To enhance the security of your data at rest, you can enable the disk encryption feature at no additional cost. This feature encrypts the entire data disk, ensuring your data cannot be decrypted even if the physical storage or backups are compromised. Enabling disk encryption requires no changes to your application code and has a minimal impact on instance performance. The snapshots created from the encrypted data are also encrypted.
Overview
How it works
Disk encryption uses the industry-standard AES-256 algorithm to encrypt the entire data disk at rest. When enabled, data is automatically encrypted before it is written to the disk and is stored as ciphertext. This makes the data unreadable even if the storage or backups are compromised. Data is automatically decrypted when read by an authorized user. This decryption process is transparent to your applications, requiring no code changes. For more details on the encryption principles, see Encrypt cloud disks.
Encryption keys
The encryption keys required for disk encryption are provided by Key Management Service (KMS). You can use several types of keys from KMS to encrypt your cloud disks, including default keys (service keys and Customer Master Keys), software-protected keys, and hardware-protected keys. The differences between these key types are outlined below:
Key type | Encryption algorithm | Cost | Creator | Key material source | Description
Default key: service key | AES_256 | Free | The corresponding Alibaba Cloud service | Created and managed by the corresponding Alibaba Cloud service | Cannot be deleted or disabled. Each user is limited to one service key for ApsaraDB RDS (RDS) in the same region.
Default key: Customer Master Key (CMK) | AES_256 | Free | You | Generated by KMS or imported by you | You can manage its lifecycle. Each user is limited to one CMK in the same region.
Software-protected keys and hardware-protected keys | AES_256 | Charged | You | Generated by KMS or imported by you | You can manage their lifecycles and create multiple keys.
If your business does not require key isolation between instances and you want to minimize costs, choose a default key (a service key or a CMK). These keys are free but have quantity limits. Each user is limited to one CMK and one service key for RDS in the same region.
If you need to encrypt different RDS instances with different keys or require advanced features like credentials management or digital signatures, purchase a software or hardware key instance and create the corresponding keys. For more information, see Instance selection.
Prerequisites
You cannot manually enable disk encryption for RDS for MySQL read-only instances.
To enable disk encryption for an RDS for MySQL primary instance, the instance must meet the following conditions:
The instance uses ESSDs, Premium ESSDs, or Standard SSDs.
The instance does not have read-only instances created. Otherwise, you must first release the read-only instances before you can enable disk encryption. After disk encryption is enabled for a primary instance, new read-only instances created for this primary instance will have disk encryption enabled by default.
You must use your Alibaba Cloud account to grant RDS the permissions to access KMS.
Billing
The disk encryption feature is free of charge. After enabling it, you are not charged additional fees for disk read or write operations.
The encryption keys are managed by KMS. Using default keys (service keys and CMKs) is free. KMS charges for using software-protected keys and hardware-protected keys.
Limitations
Once enabled, disk encryption cannot be disabled.
Service interruption: Enabling disk encryption for an existing instance or changing the encryption key causes a brief service interruption of about 30 seconds. Ensure your application can automatically reconnect to the instance.
Backup and recovery: After disk encryption is enabled, the instance does not support the following backup features: backup within seconds, cross-region backup, and backup download. Snapshot backups of the instance and other instances created from them are automatically encrypted.
Keys: The instance type limits the KMS keys you can choose. Overdue payments for KMS, or disabling or deleting a key, can affect encrypted instances.
Key selection: General-purpose instance types support only service keys. Dedicated instance types can use service keys or other user-managed keys.
Impact of overdue KMS payments: If you use a paid key type (such as a software-protected or hardware-protected key), overdue payments for KMS will prevent disk decryption, making the entire instance unavailable. Ensure you renew your KMS instance on time.
Impact of disabling or deleting a key: For keys with a manageable lifecycle (such as CMKs, software-protected keys, and hardware-protected keys), disabling or deleting the key will lock the associated RDS instance. The instance will become inaccessible and will not function correctly. All O&M operations (such as backups, configuration changes, restarts, and primary/secondary switchovers) will fail.
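The prerequisites and key-related limitations above are the kind of rules an operator usually wants to check across a fleet before a change window rather than one instance at a time in the console. The following is an added example, not code from the page or from Alibaba Cloud, that encodes those rules as a small audit over constructed inventory records. The RdsInstance record layout, the field names and the sample instance IDs are assumptions about what you would gather from the console or from APIs such as DescribeDBInstanceEncryptionKey; they are not an SDK type.

```python
from dataclasses import dataclass
from typing import List, Set

# Rules taken from the page: storage types that can be encrypted, the key
# families, and which of them the user can disable or delete.
ENCRYPTABLE_STORAGE = {"ESSD", "Premium ESSD", "Standard SSD"}
DEFAULT_KEY_TYPES = {"service", "cmk"}               # free, one of each per user and region
PAID_KEY_TYPES = {"software", "hardware"}            # charged by KMS
LIFECYCLE_MANAGED = {"cmk", "software", "hardware"}  # user can disable or delete these
SERVICE_KEY_ALIAS = "alias/acs/rds"                  # alias of the RDS service key


@dataclass
class RdsInstance:
    """Constructed inventory record (an assumption, not an API schema)."""
    instance_id: str
    role: str            # "primary" or "readonly"
    category: str        # "general" (general-purpose) or "dedicated"
    storage_type: str    # e.g. "ESSD", "Premium ESSD", "Standard SSD", "Local SSD"
    readonly_count: int  # read-only instances attached to this primary
    encrypted: bool
    key_type: str = ""   # "", "service", "cmk", "software" or "hardware"
    key_alias: str = ""


@dataclass
class Finding:
    instance_id: str
    level: str           # "block": cannot enable / invalid; "risk": availability risk; "info"
    message: str


def allowed_key_types(category: str) -> Set[str]:
    """General-purpose instances support only the service key; dedicated
    instances may also use user-managed keys."""
    if category == "general":
        return {"service"}
    return DEFAULT_KEY_TYPES | PAID_KEY_TYPES


def enable_blockers(inst: RdsInstance) -> List[str]:
    """Reasons disk encryption cannot be enabled manually on this instance."""
    blockers = []
    if inst.role == "readonly":
        blockers.append("read-only instances cannot be encrypted manually; "
                        "enable encryption on the primary instead")
    if inst.storage_type not in ENCRYPTABLE_STORAGE:
        blockers.append(f"storage type {inst.storage_type!r} is not ESSD, "
                        "Premium ESSD or Standard SSD")
    if inst.readonly_count > 0:
        blockers.append(f"{inst.readonly_count} read-only instance(s) must be "
                        "released before enabling encryption")
    return blockers


def assess(inst: RdsInstance) -> List[Finding]:
    """Return findings for one instance: enablement blockers when it is not
    encrypted, key validity and key-lifecycle risks when it is."""
    findings: List[Finding] = []
    if not inst.encrypted:
        for reason in enable_blockers(inst):
            findings.append(Finding(inst.instance_id, "block", reason))
        if not findings:
            findings.append(Finding(inst.instance_id, "info",
                "eligible to enable; expect a ~30 s interruption and loss of backup "
                "within seconds, cross-region backup and backup download"))
        return findings

    if inst.key_type not in allowed_key_types(inst.category):
        findings.append(Finding(inst.instance_id, "block",
            f"key type {inst.key_type!r} is not allowed for a {inst.category} instance"))
    if inst.key_type == "service" and inst.key_alias != SERVICE_KEY_ALIAS:
        findings.append(Finding(inst.instance_id, "info",
            f"service key expected under {SERVICE_KEY_ALIAS}, found {inst.key_alias!r}"))
    if inst.key_type in PAID_KEY_TYPES:
        findings.append(Finding(inst.instance_id, "risk",
            "paid KMS key: an overdue KMS payment blocks decryption and takes the instance down"))
    if inst.key_type in LIFECYCLE_MANAGED:
        findings.append(Finding(inst.instance_id, "risk",
            "user-managed key: disabling or deleting it locks the instance and fails all O&M operations"))
    return findings


def audit(instances: List[RdsInstance]) -> List[Finding]:
    return [f for inst in instances for f in assess(inst)]


# Constructed sample inventory; instance IDs and aliases are placeholders.
SAMPLE_INSTANCES = [
    RdsInstance("rm-general-01", "primary", "general", "ESSD", 0, True, "service", SERVICE_KEY_ALIAS),
    RdsInstance("rm-dedicated-02", "primary", "dedicated", "Premium ESSD", 2, True, "hardware", "alias/example-hw"),
    RdsInstance("rm-local-03", "primary", "dedicated", "Local SSD", 1, False),
    RdsInstance("rm-readonly-04", "readonly", "general", "ESSD", 0, False),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INSTANCES):
        print(f"[{finding.level}] {finding.instance_id}: {finding.message}")
```

Run against your own inventory, the "risk" findings are the ones to pair with KMS monitoring (key state and billing status), since a disabled, deleted or unpaid key shows up on the RDS side only as an instance that has stopped working.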
Enable disk encryption
Enable disk encryption when creating an instance
Go to the RDS for MySQL buy page. In the top navigation bar, select the Standard Creation tab.
Select ESSD or Premium ESSD for Storage Type and then select Cloud Disk Encryption.
Select an encryption key.
To use a service key (free of charge), you can select Default Service CMK regardless of whether you have created a service key in the current region.
To use an existing CMK (free of charge), software-protected key (chargeable), or hardware-protected key (chargeable), select the key from the drop-down list. If the key does not exist, you can click create now to create a key in the KMS console.
Note: If you do not have a service key in the current region, selecting Default Service CMK automatically creates a service key with the alias alias/acs/rds.
If a service key already exists, selecting Default Service CMK does not create a new one. Instead, the existing service key with the alias alias/acs/rds is used for encryption by default. Each service has only one service key per region.
Configure other parameters as needed. After the payment is complete, go to the Instances page. Click the ID of the target instance. In the Basic Information section, check for the encryption key information. The presence of this information confirms that disk encryption is enabled.
Enable disk encryption for an existing instance
Enabling disk encryption for an existing instance causes a brief service interruption of about 30 seconds. Make sure your application can automatically reconnect to the instance.
Go to the Instances page of the RDS console. Select the region of the instance in the top navigation bar. Then, click the ID of the instance.
In the left-side navigation pane, click Data Security.
On the page that appears, click the Data Encryption tab. Then, click Enable Cloud Disk Encryption.
In the dialog box that appears, select the encryption key and click OK. The status of the instance changes to Modifying Parameters.
Wait until the instance status changes to Running and the encryption information is displayed on the Data Encryption tab.

Change the encryption key
If disk encryption is enabled for a dedicated RDS for MySQL instance, you can perform the following steps to change the key used for disk encryption. General-purpose instances can only use the service key and do not support key replacement.
Changing the encryption key causes a brief service interruption of about 30 seconds. Make sure your application can automatically reconnect to the instance.
Go to the Instances page of the RDS console. Select the region of the instance in the top navigation bar. Then, click the ID of the instance.
In the left-side navigation pane, click Data Security.
On the page that appears, click the Data Encryption tab. Then, click Replace Key.
In the Change Encryption Key of Data Disk dialog box, select the new key and click OK.
Related topics
For a comparison of Transparent Data Encryption (TDE), disk encryption, and always confidential database, see Comparison of different database encryption technologies.
Use disk encryption for other database engines:
Related API: DescribeDBInstanceEncryptionKey