
ApsaraDB RDS:Configure TDE

Last Updated: Sep 04, 2024

This topic describes how to configure Transparent Data Encryption (TDE) for an ApsaraDB RDS for MySQL instance. TDE encrypts and decrypts data files in real time at the I/O layer, which provides data-at-rest encryption at the database layer and prevents attackers from bypassing the database to read sensitive information directly from storage. This effectively improves the security of sensitive data in databases. For more information about database encryption technologies, see Comparison of different database encryption technologies.

Background information

TDE performs data-at-rest encryption at the database layer. This prevents potential attackers from bypassing the database to read sensitive information from storage. TDE encrypts sensitive information within tablespaces, on-disk data, and backup data. TDE also automatically decrypts the information and data to plaintext for applications and users that have passed database authentication. Operating system users who attempt to read sensitive information within tablespaces, and unauthorized users who attempt to read backup data or on-disk data, cannot access the plaintext.

After TDE is enabled for your RDS instance, data is encrypted before it is written to a disk and is decrypted when it is read from a disk to the memory. The size of data files in the instance does not increase. You can use TDE without the need to modify the configurations of your application.

The key that is used for TDE is created and managed by Key Management Service (KMS). ApsaraDB RDS does not provide the key or certificates that are required for encryption. You must authorize ApsaraDB RDS to access KMS. This way, you can use an automatically generated key or a custom key.

After you enable TDE, the encryption algorithms vary based on MySQL versions. The following list describes the mappings between MySQL versions and encryption algorithms:

  • MySQL 8.0 and MySQL 5.7: The AES_256_CBC and SM4_CTR encryption algorithms are supported. You can use the innodb_encrypt_algorithm parameter to specify an encryption algorithm.

  • MySQL 5.6: Only the AES_128_ECB encryption algorithm is supported. You cannot specify an encryption algorithm.

Important

The encryption algorithm that is used to encrypt all data, such as tables and logs, of your RDS instance varies based on the value of the innodb_encrypt_algorithm parameter. If the algorithm that is used for cryptographic data operations in actual scenarios is different from the value of the innodb_encrypt_algorithm parameter, the operations fail. Exercise caution when you specify the parameter. Before you change the value of the innodb_encrypt_algorithm parameter, we recommend that you decrypt all encrypted data, change the encryption algorithm, and then re-encrypt all data.

Prerequisites

  • Your RDS instance runs one of the following MySQL versions and RDS editions:

    • MySQL 8.0 (with a minor engine version of 20191015 or later) on RDS High-availability Edition with local disks

    • MySQL 5.7 (with a minor engine version of 20191015 or later) on RDS High-availability Edition with local disks

    • MySQL 5.6

  • Your Alibaba Cloud account is used to authorize ApsaraDB RDS to access Key Management Service (KMS). For more information, see Authorize an ApsaraDB RDS for MySQL instance to access KMS.

  • Key Management Service (KMS) is activated. If KMS is not activated, you can activate KMS when you enable TDE.

Usage notes

  • We recommend that you update the minor engine version of your RDS instance to the latest version to ensure the stability of the instance. If read-only RDS instances are attached to your RDS instance, we recommend that you update the minor engine versions of your RDS instance and all the read-only RDS instances to the latest version. For more information, see Update the minor engine version.

  • When TDE is enabled, the RDS instance restarts and an instance switchover occurs. To minimize the impacts, we recommend that you plan for the restart of the RDS instance in advance. Proceed with caution. For more information about the impacts of an instance switchover, see Impacts of an instance switchover.

  • After you enable TDE, you cannot disable TDE.

  • After you enable TDE, you cannot change the key that is used for TDE.

  • After you enable TDE, you must decrypt the data on your RDS instance if you want to restore the data to an on-premises database. For more information, see the "Decrypt a table" section of this topic.

  • After you enable TDE, the CPU utilization of your RDS instance significantly increases.

  • If you use an existing custom key for TDE, take note of the following information:

    • If you disable the key, schedule the key for deletion, or delete the key material, the key becomes unavailable.

    • If your RDS instance restarts after you revoke the key, your RDS instance becomes unavailable.

    • You must use an Alibaba Cloud account or an account to which the AliyunSTSAssumeRoleAccess policy is attached.

    Note

    For more information about KMS, see What is KMS?

Use an automatically generated key to enable TDE

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the left-side navigation pane of the page that appears, click Data Security.

  3. On the TDE tab, turn on TDE Status.

  4. In the dialog box that appears, select Use Automatically Generated Key and click OK.

    Note

    The key encryption key (KEK) used by this method is the service key that is provided by KMS.

Use an existing custom key to enable TDE

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the left-side navigation pane, click Data Security.

  3. On the TDE tab, turn on TDE Status.

  4. In the dialog box that appears, select Use Existing Custom Key and click OK.

    Note

    If you do not have a custom key, click Go to the KMS console to create a custom key and import your own key material. For more information, see Create a CMK.

Encrypt a table

If you want to encrypt a table on an RDS instance, you must log on to the RDS instance and execute the following statements:

  • MySQL 5.6

    alter table <tablename> engine=innodb,block_format=encrypted;

  • MySQL 5.7 or MySQL 8.0

    alter table <tablename> encryption='Y';

Decrypt a table

If you want to decrypt a table on an RDS instance, you must log on to the RDS instance and execute the following statements:

  • MySQL 5.6

    alter table <tablename> engine=innodb,block_format=default;

  • MySQL 5.7 or MySQL 8.0

    alter table <tablename> encryption='N';
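The following is an added example that is not part of the original topic. It walks through the MySQL 5.7 / 8.0 statements from the "Encrypt a table" and "Decrypt a table" sections on a constructed sample table, checks the configured algorithm that the Important note above refers to, and adds an audit query that lists InnoDB tables that are still unencrypted. The table and column names are constructed; the assumption that the innodb_encrypt_algorithm parameter is visible through SHOW VARIABLES under the same name is mine, not something the topic states.

```sql
-- Added example (not from the original topic). Constructed table and column names.

-- 1. Check which algorithm the instance is configured to use. The topic states that
--    all data is encrypted with the algorithm named by innodb_encrypt_algorithm.
--    (Assumption: the RDS parameter is exposed as a server variable of the same name.)
SHOW VARIABLES LIKE 'innodb_encrypt_algorithm';

-- 2. Constructed sample table that holds sensitive data.
CREATE TABLE IF NOT EXISTS customer_pii (
  id        BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  email     VARCHAR(255)    NOT NULL,
  id_number VARCHAR(64)     NOT NULL
) ENGINE=InnoDB;

-- 3. Encrypt the table (MySQL 5.7 / 8.0 syntax from the topic). The statement
--    rebuilds the tablespace, so schedule it like any other ALTER on a large table.
ALTER TABLE customer_pii ENCRYPTION='Y';

-- 4. Verify: INFORMATION_SCHEMA.TABLES.CREATE_OPTIONS records ENCRYPTION="Y"
--    (5.7) or ENCRYPTION='Y' (8.0) for an encrypted table.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = 'customer_pii';

-- 5. Audit: list InnoDB tables in the current schema that are still unencrypted,
--    so that no table with sensitive data is missed after TDE is turned on.
--    The "_" wildcard matches either quote style around Y.
SELECT TABLE_SCHEMA, TABLE_NAME
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = DATABASE()
  AND ENGINE = 'InnoDB'
  AND COALESCE(CREATE_OPTIONS, '') NOT LIKE '%ENCRYPTION=_Y_%';

-- 6. Decrypt again before exporting the table to an on-premises database,
--    as the Usage notes require.
ALTER TABLE customer_pii ENCRYPTION='N';
```

Run the audit query (step 5) after enabling TDE and again after any schema change, because a table created later without ENCRYPTION='Y' stays in plaintext on disk even though TDE is enabled for the instance.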

FAQ

  • After I enable TDE, can I use common database tools such as Navicat?

    Yes, after you enable TDE, you can use common database tools such as Navicat.

  • After I enable TDE, can I migrate data from my RDS instance to a different RDS instance?

    Yes, after you enable TDE, you can migrate data from your RDS instance to a different RDS instance.

  • After I enable TDE, why is my data still in plaintext?

    After you enable TDE, your data is stored in ciphertext. However, when the data is queried, it is decrypted and then loaded in plaintext to the memory. TDE encrypts backup files to prevent data leaks. Before you restore the data of your RDS instance from an encrypted backup file to your computer, you must decrypt the file. For more information, see Decrypt a table.

References

Related operations

  Operation: ModifyDBInstanceTDE
  Description: Enables TDE for an RDS instance. To enable TDE for an RDS instance, you must set the TDEStatus parameter to Enabled and configure other parameters based on your business requirements.