Transparent Data Encryption (TDE) protects your RDS instance's data files at rest by encrypting and decrypting I/O in real time. Data is written to disk as ciphertext, so anyone who obtains the underlying storage or physical media cannot read it without the key.
TDE cannot be disabled after it is enabled. Choose your key type carefully before proceeding.
Background information
For more information about TDE, see Principle.
Prerequisites
Before you begin, make sure you have:
An RDS instance running PostgreSQL 10 or later
An RDS instance using cloud disks
A minor engine version of 20221030 or later — see Update the minor engine version
All attached read-only instances meeting the same requirements
An Alibaba Cloud account that has authorized ApsaraDB RDS to access Key Management Service (KMS) — see Authorize ApsaraDB RDS to access KMS
KMS activated (you can activate it when enabling TDE)
Usage notes
Make sure that the minor engine versions of the primary RDS instance and the read-only RDS instance are 20221030 or later. Otherwise, TDE cannot be enabled.
After TDE is enabled, database performance may be affected in I/O-bound workload scenarios.
If TDE is enabled for the primary RDS instance, streaming replication between the primary RDS instance and its self-managed secondary instance is not supported.
Keep KMS activated and running at all times. If KMS becomes unavailable, the cloud disks of your RDS instance cannot be decrypted and the instance becomes unavailable.
If you use a custom key, be aware of the following:
Disabling or deleting the custom key prevents the RDS instance from running as expected. The affected operations include creating snapshots, restoring data from snapshots, and rebuilding a secondary RDS instance.
Restarting the RDS instance after disabling the custom key makes the instance unavailable.
You must use an Alibaba Cloud account, or a RAM user that has the AliyunSTSAssumeRoleAccess policy attached.
For more information about KMS, see What is KMS?
Choose a key type
TDE uses a key encryption key (KEK) to protect your data encryption keys. Two key types are available:
| | Automatically generated key | Existing custom key |
|---|---|---|
| Key source | Service key provided by KMS | Customer master key (CMK) you upload to KMS |
| Use when | You want minimal operational overhead | You need to control key access for compliance or security policy reasons |
| Risk | No additional operational risk | Disabling or deleting the key makes the instance unavailable |
If you do not have a custom key, create one in the KMS console before enabling TDE — see Create a CMK.
Enable TDE
Go to the Instances page. In the top navigation bar, select the region where your RDS instance resides, then click the instance ID.
In the left-side navigation pane, click Data Security.
On the TDE tab, turn on TDE Status.
In the dialog box, select a key type and click OK:
Use Automatically Generated Key: uses the service key provided by KMS as the KEK.
Use Existing Custom Key: uses the CMK you uploaded to KMS. If you do not have a custom key, click go to the KMS console to create one and import your key material.
Replace a key
Go to the Instances page. In the top navigation bar, select the region where your RDS instance resides, then click the instance ID.
In the left-side navigation pane, click Data Security.
On the TDE tab, click Replace key to the right of TDE Status.
In the dialog box, select Use Automatically Generated Key or Use Existing Custom Key, then click OK.
Encrypt or decrypt tables and indexes
After TDE is enabled, you can control which tables and indexes are encrypted at the object level.
Encryption and decryption operations may cause performance loss. Select an appropriate encryption scope based on your workload.
Encrypt tables and indexes
Set a global default (PostgreSQL 13, 14, and 15 only)
Set the rds_default_table_encryption parameter to on in the ApsaraDB RDS console to encrypt all newly created tables and indexes by default. Changing this parameter from on back to off affects only objects created afterwards; tables and indexes that are already encrypted stay encrypted.
If the parameter is not listed in the console, update your minor engine version to the latest version and retry. See Modify the parameters of an ApsaraDB RDS for PostgreSQL instance.
Encrypt individual tables and indexes
```sql
-- Create an encrypted table
CREATE TABLE <tablename> (<column definitions>) WITH (encryption=on);
-- Encrypt an existing table
ALTER TABLE <tablename> SET (encryption=on);
-- Create an encrypted index
CREATE INDEX <indexname> ON <tablename> (<column>) WITH (encryption=on);
-- Encrypt an existing index
ALTER INDEX <indexname> SET (encryption=on);
```
The following index types support encryption: B-tree, hash, SP-GiST, GIN, GiST, and BRIN.
Decrypt tables and indexes
The following statements trigger a full table or index rewrite, similar to VACUUM FULL. Run them during off-peak hours.
```sql
-- Decrypt a table
ALTER TABLE <tablename> SET (encryption=off);
-- Decrypt an index
ALTER INDEX <indexname> SET (encryption=off);
```
View encryption status
```sql
SELECT relname, reloptions FROM pg_class WHERE relname IN ('<tablename>', '<indexname>');
```
FAQ
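The following worked example ties together the encrypt, verify and decrypt steps above, and adds the check a reviewer actually wants: a query that lists every table or index in a schema that is still unencrypted. It is added here and is not code from the ApsaraDB RDS documentation. It assumes a database on an RDS for PostgreSQL instance with TDE already enabled, that encrypted relations carry the literal option `encryption=on` in `pg_class.reloptions` (as the status query above implies), and the table, index and column names are constructed for the example.

```sql
-- Added example (not from the ApsaraDB RDS documentation). Assumes TDE is
-- enabled on the instance and that encrypted relations show "encryption=on"
-- in pg_class.reloptions. Object names are constructed for this example.

-- 0. On PostgreSQL 13, 14 and 15, confirm the instance-wide default first;
--    if it is "on", new objects are encrypted without the WITH clause.
SHOW rds_default_table_encryption;

-- 1. A table and its index created encrypted from the start.
CREATE TABLE tde_demo_customers (
    id          bigint NOT NULL,
    email       text   NOT NULL,
    card_last4  char(4)
) WITH (encryption=on);

CREATE INDEX tde_demo_customers_email_idx
    ON tde_demo_customers (email) WITH (encryption=on);

-- 2. A pre-existing plaintext table, encrypted afterwards with ALTER.
--    Expect a rewrite of the relation, so do this off-peak on large tables.
CREATE TABLE tde_demo_audit (
    id        bigserial,
    event     text,
    logged_at timestamptz DEFAULT now()
);
ALTER TABLE tde_demo_audit SET (encryption=on);

-- 3. Verify the named relations: reloptions should contain encryption=on.
SELECT c.relname, c.relkind, c.reloptions
FROM pg_class c
WHERE c.relname IN ('tde_demo_customers',
                    'tde_demo_customers_email_idx',
                    'tde_demo_audit');

-- 4. Coverage check: every table or index in the public schema that is NOT
--    encrypted. An empty result is the goal before signing off that a
--    sensitive schema is fully covered. reloptions is NULL when no options
--    are set, so the NULL from ANY() is coalesced to false.
SELECT n.nspname AS schema,
       c.relname AS relation,
       CASE c.relkind WHEN 'r' THEN 'table' WHEN 'i' THEN 'index' END AS kind
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'i')
  AND n.nspname = 'public'
  AND NOT COALESCE('encryption=on' = ANY (c.reloptions), false)
ORDER BY 1, 2;

-- 5. Revert one object to plaintext (full rewrite, like VACUUM FULL).
ALTER TABLE tde_demo_audit SET (encryption=off);
```

Run step 4 again after step 5 and `tde_demo_audit` reappears in the result, which is exactly the signal to look for when auditing a schema that was supposed to stay encrypted. Because the check reads only catalog metadata, it is cheap enough to run from a scheduled job.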
Can I still use database tools like pgAdmin after enabling TDE?
Yes. Common database tools such as pgAdmin can still be used after TDE is enabled.
Can I migrate data from my RDS instance to another instance after enabling TDE?
Yes. TDE does not block data migration between RDS instances.
My data appears as plaintext after enabling TDE — is something wrong?
No. TDE encrypts data on disk (ciphertext), but decrypts it automatically when loading data into memory for queries. What you see in query results is the decrypted plaintext — this is the intended behavior. TDE encrypts backup files as well; to restore an encrypted backup to a local machine, decrypt the backup file first.
What's next
Use the rds_tde_utils extension to encrypt and decrypt multiple objects at once
SSL encryption — encrypt connections to your RDS instance
Always-confidential database — encrypt sensitive data columns so data is transmitted, computed, and stored in ciphertext
Modify the parameters of an ApsaraDB RDS for PostgreSQL instance
API reference
| Operation | Description |
|---|---|
| ModifyDBInstanceTDE | Enables TDE for an instance |