
ApsaraDB RDS: Enable the fully encrypted database feature

Last Updated: Dec 27, 2023

The fully encrypted database feature is integrated with ApsaraDB RDS for PostgreSQL by default. However, you must complete some configurations before you use the feature. This topic describes how to enable the fully encrypted database feature.

Procedure

  1. Create an ApsaraDB RDS for PostgreSQL instance that uses an instance type that supports the fully encrypted database feature. For more information, see Create an ApsaraDB RDS for PostgreSQL instance and Instance types for primary ApsaraDB RDS for PostgreSQL instances. The instance type determines which edition of the fully encrypted database feature the RDS instance provides:

    • Fully encrypted database (hardware-enhanced edition): RDS instances that use Intel SGX-based security-enhanced instance types

      Intel SGX-based security-enhanced instance types

      The following table describes the regions in which Intel SGX-based security-enhanced instance types are available for purchase.

      | Region | Zone |
      | --- | --- |
      | China (Hangzhou) | Beijing Zone K |
      | China (Shanghai) | Shanghai Zone B and Shanghai Zone L |
      | China (Beijing) | Beijing Zone I and Beijing Zone K |
      | China (Hong Kong) | Hong Kong Zone B and Hong Kong Zone D |

      | Instance type | Number of CPU cores and memory capacity | Encrypted memory | Maximum number of connections |
      | --- | --- | --- | --- |
      | pg.x4t.medium.2c | 2 cores, 8 GB | 4 GB | 400 |
      | pg.x4t.large.2c | 4 cores, 16 GB | 8 GB | 800 |
      | pg.x4t.xlarge.2c | 8 cores, 32 GB | 16 GB | 1,600 |
      | pg.x4t.2xlarge.2c | 16 cores, 64 GB | 32 GB | 3,200 |
      | pg.x4t.4xlarge.2c | 32 cores, 128 GB | 64 GB | 6,400 |

      The following values apply to all instance types in the table:

      • Edition: RDS High-availability Edition

      • Instance family: Intel SGX-based security-enhanced instance type

      • Maximum IOPS: For more information, see Primary ApsaraDB RDS instance types.

      • Storage capacity: PL1 ESSD: 20 GB to 32,000 GB; PL2 ESSD: 500 GB to 32,000 GB; PL3 ESSD: 1,500 GB to 32,000 GB

    • Fully encrypted database (basic edition): RDS instances that use other instance types

      Note
      • The minor engine version of the RDS instance must be 20230830 or later.

      • Serverless RDS instances are not supported.

      • Economy RDS instances are not supported.

  2. Create a privileged account that has the extension installation permissions for the RDS instance. For more information, see Create an account.

  3. Create a database on the RDS instance. For more information, see Create a database.

  4. Use the privileged account to connect to the database, and then execute the following SQL statement to install the extension that provides the fully encrypted database feature and enable the feature:

    Note

    For more information about how to connect to an RDS instance, see Connect to an ApsaraDB RDS for PostgreSQL instance.

    -- Install the EncDB extension.
    CREATE EXTENSION encdb;
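
The following is an added example, not part of the original documentation: it wraps the install step above in a pre-flight check and a post-install verification, using only standard PostgreSQL catalogs. It assumes only the extension name encdb from the statement above and makes no assumption about which objects the extension creates.

```sql
-- Added example: run in the target database as the privileged account.

-- 1. Stop early if the instance does not offer the extension at all,
--    so a failed install is not mistaken for a permissions problem.
DO $$
BEGIN
    IF NOT EXISTS (
        SELECT 1 FROM pg_available_extensions WHERE name = 'encdb'
    ) THEN
        RAISE EXCEPTION 'encdb is not listed in pg_available_extensions on this instance';
    END IF;
END
$$;

-- 2. Install the extension. IF NOT EXISTS makes the script safe to re-run.
CREATE EXTENSION IF NOT EXISTS encdb;

-- 3. Confirm the installed version, the schema it lives in, and its owner.
SELECT e.extname,
       e.extversion,
       n.nspname AS schema_name,
       r.rolname AS owner_role
FROM pg_extension e
JOIN pg_namespace n ON n.oid = e.extnamespace
JOIN pg_roles r     ON r.oid = e.extowner
WHERE e.extname = 'encdb';

-- 4. List every object (types, functions, operators, ...) that belongs to
--    the extension, as a baseline for later audits of the database.
SELECT pg_describe_object(d.classid, d.objid, d.objsubid) AS extension_object
FROM pg_depend d
JOIN pg_extension e ON e.oid = d.refobjid
WHERE d.refclassid = 'pg_extension'::regclass
  AND d.deptype = 'e'
  AND e.extname = 'encdb'
ORDER BY 1;
```

An empty result from the third query means the extension is not installed in the database you are connected to; extensions are installed per database, so repeat the script in each database that will hold sensitive data.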

What to do next

Before you use the fully encrypted database feature, you must define sensitive data based on your business requirements. For more information, see Define sensitive data.