Cloud disk encryption protects data at rest on your ApsaraDB RDS for PostgreSQL instance — at no extra cost, with no changes to your application.
When you enable cloud disk encryption, all data written to the encrypted cloud disk is automatically encrypted. Snapshots of the disk are encrypted using the same key, and any new instance created from an encrypted snapshot also has encryption enabled automatically.
## Prerequisites
Before you begin, make sure that:
- Your RDS instance runs RDS Basic Edition, RDS High-availability Edition, or RDS Cluster Edition, and uses Enterprise SSDs (ESSDs) or Premium ESSDs.
- Key Management Service (KMS) is activated. See Purchase and enable a KMS instance.
Cloud disk encryption is not supported for serverless RDS instances.
## Choose a key type
Before enabling encryption, decide which key type to use. The key type available to you depends on your instance type.
| Instance type | Supported key types |
|---|---|
| General-purpose | Service key (managed by ApsaraDB RDS) only |
| Dedicated | Service key or customer master key (CMK) |
### Service key (recommended)
The service key is automatically generated by Alibaba Cloud and managed by ApsaraDB RDS. Its alias in KMS is alias/acs/rds, and the key specification is Aliyun_AES_256. Key rotation is disabled by default. To enable it, purchase the key rotation feature in the KMS console. See Configure key rotation.
### Customer master key (CMK)
A CMK is a key you create and manage in KMS. Only dedicated instances support CMK-based encryption.
If you disable or delete the KMS key used for encryption, your RDS instance is locked immediately and cannot be accessed. You also cannot perform any O&M operations — including backups, specification changes, cloning, restarts, high-availability switchovers, or parameter modifications. To avoid this risk, use the service key.
## Enable cloud disk encryption
### Enable encryption for a new instance
During instance creation, next to Storage Type, select Cloud Disk Encryption, then choose a key. The default selection is Default Service CMK. When you select Default Service CMK, the system automatically creates a service key.
For the full creation procedure, see Create an ApsaraDB RDS for PostgreSQL instance.
### Enable encryption for an existing instance
1. Go to the Instances page. In the top navigation bar, select the region where your instance resides, then click the instance ID.
2. In the left navigation pane, click Data Security.
3. On the Data Encryption tab, click Enable Encryption.
4. In the dialog box, select a key and click OK. We recommend that you select Use Automatically Generated Key, which specifies the service key automatically generated by Alibaba Cloud and managed by ApsaraDB RDS.
The instance restarts, and a transient connection interruption occurs. After the instance status changes to Running, encryption is enabled.
Make sure your application is configured to automatically reconnect to the instance.
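The restart that enabling encryption triggers drops every open connection for a short window. The wrapper below is an added example (not code from the ApsaraDB RDS documentation) of the reconnect behaviour the step above asks for: it retries the driver's connect call with capped exponential backoff until the instance is back in the Running state. It is driver-agnostic; with psycopg2 you would pass `psycopg2.connect` and `(psycopg2.OperationalError,)`. `FakeRestartingServer` and `TransientConnectionError` are constructed stand-ins so the example runs offline.

```python
"""Reconnect-with-backoff wrapper for the transient disconnect an RDS restart causes.
Added example; not part of the ApsaraDB RDS documentation or SDK."""
import time
from typing import Callable, List, Tuple, Type


class TransientConnectionError(Exception):
    """Stand-in for a driver's connection-level error (e.g. psycopg2.OperationalError)."""


def connect_with_retry(connect: Callable[[], object],
                       retry_on: Tuple[Type[BaseException], ...],
                       max_attempts: int = 10,
                       base_delay: float = 0.5,
                       max_delay: float = 30.0,
                       sleep: Callable[[float], None] = time.sleep):
    """Call `connect` until it succeeds or `max_attempts` is exhausted.

    Returns (connection, attempts_used). The wait doubles after each failed
    attempt and is capped at `max_delay`; `sleep` is injectable for testing.
    Only exceptions listed in `retry_on` are retried; anything else (bad
    credentials, SQL errors) propagates immediately so a real fault is not
    masked as a restart.
    """
    delay = base_delay
    last_exc = None
    for attempt in range(1, max_attempts + 1):
        try:
            return connect(), attempt
        except retry_on as exc:
            last_exc = exc
            if attempt == max_attempts:
                break
            sleep(delay)
            delay = min(delay * 2, max_delay)
    raise ConnectionError(f"gave up after {max_attempts} attempts") from last_exc


class FakeRestartingServer:
    """Constructed stand-in: refuses the first `failures` connection attempts,
    mimicking the window during which the instance is restarting."""

    def __init__(self, failures: int):
        self.failures = failures
        self.attempts = 0

    def connect(self):
        self.attempts += 1
        if self.attempts <= self.failures:
            raise TransientConnectionError("server closed the connection unexpectedly")
        return {"status": "Running", "attempt": self.attempts}


def demo(failures: int = 3, max_attempts: int = 10):
    """Connect through the fake server, recording backoff delays instead of sleeping.
    Returns (connection, attempts_used, delays_waited)."""
    delays: List[float] = []
    server = FakeRestartingServer(failures)
    conn, attempts = connect_with_retry(server.connect, (TransientConnectionError,),
                                        max_attempts=max_attempts, sleep=delays.append)
    return conn, attempts, delays


if __name__ == "__main__":
    conn, attempts, delays = demo()
    print(f"connected after {attempts} attempts; waited {delays}")
```

Reconnecting restores the session, not the work in flight: any transaction open when the instance restarted was rolled back, so the statements that ran inside it must be replayed, which is only safe when they are idempotent or wrapped in a retryable unit of work.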
## Verify encryption status
After enabling encryption, confirm it is active:
1. Go to the Basic Information page of the instance, or click Data Security in the left navigation pane and open the Data Encryption tab.
2. Check that the encryption key is displayed.
To view all KMS keys in the current account, open the KMS console, click Keys in the left navigation pane, and select the Default Key tab. Keys with Service Key in the Key Usage column are managed by Alibaba Cloud services.
## Change the encryption key
1. Go to the Instances page. Select the region and click the instance ID.
2. In the left navigation pane, click Data Security.
3. On the Data Encryption tab, click Replace Key.
4. In the dialog box, select a new key and click OK.
The instance restarts, and a transient connection interruption occurs.
## Disable cloud disk encryption
1. Go to the Instances page. Select the region and click the instance ID.
2. In the left navigation pane, click Data Security.
3. On the Data Encryption tab, click Replace Key.
4. In the dialog box, select Disable Key and click OK.
The instance restarts, and a transient connection interruption occurs.
## Limitations
- Cloud disk encryption is not supported for serverless RDS instances.
- General-purpose instances can only use the service key managed by ApsaraDB RDS. CMK-based encryption requires a dedicated instance.
- Enabling, disabling, or changing the encryption key always restarts the instance and causes a transient connection interruption.
- If your KMS instance becomes overdue, the cloud disks cannot be decrypted. Keep your KMS instance in a normal state.
- Encryption and decryption are transparent — read/write operations on encrypted disks are not charged separately.
- Snapshots of an encrypted instance are automatically encrypted with the same key.
- When you create an instance from an encrypted snapshot using cloud disks, cloud disk encryption is automatically enabled on the new instance.
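The prerequisites, the key-type table, the CMK lock warning and the limitations above together form a checklist that is worth running before the restart is scheduled. The following is an added example (not Alibaba Cloud's code) of that checklist as a pre-flight gate over instance and key metadata. The records are plain dicts constructed here; their field names (`edition`, `storage_type`, `category`, `serverless`, `alias`, `state`) are assumptions for the example, not the RDS or KMS API's own response fields. The service key alias `alias/acs/rds` is the one named on this page.

```python
"""Pre-flight checks for enabling cloud disk encryption on an RDS for PostgreSQL instance.
Added example; encodes the rules stated on this page, not an Alibaba Cloud API."""
from typing import Dict, List

# Editions and storage types this page lists as supported.
SUPPORTED_EDITIONS = {"Basic", "HighAvailability", "Cluster"}
SUPPORTED_STORAGE = {"ESSD", "PremiumESSD"}
# KMS alias of the RDS service key, as given on this page.
SERVICE_KEY_ALIAS = "alias/acs/rds"


def check_encryption_plan(instance: Dict, key: Dict, kms_overdue: bool = False) -> List[str]:
    """Return blocking findings for encrypting `instance` with `key`; empty means go."""
    findings: List[str] = []
    if instance.get("serverless"):
        findings.append("serverless instances do not support cloud disk encryption")
    if instance["edition"] not in SUPPORTED_EDITIONS:
        findings.append(f"edition {instance['edition']} is not supported")
    if instance["storage_type"] not in SUPPORTED_STORAGE:
        findings.append(f"storage type {instance['storage_type']} is not ESSD or Premium ESSD")
    if kms_overdue:
        # An overdue KMS instance means the disks can no longer be decrypted.
        findings.append("KMS instance is overdue; encrypted disks could not be decrypted")
    if key.get("alias") != SERVICE_KEY_ALIAS:
        # Anything other than the service key is a customer master key.
        if instance["category"] == "GeneralPurpose":
            findings.append("general-purpose instances can use only the RDS service key")
        if key.get("state") != "Enabled":
            # A disabled or deleted CMK locks the instance and blocks all O&M operations.
            findings.append(f"CMK state is {key.get('state')}: a disabled or deleted key locks the instance")
    return findings


# Constructed sample records (hypothetical instance IDs and key IDs).
SERVICE_KEY = {"id": "<service-key-id>", "alias": SERVICE_KEY_ALIAS, "state": "Enabled"}
CMK_ENABLED = {"id": "<cmk-id-1>", "alias": "alias/app-db", "state": "Enabled"}
CMK_DISABLED = {"id": "<cmk-id-2>", "alias": "alias/old-db", "state": "Disabled"}

INSTANCES = {
    "pg-dedicated": {"edition": "HighAvailability", "storage_type": "ESSD",
                     "category": "Dedicated", "serverless": False},
    "pg-general": {"edition": "Basic", "storage_type": "PremiumESSD",
                   "category": "GeneralPurpose", "serverless": False},
    "pg-serverless": {"edition": "Basic", "storage_type": "ESSD",
                      "category": "GeneralPurpose", "serverless": True},
}


def run_checks() -> Dict[str, List[str]]:
    """Evaluate a few plans and return findings keyed by a plan label."""
    return {
        "dedicated+cmk": check_encryption_plan(INSTANCES["pg-dedicated"], CMK_ENABLED),
        "dedicated+disabled-cmk": check_encryption_plan(INSTANCES["pg-dedicated"], CMK_DISABLED),
        "general+cmk": check_encryption_plan(INSTANCES["pg-general"], CMK_ENABLED),
        "general+service-key": check_encryption_plan(INSTANCES["pg-general"], SERVICE_KEY),
        "serverless": check_encryption_plan(INSTANCES["pg-serverless"], SERVICE_KEY),
        "kms-overdue": check_encryption_plan(INSTANCES["pg-dedicated"], SERVICE_KEY, kms_overdue=True),
    }


if __name__ == "__main__":
    for label, findings in run_checks().items():
        print(label, "OK" if not findings else findings)
```

Wire the inputs to real metadata (instance attributes and the KMS key's state) from whatever inventory you already export, and run the gate as part of the change ticket; the CMK state check in particular is the one that turns the "instance locked" failure mode into a pre-change finding rather than an incident.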
## API reference
Call ModifyDBInstanceConfig to enable, replace, or disable cloud disk encryption programmatically.