
ApsaraDB RDS: Data encryption

Last Updated: Apr 01, 2024

This topic describes the data encryption feature of ApsaraDB RDS.


SSL encryption

ApsaraDB RDS supports Secure Sockets Layer (SSL) for MySQL, SQL Server, and PostgreSQL. ApsaraDB RDS provides a server SSL certificate for each RDS instance. You can use the server SSL certificate of your RDS instance to verify that the database service you reach at a specific IP address and port number is provided by your RDS instance. This helps defend against man-in-the-middle attacks. ApsaraDB RDS also allows you to enable and update the server SSL certificate for your RDS instance to ensure the security and validity of each server SSL certificate.

SSL can encrypt the connection between your application and your RDS instance only after you enable server authentication for your application. SSL consumes extra CPU resources. As a result, the throughput of your RDS instance decreases, and the responses of your RDS instance slow down. The severity of the impact varies based on the number of connections that are established and the frequency of data transmission.

For more information, see Configure SSL encryption for an ApsaraDB RDS instance.
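The server authentication requirement above can be checked on the client side. The following added example (not Alibaba Cloud code) audits PostgreSQL connection strings by their libpq `sslmode` parameter and reports which ones do not authenticate the server. The host names, CA file paths, and sample strings are constructed placeholders.

```python
import shlex
from urllib.parse import urlsplit, parse_qs

# What each libpq sslmode value guarantees.
VERDICTS = {
    "disable": "plaintext",
    "allow": "plaintext-possible",           # TLS only if the server insists
    "prefer": "plaintext-possible",          # falls back to plaintext if TLS fails
    "require": "encrypted-unauthenticated",  # TLS, but no verification is promised
    "verify-ca": "authenticated",            # chain must lead to the root CA file
    "verify-full": "authenticated",          # verify-ca plus host name match
}

def parse_dsn(dsn):
    """Parse a libpq connection URI or keyword/value string into a dict."""
    if dsn.startswith(("postgresql://", "postgres://")):
        url = urlsplit(dsn)
        params = {k: v[-1] for k, v in parse_qs(url.query).items()}
        params.setdefault("host", url.hostname or "")
        return params
    # shlex strips the single quotes libpq allows around values
    return dict(t.split("=", 1) for t in shlex.split(dsn) if "=" in t)

def audit_dsn(dsn):
    """Return (verdict, detail) for one connection string."""
    p = parse_dsn(dsn)
    mode = p.get("sslmode", "prefer")  # libpq's default when sslmode is omitted
    verdict = VERDICTS.get(mode)
    if verdict is None:
        return "invalid", f"unknown sslmode {mode!r}"
    if verdict != "authenticated":
        return verdict, f"sslmode={mode} does not verify the server certificate"
    ca = p.get("sslrootcert", "libpq default root.crt")
    scope = "CA chain and host name" if mode == "verify-full" else "CA chain only"
    return verdict, f"{scope} checked against {ca}"

# Constructed sample connection strings; host and CA paths are placeholders.
SAMPLES = {
    "reporting": "host=db.example.internal port=5432 dbname=app sslmode=require",
    "legacy": "postgresql://app@db.example.internal:5432/app",
    "billing": "host=db.example.internal dbname=app sslmode=verify-full "
               "sslrootcert='/etc/ssl/rds ca/ca.pem'",
    "etl": "postgres://etl@db.example.internal/app"
           "?sslmode=verify-ca&sslrootcert=/etc/ssl/rds-ca.pem",
}

def weak_connections(samples=SAMPLES):
    """Names of connection strings that do not authenticate the server."""
    return sorted(n for n, d in samples.items() if audit_dsn(d)[0] != "authenticated")

if __name__ == "__main__":
    for name, dsn in SAMPLES.items():
        print(name, *audit_dsn(dsn))
```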


TDE

ApsaraDB RDS provides Transparent Data Encryption (TDE) for MySQL, PostgreSQL, and SQL Server. TDE for MySQL and PostgreSQL is independently developed by Alibaba Cloud. TDE for SQL Server is developed based on SQL Server Enterprise Edition.

After TDE is enabled for your RDS instance, you can specify the database or table that you want to encrypt. The data of the specified database or table is encrypted before it is written to a device, such as a disk, an SSD, or a Peripheral Component Interconnect Express (PCIe) card, or to a service, such as Object Storage Service (OSS). This way, all data files and backup files of the specified database or table are stored in ciphertext in your RDS instance.

TDE uses the Advanced Encryption Standard (AES) algorithm. The key for TDE is encrypted and stored by Key Management Service (KMS). Your RDS instance reads the key only once when you start or migrate the instance. You can replace the key in the KMS console.

For more information, see Set TDE for an RDS MySQL instance and TDE test report.

Cloud disk encryption

ApsaraDB RDS provides the cloud disk encryption feature free of charge for RDS instances that use cloud disks. After you enable this feature for your RDS instance, all data on the disk is encrypted at the block storage layer. This way, your data cannot be deciphered even if it is leaked. This feature does not interrupt your workloads, and you do not need to modify your application to use it.

For more information, see Configure the disk encryption feature for an ApsaraDB RDS for MySQL instance.

Always-confidential database

The always-confidential feature is provided by ApsaraDB RDS for PostgreSQL to ensure data security. If you enable and use the always-confidential feature for an ApsaraDB RDS for PostgreSQL instance, you can encrypt sensitive data columns in tables. This way, the sensitive data is transmitted, computed, and stored in ciphertext.

The implementation of the always-confidential feature varies based on the following instance types of ApsaraDB RDS:

  • Intel SGX-based security-enhanced instance type: The always-confidential feature protects data based on the trusted execution environment (TEE) that is provided by Intel SGX. In this case, you can perform all database operations on ciphertext data. If your RDS instance uses the Intel SGX-based security-enhanced instance type, you can compare and compute ciphertext data in the TEE. For more information about instance types, see Instance types for primary ApsaraDB RDS for PostgreSQL instances.

  • Instance types other than the Intel SGX-based security-enhanced instance type: The always-confidential feature protects data by using cryptography techniques. In this case, you can perform a few types of database operations.