackers from bypassing the database to read sensitive information directly from storage.

Overview

Introduction: After you enable TDE, data is encrypted before being written to disk and decrypted when read into memory. Authenticated applications and users can access data transparently, with no changes required to application code or configurations. However, unauthorized users, including OS users, cannot read sensitive data in plaintext from tablespace files, disks, or backup files.

Keys: Key Management Service (KMS) generates and manages the keys used for TDE. RDS does not provide the keys or certificates required for encryption. Use a key automatically generated by Alibaba Cloud or authorize RDS to use your own CMKs.

Encryption algorithms: After you enable TDE, the encryption algorithms vary by the database engine version, as shown in the following table.

| Database engine version | Supported encryption algorithms | How to modify the algorithm |
|---|---|---|
| MySQL 5.6 | AES_128_ECB | The algorithm cannot be modified. |
| MySQL 5.7, 8.0 | AES_256_CBC (default), SM4_CTR | Modify the algorithm using the innodb_encrypt_algorithm parameter. |

Important

Modifying the innodb_encrypt_algorithm parameter is a high-risk operation. It affects the encryption and decryption algorithm for all encrypted data within the instance, including encrypted tables and logs. Setting this parameter to an algorithm different from the one used for encryption will cause decryption to fail. The innodb_encrypt_algorithm parameter is not visible in the console. To modify this parameter, submit a ticket.

Prerequisites

  • To use TDE, your instance must meet the following conditions:

    • Database engine version: MySQL 8.0, 5.7, or 5.6 with a minor engine version of 20191015 or later.

    • Edition: High-availability Edition or Cluster Edition.

  • Key Management Service (KMS) is activated. If you have not activated KMS, you will be guided to activate it when you enable TDE.

  • Use your Alibaba Cloud account to authorize RDS to access KMS.

Usage notes

  • After TDE is enabled, it cannot be disabled. The key cannot be changed, and CPU usage will increase significantly.

  • Instance switchover: Enabling TDE restarts the instance and causes a switchover. The instance is unavailable for about 30 seconds. We recommend that you perform this operation during off-peak hours and ensure your application has an automatic reconnection mechanism.

  • No application changes: Enabling TDE does not increase the size of data files. You can use TDE without modifying your application code or configuration.

  • Data restoration limitations: After TDE is enabled, cross-region restoration is not supported. To restore data to a local machine, you must first decrypt the data.

  • Configuration change limitations: After TDE is enabled, you cannot change the instance edition from High-availability Edition to Cluster Edition.

  • CMK limitations: When using an existing CMK, note the following:

    • CMKs must be symmetric keys. Asymmetric keys are not supported.

    • If the KMS instance becomes unavailable (for example, it expires or is deleted), or if the key is disabled, scheduled for deletion, or has its key material deleted, the key becomes unusable and the data on your ApsaraDB RDS instance becomes unrecoverable.

    • If you revoke the authorization and then restart the RDS instance, the instance will become unavailable.

  • Minor engine version upgrade: To ensure instance stability, we recommend that you update the minor engine version of your primary instance and any read-only instances to the latest version.

Enable TDE

You can enable TDE using a key that is automatically generated by Alibaba Cloud or your own CMK. To do so, use your Alibaba Cloud account or an account with the AliyunSTSAssumeRoleAccess permission.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the navigation pane on the left, click Data Security and then select the TDE tab.

  3. In the TDE Settings section, enable TDE Status.

  4. Select a key type:

    • Use Automatically Generated Key: This option uses a Service Key from KMS.

    • Use Existing Custom Key: Select an existing CMK. Only symmetric keys are supported.

      Note

      If no key is available, click go to the KMS console to create a key and import your own key material. When creating the key, select Symmetric Key for the Encryption Key Type.

  5. Click OK.

Encrypt and decrypt data with TDE

Encrypt data

Log on to your database and run the following command to encrypt a table.

Note

After you enable TDE, existing tables are not automatically encrypted. You must manually run the following command for each table that you want to encrypt.

  • MySQL 5.6

    ALTER TABLE <tablename> engine=innodb,block_format=encrypted;

  • MySQL 5.7 or 8.0

    ALTER TABLE <tablename> encryption='Y';
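Because existing tables stay in plaintext until each one is altered, a practitioner usually wants to encrypt a whole schema and then verify nothing was missed. The following added example (not from the Alibaba Cloud page) does that for MySQL 5.7 or 8.0 with a stored procedure that runs the ALTER TABLE above for every unencrypted InnoDB base table in a schema; the schema name appdb and the procedure name are placeholders.

```sql
-- Added example, not part of the original page. Runs in the mysql client
-- (DELIMITER is a client command). Schema name 'appdb' is a placeholder.
DELIMITER $$
CREATE PROCEDURE encrypt_schema_tables(IN p_schema VARCHAR(64))
BEGIN
  DECLARE v_done  INT DEFAULT 0;
  DECLARE v_table VARCHAR(64);
  -- Only InnoDB base tables whose CREATE_OPTIONS do not already carry
  -- ENCRYPTION="Y"/'Y' (the '_' wildcard matches either quote style).
  -- Views and tables on other engines are skipped.
  DECLARE cur CURSOR FOR
    SELECT TABLE_NAME
    FROM information_schema.TABLES
    WHERE TABLE_SCHEMA = p_schema
      AND TABLE_TYPE = 'BASE TABLE'
      AND ENGINE = 'InnoDB'
      AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION=_Y_%';
  DECLARE CONTINUE HANDLER FOR NOT FOUND SET v_done = 1;

  OPEN cur;
  read_loop: LOOP
    FETCH cur INTO v_table;
    IF v_done = 1 THEN
      LEAVE read_loop;
    END IF;
    -- ALTER TABLE ... ENCRYPTION='Y' rebuilds the table, which is I/O
    -- heavy on large tables; schedule the call during off-peak hours.
    SET @ddl = CONCAT('ALTER TABLE `', p_schema, '`.`', v_table,
                      '` ENCRYPTION=''Y''');
    PREPARE stmt FROM @ddl;
    EXECUTE stmt;
    DEALLOCATE PREPARE stmt;
  END LOOP;
  CLOSE cur;
END$$
DELIMITER ;

CALL encrypt_schema_tables('appdb');

-- Verification: every row returned here is still stored in plaintext,
-- so an empty result means the whole schema is encrypted at rest.
SELECT TABLE_NAME, CREATE_OPTIONS
FROM information_schema.TABLES
WHERE TABLE_SCHEMA = 'appdb'
  AND TABLE_TYPE = 'BASE TABLE'
  AND ENGINE = 'InnoDB'
  AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION=_Y_%';
```

Tables created after TDE is enabled still need encryption='Y' in their CREATE TABLE statement or a later ALTER, so the verification query is worth re-running periodically rather than once.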

Decrypt data

Log on to your database and run the following command to decrypt a table.

  • MySQL 5.6

    ALTER TABLE <tablename> engine=innodb,block_format=default;

  • MySQL 5.7 or 8.0

    ALTER TABLE <tablename> encryption='N';

FAQ

  • Q1: Can I still connect to my ApsaraDB for MySQL instance with tools like Navicat after enabling TDE?

    A: Yes. TDE operates transparently for authenticated connections. Database tools like Navicat connect as authorized users, so the data is automatically decrypted in memory when you access it. No changes are needed for your client tools.

  • Q2: How do I migrate data from a TDE-enabled ApsaraDB for MySQL instance to another RDS instance?

    A: You can migrate data using standard methods without any extra steps. Data migration tools connect to the source database as an authenticated user, reading the data after it has been transparently decrypted by the database engine. The migration process is the same as for an unencrypted instance.

  • Q3: Why does my data appear in plaintext when I query a TDE-encrypted table?

    A: This is the expected behavior of TDE. TDE protects data at rest (on disk), not data in use (in memory).

    1. When an authorized user queries an encrypted table, the database engine automatically decrypts the data in memory before returning the results.

    2. The actual data files on the disk and any subsequent backups remain encrypted. This prevents unauthorized access to sensitive information if someone gains access to the physical storage or backup files.

    3. Because backups are encrypted, you cannot directly restore them to a local, unencrypted environment. To create a backup that can be restored locally, you must first decrypt the data in the source database.

References

API reference

| API operation | Description |
|---|---|
| ModifyDBInstanceTDE | Modify the TDE status of an ApsaraDB RDS instance |

When you enable TDE for an RDS instance, set the TDEStatus parameter to Enabled. Configure other parameters as needed.