All Products
Search
Document Center

Tablestore:Data encryption

Last Updated:Apr 30, 2026

Tablestore supports encryption at rest to protect sensitive data stored in tables. Enable encryption when you create a table by selecting a Key Management Service (KMS)-based or Bring Your Own Key (BYOK)-based method.

How it works

All encryption keys come from Key Management Service (KMS), which provides end-to-end key management, data encryption, and secret management.

Tablestore supports two encryption methods:

  • KMS CMK-based encryption: Tablestore uses the default customer master key (CMK) to generate a service key for encrypting and decrypting data automatically. No KMS instance purchase is required.

  • Bring Your Own Key (BYOK)-based encryption: Tablestore uses a software-protected key that you create and manage in KMS. Before creating a table with this method, you must create a software-protected key in the KMS console and create a Resource Access Management (RAM) role with encryption and decryption permissions for Tablestore to assume.

Supported regions and constraints

  • Encryption can only be enabled at table creation time. It cannot be disabled after a table is created. Proceed with caution.

  • Data encryption is supported in the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Shenzhen), China (Hong Kong), Japan (Tokyo), Singapore, Indonesia (Jakarta), Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia).

Enable data encryption

Use KMS CMK-based encryption

With KMS CMK-based encryption, no KMS instance purchase is required. Turn on the Encryption switch and select CMK of KMS as the Encryption Type when creating a table.

  1. Log on to the Tablestore console.

  2. At the top of the page, select a region.

  3. On the Overview page, click the name of the instance or click Manage Instance in the Actions column.

  4. On the Instance Details tab, click Create Table.

  5. In the Create Table dialog box, configure the parameters.

    1. Enter a table name and configure the primary key.

    2. Turn on the Encryption switch and select CMK of KMS for the Encryption Type parameter. Tablestore uses the default CMK to generate a service key—no additional KMS instance is required.

      image

  6. Click Create.

To verify that encryption is enabled, click the table name and check that the Encryption field in the Description section of the Basic Information tab shows Yes-CMK of KMS.

image

Use BYOK-based encryption

BYOK-based encryption requires a key ID and a RAM role ARN before you create the table. Complete the following prerequisites first.

Prerequisites

  1. Get the key ID: Tablestore uses this key to encrypt and decrypt your data.

    1. Log on to the KMS console.

    2. Click Keys in the left navigation pane, select an existing software-protected key from the list, and copy its key ID. To create a new key, see Manage keys.

      image

  2. Get the RAM role ARN: Tablestore calls KMS by assuming a RAM role. Create a role and grant it the required permissions.

    1. Create a RAM role.

      1. Log on to the RAM console.

      2. Choose Identities > Roles. On the Roles page, click Create Role.

      3. Set Principal Type to Cloud Service and Principal Name to Tablestore / OTS. Click OK.

        image

      4. In the Create Role dialog box, enter a role name in the Role Name field, such as TablestoreBYOK, and click OK. Follow the on-screen instructions to complete verification and create the role.

    2. Create a custom policy.

      1. Log on to the RAM console.

      2. Choose Permissions > Policies. On the Policies page, click Create Policy.

      3. Select the JSON tab, enter the following policy content, and click OK.

        {
            "Version": "1",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "kms:Decrypt",
                        "kms:GenerateDataKey"
                    ],
                    "Resource": [
                        "*"
                    ]
                }
            ]
        }
      4. In the Create Policy dialog box, enter a policy name in the Policy Name field, such as TablestoreBYOKPolicy, and click OK.

    3. Attach the custom policy to the RAM role.

      1. Log on to the RAM console.

      2. Choose Identities > Roles, and click Grant Permission in the Actions column of the RAM role.

      3. In the Grant Permission panel, search for the policy name in the Policy section, select the custom policy, and click Grant permissions.

        image

    4. Copy the ARN of the RAM role.

      1. Log on to the RAM console.

      2. Choose Identities > Roles. On the Roles page, click the role name.

      3. Copy the ARN from the Basic Information section.

        image

Create an encrypted table

After you have the key ID and RAM role ARN, create a BYOK-encrypted table in the Tablestore console.

  1. Log on to the Tablestore console.

  2. At the top of the page, select a region.

  3. On the Overview page, click the instance name or click Manage Instance in the Actions column.

  4. On the Instance Details tab, click Create Table.

  5. In the Create Table dialog box, configure the parameters.

    1. Enter a table name and configure the primary key.

    2. Turn on the Encryption switch, select BYOK-based Key for the Encryption Type parameter, and enter the key ID and RAM role ARN you obtained in the prerequisites.

      image

  6. Click Create.

To verify that encryption is enabled, click the table name and check that the Encryption field in the Description section of the Basic Information tab shows Yes-BYOK-based Key.

image

Programmatic table creation

Use Tablestore SDK for Java or Tablestore SDK for Go to specify an encryption method when creating a data table programmatically.

Billing

KMS charges apply for data encryption. For pricing details, see Billing.

References