ApsaraDB RDS for SQL Server provides the Cloud Disk Encryption feature free of charge. You can enable this feature when you create an instance. This feature encrypts all data on the data disk at the block level. This effectively protects your data. Enabling the Cloud Disk Encryption feature does not affect your business, nor does it require any changes to your applications.
Applicability
-
You cannot manually enable Cloud Disk Encryption for ApsaraDB RDS for SQL Server read-only instances or serverless instances.
-
To enable Cloud Disk Encryption for a primary ApsaraDB RDS for SQL Server instance, the instance must meet the following requirements:
-
The storage type is Enhanced SSD.
-
The instance type is Dedicated, General-purpose, or Shared. For shared instance types, Cloud Disk Encryption can be enabled only at creation.
-
No read-only instances are attached to the primary instance. If one or more read-only instances are attached, you must first release the read-only instances and then enable Cloud Disk Encryption. Once enabled on the primary instance, Cloud Disk Encryption is automatically applied to all new read-only instances.
-
-
After you enable Cloud Disk Encryption, the following limits apply:
-
Once Cloud Disk Encryption is enabled, it cannot be disabled.
-
Key selection limits: A shared instance can be encrypted only with an RDS-managed service key (Default Service CMK). A general-purpose or dedicated instance can be encrypted with a service key or a custom key.
-
Minor engine version upgrade limits: You cannot upgrade the minor engine version after you enable Cloud Disk Encryption.
-
Billing
-
The Cloud Disk Encryption feature is free of charge. You are not charged extra for any read or write operations on encrypted disks.
-
The keys required for Cloud Disk Encryption are managed by Key Management Service (KMS). Using default keys, including service keys and master keys, is free of charge. If you use custom software or hardware keys, you are charged by KMS.
Precautions
-
Transient disconnection: Changing a key or enabling Cloud Disk Encryption for an existing instance causes a transient disconnection. An instance is unavailable for approximately 30 seconds for the High-availability and Cluster series, or 5 minutes for the Basic series. You must perform these operations during off-peak hours and ensure that your application has an automatic reconnection mechanism.
-
Overdue payments for KMS, or disabling or deleting a key, will affect instances that have Cloud Disk Encryption enabled:
-
Effects of overdue KMS payments: If you use a paid key type, such as a software key or hardware key, an overdue payment for your KMS service will prevent the encrypted disk from being decrypted, making the entire instance unavailable. Make sure that you renew your KMS service on time.
-
Effects of disabling or deleting a key: For keys whose lifecycle you can manage, such as master keys, software keys, and hardware keys, disabling or deleting a key locks the associated RDS instance, rendering it inaccessible. The instance cannot operate correctly, and all O&M operations, such as backups, configuration changes, restarts, and high-availability (HA) switchovers, will fail.
-
-
The RDS-managed service key (Default Service CMK) uses the
Aliyun_AES_256specification. The key rotation service is disabled by default. To enable the key rotation service, purchase it in the Key Management Service console.
Enable cloud disk encryption
For new instances
-
When you create an ApsaraDB RDS for SQL Server instance, set the storage type to ESSD.
-
Select Disk Encryption and then select a key.
Note-
For more information about how to create a custom key, see Create and enable a key.
-
When you create an instance, select the Disk Encryption option before you select the instance type.
To create a shared instance with Cloud Disk Encryption enabled, you must select Default Service CMK as the key. A shared instance can be encrypted only with a service key.
-
For existing instances
Enabling Cloud Disk Encryption for an existing instance causes a transient disconnection. An instance is unavailable for approximately 30 seconds for the High-availability and Cluster series, or 5 minutes for the Basic series. You must perform this operation during off-peak hours and ensure that your application has an automatic reconnection mechanism.
-
Go to the RDS Instances page. In the top navigation bar, select a region. Then, click the ID of the target instance.
-
In the left-side navigation pane, click Data Security.
-
On the Data Encryption tab, click Enable Cloud Disk Encryption.
-
In the dialog box that appears, select a key and click OK. The instance state immediately changes to Configuration Changing.
-
The process is complete when the instance state returns to Running and the encryption information appears on the Data Encryption tab.

View encryption status and key details
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
-
On the Basic Information page of the instance, view the disk encryption key.
Note-
If no key is displayed on the Basic Information page, this means that Cloud Disk Encryption was not enabled during instance creation.
-
In the KMS console, you can view all keys under the current account.
On the Permission Management > Default Keys tab, if the Key Usage is Service Key, the key is managed by an Alibaba Cloud service.
-
Replace the key
For an instance with Cloud Disk Encryption enabled, you can replace the key if the instance type is dedicated or general-purpose. You cannot replace the key for a shared instance because it can use only a service key.
Replacing a key causes a transient disconnection. An instance is unavailable for approximately 30 seconds for the High-availability and Cluster series, or 5 minutes for the Basic series. You must perform this operation during off-peak hours and ensure that your application has an automatic reconnection mechanism.
-
Go to the RDS Instances page. In the top navigation bar, select a region. Then, click the ID of the target instance.
-
In the left-side navigation pane, click Data Security.
-
On the Data Encryption tab, click Replace Key.
-
In the Change Encryption Key of Data Disk dialog box, select a new key, and then click OK.
API reference
-
Enable Cloud Disk Encryption when you create an instance: CreateDBInstance.
-
Enable Cloud Disk Encryption for an existing instance: ModifyDBInstanceConfig.
-
Query whether Cloud Disk Encryption is enabled for an instance: DescribeDBInstanceEncryptionKey.