
ApsaraDB RDS: Configure the cloud disk encryption feature

Last Updated: Jun 24, 2024

ApsaraDB RDS for SQL Server provides the cloud disk encryption feature free of charge. You can enable this feature when you create an ApsaraDB RDS for SQL Server instance. The feature encrypts data on each data disk of your RDS instance based on block storage. Cloud disk encryption ensures the security of your data. If you enable this feature, your workloads are not affected, and you do not need to modify the code of your application.

Prerequisites

  • The cloud disk encryption feature is enabled. The cloud disk encryption feature can be enabled for your RDS instance only when you create the RDS instance. For more information, see Create an ApsaraDB RDS for SQL Server instance.

  • Your RDS instance meets the following requirements:

    • The RDS instance uses standard SSDs, Enterprise SSDs (ESSDs), or general ESSDs. Serverless RDS instances are not supported.

    • The RDS instance belongs to the general-purpose, dedicated, or shared instance family.

      • If the RDS instance belongs to the general-purpose or dedicated instance family, you can use the default service customer master key (CMK) or a user-defined CMK to enable the cloud disk encryption feature for the RDS instance.

      • If the RDS instance belongs to the shared instance family, you can use only the default service CMK to enable the cloud disk encryption feature for the RDS instance.

Billing rules

The cloud disk encryption feature is provided free of charge. You do not need to pay additional fees for the read and write operations that you perform on the encrypted disks.

Usage notes

  • If your Key Management Service (KMS) instance is overdue, the cloud disks of your RDS instance become unavailable. Make sure that your KMS instance is normal. For more information, see What is KMS?

  • If you disable or delete the KMS key that is used for cloud disk encryption, your RDS instance cannot run as expected. In this case, your RDS instance is locked and cannot be accessed. In addition, you cannot perform any O&M operations on the RDS instance. For example, you cannot perform backups, change instance specifications, clone or restart the RDS instance, perform a high-availability switchover, or modify instance parameters. To prevent these issues, we recommend that you use the default service CMK, which is a service key managed by ApsaraDB RDS.

Limits

If the cloud disk encryption feature is enabled for your RDS instance, you cannot upgrade the major engine version, update the minor engine version, migrate the RDS instance across zones, or perform cross-region backups on the RDS instance. For more information, see Upgrade the major engine version, Update the minor engine version, Migrate an ApsaraDB RDS for SQL Server instance across zones, and Use the cross-region backup feature.

Enable the cloud disk encryption feature when you create an RDS instance

  1. When you create an RDS instance, select the standard SSD, ESSD, or general ESSD storage type. For more information, see Create an ApsaraDB RDS for SQL Server instance.

  2. Select Cloud Disk Encryption and specify a key.

    Note
    • For more information about how to create a key, see Purchase and enable a KMS instance.

    • You must select Cloud Disk Encryption before you configure parameters in the Instance Type section.


View the status of the cloud disk encryption feature and the key details

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. On the Basic Information page of the RDS instance, view the key of the RDS instance that uses cloud disks.

    Note
    • If no key is displayed on the Basic Information page, the cloud disk encryption feature was not enabled when the RDS instance was created.

    • The feature can be enabled for your RDS instance only when you create the RDS instance. For more information, see Create an ApsaraDB RDS for SQL Server instance.

    • In the KMS console, you can view all keys within the current account. In the left-side navigation pane of the KMS console, click Keys. On the page that appears, click the Default Key tab and then find the key that you want to view. If the value in the Key Usage column is Service Key, the key is a service key managed by an Alibaba Cloud service. The alias of the service key managed by ApsaraDB RDS is alias/acs/rds. If you do not find the key, no service key has been created in the region. When you enable the disk encryption feature and select Default Service CMK during instance creation in the ApsaraDB RDS console, the system automatically creates the service key.

    • The key specification of the default service CMK is Aliyun_AES_256. The key rotation feature is disabled by default. If you want to enable the key rotation feature, purchase the key rotation feature in the KMS console. For more information, see Configure key rotation.

References

  • You can call the CreateDBInstance operation to enable the cloud disk encryption feature when you create an instance. For more information, see CreateDBInstance.

  • You can call the DescribeDBInstanceEncryptionKey operation to query whether the cloud disk encryption feature is enabled for an instance and the key details. For more information, see DescribeDBInstanceEncryptionKey.
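The following added example (not part of this page or of the ApsaraDB RDS SDK) shows how a defender might audit a DescribeDBInstanceEncryptionKey response offline to catch the two failure modes described above: encryption that was never enabled at creation time, and a key that is disabled, scheduled for deletion, or a user-defined CMK rather than the alias/acs/rds service key. The response field names (Items.DBInstanceEncryptionKey, KeyId, KeyStatus, DeleteDate) and all sample values are constructed assumptions, not copied from the API reference.

```python
"""Offline audit of a DescribeDBInstanceEncryptionKey response.

Constructed sample data; field names are assumptions about the
response shape, not taken from the API reference.
"""
from typing import Any

# Alias of the service key managed by ApsaraDB RDS (stated on the doc page).
RDS_SERVICE_KEY_ALIAS = "alias/acs/rds"


def audit_encryption_key(response: dict[str, Any],
                         key_aliases: dict[str, str]) -> dict[str, Any]:
    """Return a verdict on the health of the instance's disk encryption key.

    key_aliases maps KMS key IDs to the alias shown on the KMS Keys page,
    so the check can tell the default service CMK from a user-defined CMK.
    """
    keys = response.get("Items", {}).get("DBInstanceEncryptionKey", [])
    findings: list[str] = []
    if not keys:
        # No key: the feature was not enabled at creation and cannot be
        # enabled afterwards, so the only remedy is recreating the instance.
        return {"encrypted": False, "healthy": False, "service_cmk": False,
                "findings": ["cloud disk encryption not enabled; it can only "
                             "be enabled when the instance is created"]}
    key = keys[0]
    key_id = key.get("KeyId", "")
    status = key.get("KeyStatus", "")
    if status != "Enabled":
        findings.append(f"key {key_id} is {status or 'unknown'}: "
                        "instance will be locked and O&M operations blocked")
    if key.get("DeleteDate"):
        findings.append(f"key {key_id} is scheduled for deletion on "
                        f"{key['DeleteDate']}")
    service_cmk = key_aliases.get(key_id, "") == RDS_SERVICE_KEY_ALIAS
    if not service_cmk:
        findings.append(f"key {key_id} is a user-defined CMK; disabling or "
                        "deleting it locks the instance")
    return {"encrypted": True, "key_id": key_id, "service_cmk": service_cmk,
            "healthy": status == "Enabled" and not key.get("DeleteDate"),
            "findings": findings}


# Constructed sample responses (not real API output).
SAMPLE_OK = {"DBInstanceName": "rm-example1", "Items": {"DBInstanceEncryptionKey": [
    {"KeyId": "0000-service", "KeyStatus": "Enabled", "DeleteDate": ""}]}}
SAMPLE_DISABLED = {"DBInstanceName": "rm-example2", "Items": {"DBInstanceEncryptionKey": [
    {"KeyId": "1111-user", "KeyStatus": "Disabled", "DeleteDate": ""}]}}
SAMPLE_NONE = {"DBInstanceName": "rm-example3", "Items": {"DBInstanceEncryptionKey": []}}
SAMPLE_ALIASES = {"0000-service": RDS_SERVICE_KEY_ALIAS}

if __name__ == "__main__":
    for r in (SAMPLE_OK, SAMPLE_DISABLED, SAMPLE_NONE):
        print(r["DBInstanceName"], audit_encryption_key(r, SAMPLE_ALIASES))
```

Feed it the JSON returned by a real DescribeDBInstanceEncryptionKey call and a KeyId-to-alias map exported from the KMS console to run the same check against live instances.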