All Products
Search
Document Center

Tair (Redis® OSS-Compatible):Enable TDE

Last Updated:Dec 02, 2024

Tair (Redis OSS-compatible) provides the transparent data encryption (TDE) feature. This feature allows you to encrypt and decrypt Redis Database (RDB) files. You can enable TDE in the console to allow the system to encrypt and decrypt RDB files. This improves data security and compliance.

Prerequisites

  • The instance is a Tair (Enterprise Edition) DRAM-based instance.

  • The instance is deployed in classic (local disk-based) mode.

  • The minor version of the instance is 1.7.1 or later. For information about how to update the minor version, see Update the minor version of an instance.

Background information

The TDE feature of Tair (Redis OSS-compatible) encrypts RDB files before they are written to disks and decrypts RDB files when they are read from disks to the memory. TDE does not increase the sizes of RDB files. When you use TDE, you do not need to modify your client.

Impacts

You cannot disable TDE after it is enabled. You must evaluate the impacts on your business before you enable TDE. Take note of the following impacts:

Precautions

  • TDE can be enabled for an instance but not for a key or a database.

  • TDE encrypts RDB files that are written to disks, such as dump.rdb.

  • Key Management Service (KMS) generates and manages the keys used by TDE. Tair (Redis OSS-compatible) does not provide keys or certificates required for encryption. For more information about KMS, see What is Key Management Service?

  • Instances for which TDE is enabled cannot be restored from the recycle bin.

Procedure

  1. Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance is deployed. Then, find the instance and click its ID.

  2. In the left-side navigation pane, click TDE Settings.

  3. Turn on the switch next to TDE Status to enable TDE.

    Note

    If an earlier minor version is used, the switch is dimmed. For information about how to view and update the minor version of an instance, see Update the minor version of an instance.

  4. In the dialog box that appears, select Use Automatically Generated Key or Use Custom Key, and then click OK.

    Figure 2. Select a key type for enabling TDE 开启TDE选择密钥

    Note
    • The first time you enable TDE for an instance within your Alibaba Cloud account, follow the instructions on the page to assign the AliyunRdsInstanceEncryptionDefaultRole role to Tair (Redis OSS-compatible). Tair (Redis OSS-compatible) can access KMS resources only after it assumes the role.

    • For information about how to create a custom key, see Create a CMK.

    When the instance state changes from Modifying TDE to Running, TDE is enabled.

Related API operations

API operation

Description

ModifyInstanceTDE

Enables TDE for an instance. You can use automatically generated keys or existing custom keys.

DescribeInstanceTDEStatus

Queries whether TDE is enabled for an instance.

DescribeEncryptionKeyList

Queries the custom keys that are available for an instance to use TDE.

DescribeEncryptionKey

Queries the details of a custom key that is available for an instance to use TDE.

CheckCloudResourceAuthorized

Queries whether the account that is used to connect to an instance is authorized to use KMS.

FAQ

  • How do I decrypt an encrypted RDB file?

    RDB files cannot be decrypted. You can restore the file to a new instance. After the restoration is complete, the data is automatically decrypted.

  • Why is the data read by clients still displayed in plaintext?

    Only RDB files written to disks are encrypted. The data read by clients is read from memory and is not encrypted. That is why it is displayed in plaintext.