Tablestore supports encryption at rest to protect sensitive data stored in tables. Enable encryption when you create a table by selecting a Key Management Service (KMS)-based or Bring Your Own Key (BYOK)-based method.
How it works
All encryption keys come from Key Management Service (KMS), which provides end-to-end key management, data encryption, and secret management.
Tablestore supports two encryption methods:
KMS CMK-based encryption: Tablestore uses the default customer master key (CMK) to generate a service key for encrypting and decrypting data automatically. No KMS instance purchase is required.
Bring Your Own Key (BYOK)-based encryption: Tablestore uses a software-protected key that you create and manage in KMS. Before creating a table with this method, you must create a software-protected key in the KMS console and create a Resource Access Management (RAM) role with encryption and decryption permissions for Tablestore to assume.
Supported regions and constraints
Encryption can only be enabled at table creation time. It cannot be disabled after a table is created. Proceed with caution.
Data encryption is supported in the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Shenzhen), China (Hong Kong), Japan (Tokyo), Singapore, Indonesia (Jakarta), Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia).
Enable data encryption
Use KMS CMK-based encryption
With KMS CMK-based encryption, no KMS instance purchase is required. Turn on the Encryption switch and select CMK of KMS as the Encryption Type when creating a table.
Log on to the Tablestore console.
At the top of the page, select a region.
On the Overview page, click the name of the instance or click Manage Instance in the Actions column.
On the Instance Details tab, click Create Table.
-
In the Create Table dialog box, configure the parameters.
Enter a table name and configure the primary key.
-
Turn on the Encryption switch and select CMK of KMS for the Encryption Type parameter. Tablestore uses the default CMK to generate a service key—no additional KMS instance is required.

Click Create.
To verify that encryption is enabled, click the table name and check that the Encryption field in the Description section of the Basic Information tab shows Yes-CMK of KMS.

Use BYOK-based encryption
BYOK-based encryption requires a key ID and a RAM role ARN before you create the table. Complete the following prerequisites first.
Prerequisites
-
Get the key ID: Tablestore uses this key to encrypt and decrypt your data.
Log on to the KMS console.
-
Click Keys in the left navigation pane, select an existing software-protected key from the list, and copy its key ID. To create a new key, see Manage keys.

-
Get the RAM role ARN: Tablestore calls KMS by assuming a RAM role. Create a role and grant it the required permissions.
-
Create a RAM role.
Log on to the RAM console.
Choose . On the Roles page, click Create Role.
-
Set Principal Type to Cloud Service and Principal Name to Tablestore / OTS. Click OK.

In the Create Role dialog box, enter a role name in the Role Name field, such as TablestoreBYOK, and click OK. Follow the on-screen instructions to complete verification and create the role.
-
Create a custom policy.
Log on to the RAM console.
Choose . On the Policies page, click Create Policy.
-
Select the JSON tab, enter the following policy content, and click OK.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": [ "*" ] } ] } In the Create Policy dialog box, enter a policy name in the Policy Name field, such as TablestoreBYOKPolicy, and click OK.
-
Attach the custom policy to the RAM role.
Log on to the RAM console.
Choose , and click Grant Permission in the Actions column of the RAM role.
-
In the Grant Permission panel, search for the policy name in the Policy section, select the custom policy, and click Grant permissions.

-
Copy the ARN of the RAM role.
Log on to the RAM console.
Choose . On the Roles page, click the role name.
-
Copy the ARN from the Basic Information section.

-
Create an encrypted table
After you have the key ID and RAM role ARN, create a BYOK-encrypted table in the Tablestore console.
Log on to the Tablestore console.
At the top of the page, select a region.
On the Overview page, click the instance name or click Manage Instance in the Actions column.
On the Instance Details tab, click Create Table.
-
In the Create Table dialog box, configure the parameters.
Enter a table name and configure the primary key.
-
Turn on the Encryption switch, select BYOK-based Key for the Encryption Type parameter, and enter the key ID and RAM role ARN you obtained in the prerequisites.

Click Create.
To verify that encryption is enabled, click the table name and check that the Encryption field in the Description section of the Basic Information tab shows Yes-BYOK-based Key.

Programmatic table creation
Use Tablestore SDK for Java or Tablestore SDK for Go to specify an encryption method when creating a data table programmatically.
Billing
KMS charges apply for data encryption. For pricing details, see Billing.