ApsaraDB RDS for SQL Server offers disk encryption free of charge. You can enable it when you create an instance or, subject to the conditions in the Scope section, for an existing instance. The feature uses block storage encryption to encrypt all data on the data disk at rest, so the data cannot be read from the underlying storage without the key. Enabling disk encryption is transparent to your workload and does not require you to modify your application.
Scope
You cannot manually enable disk encryption for ApsaraDB RDS for SQL Server read-only instances or Serverless instances.
To enable disk encryption for a primary ApsaraDB RDS for SQL Server instance, you must meet the following conditions:
The storage type is ESSD.
The instance type is Dedicated, General-purpose, or Shared. For shared instance types, you can enable disk encryption only when you create the instance.
The primary instance must not have any read-only instances attached. If read-only instances are attached, you must first release the read-only instances before you can enable disk encryption. After you enable disk encryption, new read-only instances that are created for the primary instance will have disk encryption enabled by default.
After you enable disk encryption, the following limits apply:
You cannot disable disk encryption after it is enabled.
Key selection limits: Shared instances can be encrypted only with RDS-managed service keys (Default Service CMK). General-purpose and dedicated instances can be encrypted with service keys or custom keys.
Minor engine version upgrade limits: You cannot update the minor engine version after you enable disk encryption. Factor this into your patching plan before you enable the feature.
Billing
The disk encryption feature is free of charge. This includes read and write operations on encrypted disks.
The keys required for disk encryption are managed by Key Management Service (KMS). Default keys, such as service keys and master keys, are free of charge. Custom software-protected keys or hardware-protected keys are billed by KMS.
Usage notes
Transient disconnections: Changing a key or enabling disk encryption for an existing instance causes a transient disconnection. The instance is unavailable for about 30 seconds for High-availability or Cluster Edition instances, and for about 5 minutes for Basic Edition instances. We recommend that you perform these operations during off-peak hours and ensure that your application has an automatic reconnection mechanism.
Overdue KMS payments and disabled or deleted keys affect instances that have disk encryption enabled:
Effects of overdue payments for KMS: If you use a paid key type, such as a software-protected key or a hardware-protected key, an overdue KMS payment prevents the instance's disk from being decrypted, and the entire instance becomes unavailable. Renew your KMS instance on time.
Effects of disabling or deleting a key: For keys whose lifecycle you manage, such as master keys, software-protected keys, and hardware-protected keys, disabling or deleting the key locks the RDS instance that uses it and makes it inaccessible. The instance cannot run as expected, and all operations and maintenance (O&M) activities, such as backups, configuration changes, restarts, and high-availability (HA) switchovers, fail. Before you disable a key or schedule it for deletion in KMS, check that no RDS instance still uses it; the key in use is shown on the instance's Basic Information page.
The RDS-managed service key (Default Service CMK) uses the Aliyun_AES_256 specification. Automatic key rotation is disabled by default. To enable key rotation, log on to the KMS console and purchase the key rotation service.
Enable disk encryption
Enable disk encryption for a new instance
When you create an ApsaraDB RDS for SQL Server instance, set the storage type to ESSD.
Select Cloud Disk Encryption and then select the target key.
Note: For more information about how to create a custom key, see Create and enable a key.
When you create an instance, select the Cloud Disk Encryption option before you select the instance type.
To create a shared instance type with disk encryption enabled, set the Key parameter to Default Service CMK. Shared instance types can be encrypted only with service keys.
Enabling disk encryption for existing instances
Enabling disk encryption for an existing instance causes a transient disconnection. The instance is unavailable for about 30 seconds for High-availability or Cluster Edition instances, and for about 5 minutes for Basic Edition instances. We recommend that you perform this operation during off-peak hours and ensure that your application has an automatic reconnection mechanism.
Go to the Instances page. In the top navigation bar, select the region of your instance. Then, find your instance and click its ID.
In the navigation pane on the left, click Data Security.
On the Data Encryption tab, click Enable Encryption.
In the dialog box that appears, select the desired key and click OK. The instance state immediately changes to Configuration Changing.
Disk encryption is enabled when the instance state changes back to Running and the encryption information is displayed on the Data Encryption tab.

View the disk encryption status and key details
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
On the Basic Information page of the instance, view the disk encryption key.
Note: If no key is displayed on the Basic Information page, disk encryption is not enabled for the instance.
You can view all keys under your current account in the KMS console.
On the Keys > Default Keys tab, if the Key Usage is Service Key, the key is managed by an Alibaba Cloud service.
Change the key
You can change the key for an ApsaraDB RDS for SQL Server instance if disk encryption is enabled and the instance is a dedicated or general-purpose instance type. You cannot change the key for a shared instance because shared instances can use only service keys.
Changing the key causes a transient disconnection. The instance is unavailable for about 30 seconds for High-availability or Cluster Edition instances, and for about 5 minutes for Basic Edition instances. We recommend that you perform this operation during off-peak hours and ensure that your application has an automatic reconnection mechanism.
Go to the Instances page. In the top navigation bar, select the region of your instance. Then, find your instance and click its ID.
In the navigation pane on the left, click Data Security.
On the Data Encryption tab, click Replace Key.
In the Change Encryption Key of Data Disk dialog box, select the desired key and click OK.
Related API operations
Enable disk encryption when you create an instance: CreateDBInstance.
Enable disk encryption for an existing instance: ModifyDBInstanceConfig.
Query the disk encryption status of an instance: DescribeDBInstanceEncryptionKey.
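The following Python script is an added example for this page; it is not code from the Alibaba Cloud documentation, console, or SDKs. It shows how a practitioner would triage a fleet of instances against the rules on this page: the eligibility conditions from the Scope section (primary instance, ESSD storage, instance family, no attached read-only instances), the expected transient-disconnection window from Usage notes, and the key-health warnings about disabled or deleted keys and paid keys in a KMS instance. The field names are modelled on the DescribeDBInstanceAttribute and DescribeDBInstanceEncryptionKey responses (DBInstanceType, DBInstanceStorageType, Category, ReadOnlyDBInstanceIds, EncryptionKey, EncryptionKeyStatus, KMSInstanceId, DeleteDate) and are assumptions; the family and serverless inputs are hypothetical values you would derive from the instance class and billing data, and every record in the sample fleet is constructed.

```python
"""Fleet triage for ApsaraDB RDS for SQL Server disk encryption (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Instance:
    db_instance_id: str
    db_instance_type: str            # DescribeDBInstanceAttribute.DBInstanceType: "Primary" / "Readonly"
    storage_type: str                # DescribeDBInstanceAttribute.DBInstanceStorageType, e.g. "cloud_essd"
    category: str                    # DescribeDBInstanceAttribute.Category: "Basic", "HighAvailability", "AlwaysOn"
    family: str                      # hypothetical: "dedicated" | "general" | "shared" (from the instance class)
    serverless: bool = False         # hypothetical flag marking Serverless instances
    readonly_ids: List[str] = field(default_factory=list)   # attached read-only instance IDs
    key: Optional[Dict[str, str]] = None   # DescribeDBInstanceEncryptionKey item; None = not encrypted


def enable_blockers(inst: Instance) -> List[str]:
    """Reasons why Enable Encryption would be refused; an empty list means eligible."""
    reasons: List[str] = []
    if inst.db_instance_type != "Primary":
        reasons.append("only primary instances can enable disk encryption")
    if inst.serverless:
        reasons.append("serverless instances cannot enable disk encryption manually")
    if not inst.storage_type.startswith("cloud_essd"):
        reasons.append(f"storage type {inst.storage_type} is not ESSD")
    if inst.family == "shared":
        reasons.append("shared instance types can enable disk encryption only at creation")
    elif inst.family not in ("dedicated", "general"):
        reasons.append(f"unknown instance family {inst.family!r}")
    if inst.readonly_ids:
        reasons.append("release read-only instances first: " + ", ".join(inst.readonly_ids))
    return reasons


def allowed_keys(inst: Instance) -> List[str]:
    """Shared instances can use only the RDS-managed service key."""
    if inst.family == "shared":
        return ["Default Service CMK"]
    return ["Default Service CMK", "custom key"]


def unavailable_seconds(inst: Instance) -> int:
    """Expected transient-disconnection window when enabling or changing the key."""
    return 300 if inst.category == "Basic" else 30


def key_risks(key: Dict[str, str]) -> List[str]:
    """Conditions under which the instance becomes locked (page: disabled or deleted key)."""
    risks: List[str] = []
    status = key.get("EncryptionKeyStatus", "")
    if status != "Enabled":
        risks.append(f"key state is {status or 'unknown'}; the instance will be locked")
    if key.get("DeleteDate"):
        risks.append("key is scheduled for deletion on " + key["DeleteDate"])
    return risks


def paid_key(key: Dict[str, str]) -> bool:
    """Assumption: a key bound to a KMS instance is a paid software- or
    hardware-protected key, so an overdue KMS payment would block decryption."""
    return bool(key.get("KMSInstanceId"))


def triage(instances: List[Instance]) -> Dict[str, str]:
    """Map instance ID to: eligible, blocked, encrypted-ok, or encrypted-at-risk."""
    result: Dict[str, str] = {}
    for inst in instances:
        if inst.key is None:
            result[inst.db_instance_id] = "blocked" if enable_blockers(inst) else "eligible"
        else:
            result[inst.db_instance_id] = "encrypted-at-risk" if key_risks(inst.key) else "encrypted-ok"
    return result


# Constructed sample fleet; instance, key and KMS instance IDs are placeholders.
FLEET = [
    Instance("rm-sample-01", "Primary", "cloud_essd", "HighAvailability", "general"),
    Instance("rm-sample-02", "Primary", "cloud_essd", "Basic", "shared"),
    Instance("rm-sample-03", "Primary", "local_ssd", "HighAvailability", "general",
             readonly_ids=["rr-sample-03a"]),
    Instance("rm-sample-04", "Primary", "cloud_essd", "HighAvailability", "dedicated",
             key={"EncryptionKey": "key-sample-0004", "EncryptionKeyStatus": "Enabled"}),
    Instance("rm-sample-05", "Primary", "cloud_essd", "AlwaysOn", "dedicated",
             key={"EncryptionKey": "key-sample-0005", "EncryptionKeyStatus": "Disabled",
                  "KMSInstanceId": "kst-sample-0005"}),
]

if __name__ == "__main__":
    buckets = triage(FLEET)
    for inst in FLEET:
        line = f"{inst.db_instance_id}: {buckets[inst.db_instance_id]}"
        if inst.key is None:
            line += (f" (window ~{unavailable_seconds(inst)}s; keys: {', '.join(allowed_keys(inst))})"
                     + "".join(" | " + r for r in enable_blockers(inst)))
        else:
            line += ("".join(" | " + r for r in key_risks(inst.key))
                     + (" | paid key: keep KMS renewed" if paid_key(inst.key) else ""))
        print(line)
```

In practice you would fill FLEET from the API responses named under Related API operations instead of the constructed records, and run the script before a change window so that blocked instances are fixed first and at-risk keys are re-enabled before any backup, restart, or HA switchover is attempted.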