Configure cloud disk encryption - ApsaraDB RDS - Alibaba Cloud Documentation Center

This topic describes how to configure the cloud disk encryption feature for an ApsaraDB RDS for MySQL instance that is equipped with cloud disks. The cloud disk encryption feature encrypts the data on each disk of your RDS instance by using block storage. This way, your data cannot be decrypted even if it is leaked.

For more information about how to configure the cloud disk encryption feature for RDS instances that run different database engines, see the following topics:

Configure the cloud disk encryption feature for an ApsaraDB RDS for SQL Server instance
Configure the cloud disk encryption feature for an ApsaraDB RDS for PostgreSQL instance

Prerequisites

Your RDS instance is being created. The cloud disk encryption feature cannot be enabled after your RDS instance is created. For more information, see Create an ApsaraDB RDS for MySQL instance.
The ESSD storage type is selected for your RDS instance. For more information, see Storage types.
The RDS instance runs RDS High-availability Edition or RDS Cluster Edition. For more information, see Overview of ApsaraDB RDS editions.

Billing rules

The cloud disk encryption feature is provided free of charge. You are not charged for the read and write operations that you perform on the encrypted disks.

Limits

The single-digit second backup and cross-region backup features are not supported for RDS instances for which the cloud disk encryption feature is enabled. For more information, see Use the cross-region backup feature of an ApsaraDB RDS for MySQL instance.

Usage notes

You cannot disable the cloud disk encryption feature after you enable the feature.
The cloud disk encryption feature does not interrupt your business, and you do not need to modify your application.
After you enable the cloud disk encryption feature for your RDS instance, the snapshots that are created for your RDS instance are automatically encrypted. If you use the encrypted snapshots to create an RDS instance that uses cloud disks, the cloud disk encryption feature is automatically enabled for the new RDS instance.
If your Key Management Service (KMS) is overdue, the cloud disks of your RDS instance become unavailable. Make sure that your KMS is normal. For more information, see What is KMS?
If you disable or delete the customer master key (CMK) that is used for cloud disk encryption, your RDS instance cannot run as normal. For example, you cannot create snapshots, restore data from snapshots, or rebuild the secondary RDS instance of your RDS instance.

Check whether the cloud disk encryption feature is enabled for an RDS instance

Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the Basic Information section, check whether the Key parameter can be found. If you can find the parameter, the cloud disk encryption feature is enabled for the RDS instance.

Enable the cloud disk encryption feature for an RDS instance

When you create an RDS instance, set the Edition parameter to High-availability, select the ESSD storage type, select Disk Encryption, and then configure the Key parameter. For more information, see Create an ApsaraDB RDS for MySQL instance.

Note

For more information about how to create a CMK, see Create a key.

Related operations

Operation	Description
CreateDBInstance	Creates an instance.