
ApsaraDB RDS: Disk encryption

Last Updated: Mar 28, 2026

Disk encryption protects all data on your RDS for SQL Server data disk using block storage-level encryption. It is free, requires no application changes, and can be enabled when you create an instance or on an existing instance.

Supported configurations

Not all instance types support disk encryption in the same way. The table below shows what each type supports.

Instance type   | Enable on new instance     | Enable on existing instance | Supported key types
Dedicated       | Yes                        | Yes                         | Service key or custom key
General-purpose | Yes                        | Yes                         | Service key or custom key
Shared          | Yes                        | No                          | Service key (Default Service CMK) only
Read-only       | No (inherits from primary) | No                          |
Serverless      | No                         | No                          |

Additional constraints:

  • Storage type must be ESSD.

  • If the primary instance has read-only instances attached, release them before enabling disk encryption. After encryption is enabled, new read-only instances inherit it automatically.

  • Disk encryption cannot be disabled once enabled.

  • After enabling disk encryption, you cannot update the minor engine version.

Billing

Disk encryption is free, including all read and write operations on encrypted disks.

Keys are managed by Key Management Service (KMS):

Key type                                            | Cost
Default Service CMK and master keys                 | Free
Software-protected keys and hardware-protected keys | Billed by KMS

Key management

Transient disconnection

Enabling disk encryption on an existing instance or changing the encryption key causes a brief outage:

Edition                                     | Downtime
High-availability Edition / Cluster Edition | ~30 seconds
Basic Edition                               | ~5 minutes

Schedule these operations during off-peak hours and make sure your application has an automatic reconnection mechanism.

Key availability

The availability of your instance depends on continuous access to its encryption key. Two situations can make the instance inaccessible:

  • Overdue KMS payments: If you use a paid key type (software-protected or hardware-protected), an overdue payment prevents the disk from being decrypted, making the entire instance unavailable. Keep your KMS account current.

  • Disabled or deleted key: Disabling or deleting a master key, software-protected key, or hardware-protected key immediately locks the RDS instance. All operations and maintenance (O&M) activities—backups, configuration changes, restarts, and high-availability (HA) switchovers—fail until the key is restored.

Default service key (Default Service CMK)

The RDS-managed service key uses the Aliyun_AES_256 specification. Key rotation is disabled by default. To enable key rotation, purchase the key rotation service from the KMS console.

Enable disk encryption for a new instance

  1. When you create an ApsaraDB RDS for SQL Server instance, set the storage type to ESSD.

  2. Select Cloud Disk Encryption, then select the target key.

Select Cloud Disk Encryption before you select the instance type. For shared instances, set the key to Default Service CMK—shared instances support service keys only. To create a custom key, see Create and enable a key.

Enable disk encryption for an existing instance

Important

This operation causes a transient disconnection. The instance is unavailable for ~30 seconds (High-availability Edition or Cluster Edition) or ~5 minutes (Basic Edition). Schedule this during off-peak hours and make sure your application reconnects automatically.

  1. Go to the Instances page. In the top navigation bar, select the region of your instance, then click the instance ID.

  2. In the left navigation pane, click Data Security.

  3. On the Data Encryption tab, click Enable Encryption.

  4. In the dialog box, select the desired key and click OK. The instance state changes to Configuration Changing.

  5. Encryption is active when the instance state returns to Running and the encryption details appear on the Data Encryption tab.

View disk encryption status and key details

  1. Go to the Instances page. Select the region, then click the instance ID.

  2. On the Basic Information page, check the disk encryption key.

If no key appears, disk encryption is not enabled. To view all keys under your account, open the KMS console. On the Keys > Default Keys tab, a Key Usage value of Service Key means the key is managed by Alibaba Cloud.

Change the encryption key

Dedicated and general-purpose instances support key changes. Shared instances cannot change keys because they support service keys only.

Important

Changing the key causes a transient disconnection (~30 seconds for High-availability Edition or Cluster Edition; ~5 minutes for Basic Edition). Schedule this during off-peak hours.

  1. Go to the Instances page. Select the region, then click the instance ID.

  2. In the left navigation pane, click Data Security.

  3. On the Data Encryption tab, click Replace Key.

  4. In the Change Encryption Key of Data Disk dialog box, select the new key and click OK.

API reference

Operation                                        | API
Enable disk encryption when creating an instance | CreateDBInstance
Enable disk encryption for an existing instance  | ModifyDBInstanceConfig
Query disk encryption status                     | DescribeDBInstanceEncryptionKey
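As an added example (not Alibaba Cloud's own code) that ties the key-availability risk described under Key management to the DescribeDBInstanceEncryptionKey operation listed above: a small audit that classifies each instance from that call's response, flagging instances whose key is disabled or scheduled for deletion and instances with no key at all. The response field names (Items.DBInstanceEncryptionKey, EncryptionKey, KeyUsage, EncryptionKeyStatus, DeleteDate), the status strings and the instance and key IDs are assumptions; the responses are constructed, not captured from a real account.

```python
"""Audit RDS disk-encryption key state from DescribeDBInstanceEncryptionKey responses.

Added example, not Alibaba Cloud's code. Field names (Items.DBInstanceEncryptionKey,
EncryptionKey, KeyUsage, EncryptionKeyStatus, DeleteDate) and status strings are
assumptions; confirm them against a live API response before relying on this.
"""

# Constructed sample responses keyed by instance ID (not captured from a real account).
SAMPLE_RESPONSES = {
    "rm-constructed-01": {"Items": {"DBInstanceEncryptionKey": [
        {"EncryptionKey": "key-constructed-a", "KeyUsage": "Service Key",
         "EncryptionKeyStatus": "Enabled"}]}},
    "rm-constructed-02": {"Items": {"DBInstanceEncryptionKey": [
        {"EncryptionKey": "key-constructed-b", "KeyUsage": "ENCRYPT/DECRYPT",
         "EncryptionKeyStatus": "Disabled"}]}},
    "rm-constructed-03": {"Items": {"DBInstanceEncryptionKey": [
        {"EncryptionKey": "key-constructed-c", "KeyUsage": "ENCRYPT/DECRYPT",
         "EncryptionKeyStatus": "PendingDeletion", "DeleteDate": "2026-04-10T00:00:00Z"}]}},
    "rm-constructed-04": {"Items": {"DBInstanceEncryptionKey": []}},
}

# A disabled or deleted key locks the instance and fails all O&M activities
# (backups, configuration changes, restarts, HA switchovers), so these are critical.
CRITICAL_STATES = {"Disabled", "PendingDeletion"}


def assess_instance(instance_id, response):
    """Classify one instance's encryption-key response as (severity, detail)."""
    keys = response.get("Items", {}).get("DBInstanceEncryptionKey") or []
    if not keys:
        # No key listed means disk encryption is not enabled on this instance.
        return "warning", f"{instance_id}: disk encryption not enabled"
    key = keys[0]
    status = key.get("EncryptionKeyStatus", "Unknown")
    key_id = key.get("EncryptionKey", "?")
    if status == "Enabled":
        managed = "service key" if key.get("KeyUsage") == "Service Key" else "custom key"
        return "ok", f"{instance_id}: encrypted with {managed} {key_id}"
    if status in CRITICAL_STATES:
        when = f" (deletion scheduled {key['DeleteDate']})" if "DeleteDate" in key else ""
        return "critical", f"{instance_id}: key {key_id} is {status}{when}; instance locked until key restored"
    return "warning", f"{instance_id}: key {key_id} in unexpected state {status}"


def audit(responses):
    """Return findings for all instances, critical items first."""
    order = {"critical": 0, "warning": 1, "ok": 2}
    findings = [assess_instance(i, r) for i, r in responses.items()]
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, detail in audit(SAMPLE_RESPONSES):
        print(f"[{severity.upper():8}] {detail}")
```

In practice, feed audit() the parsed JSON of one DescribeDBInstanceEncryptionKey call per instance and alert on any critical finding, since the page states the instance stays unusable until the key is restored.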