ApsaraDB RDS for PostgreSQL supports the transparent data encryption (TDE) feature. You can use TDE to encrypt and decrypt data files in real time to protect the privacy of user data. This topic describes the terms, encryption principle, and decryption principle of TDE.
Feature description
TDE performs real-time I/O encryption and decryption of data files, that is, data-at-rest encryption at the database layer. This prevents attackers from bypassing the database and reading sensitive information directly from storage. Authenticated applications and users still access plaintext application data, with no changes to application code or configurations for decryption. However, operating system (OS) users who read tablespace files directly, and unauthorized users who read backup data or on-disk data, see only ciphertext and cannot access the plaintext data.
Transparent: Data is automatically encrypted when the data is written to a disk and decrypted when the data is read from the disk. The encryption and decryption processes are imperceptible to users.
Data encryption: The service key that is provided by Key Management Service (KMS) or the custom key that you upload to KMS is used to encrypt data files.
Note: The key that is used for TDE is created and managed by KMS. ApsaraDB RDS does not provide the keys or certificates that are required for encryption.
ApsaraDB RDS for PostgreSQL supports keys of the Aliyun_AES_256 and Aliyun_SM4 types.
Benefits
The TDE feature provides the following benefits:
Table-level encryption and index-level encryption: You can use TDE to encrypt and decrypt tables and indexes.
Encryption and decryption of multiple objects at a time: You can use TDE to encrypt and decrypt all indexes in a table at a time. You can also use TDE to encrypt and decrypt all tables in a database.
Low performance loss: If TDE is enabled, the performance is slightly affected. In normal business scenarios, the performance loss of encrypted tables is approximately 4%.
Principle
Terms
Key encryption key (KEK): The key that encrypts the data encryption keys (DEKs). The KEK is either the service key of KMS or a customer master key (CMK) that you upload to KMS.
DEK: A DEK is generated by a database to encrypt and decrypt data.
Process
All encryption and decryption operations are performed in memory. Data in memory is plaintext and data on disk is ciphertext, which helps prevent data leaks if the disk is stolen. You do not need to change how you use the database.
When the database starts, the KEK is obtained from KMS and used to decrypt the DEK. The decrypted DEK is kept in memory and used to encrypt data as it is written and decrypt data as it is read.
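The two-key flow above, modelled in Go as an added example; this is not ApsaraDB or PostgreSQL code. A constructed 32-byte slice stands in for the KMS-held KEK, AES-256-GCM is assumed for both the DEK wrapping and the page encryption (the page does not state the modes), and the function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func gcmFor(key []byte) cipher.AEAD { // AES-256-GCM; 32-byte key as with Aliyun_AES_256
	block, err := aes.NewCipher(key) // fails only on a bad key length
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal encrypts plaintext under key and prepends the fresh random nonce.
func seal(key, plaintext []byte) []byte {
	g := gcmFor(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error as of Go 1.24
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open splits off the nonce, then authenticates and decrypts; a wrong key fails.
func open(key, sealed []byte) ([]byte, error) {
	g := gcmFor(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// WriteEncrypted: a fresh DEK encrypts the page, the KMS-held KEK wraps the DEK.
func WriteEncrypted(kek, page []byte) (wrappedDEK, diskPage []byte) {
	dek := make([]byte, 32) // generated by the database, never stored unwrapped
	rand.Read(dek)
	return seal(kek, dek), seal(dek, page)
}

// ReadEncrypted: the KEK unwraps the DEK into memory, the DEK decrypts the page.
func ReadEncrypted(kek, wrappedDEK, diskPage []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, diskPage)
}
```

Only the wrapped DEK and the ciphertext page ever reach disk, so an attacker holding the disk without the KEK cannot recover either the DEK or the data; the block has no main and is meant to be exercised from a test.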