This topic describes how to configure transparent data encryption (TDE) for an ApsaraDB RDS for SQL Server instance. TDE is used to encrypt the data that is written to the disk and decrypt the data that is read from the disk to the memory. TDE does not increase the size of data files. You can use TDE without the need to modify your application.


  • Your RDS instance runs SQL Server 2019 SE or an Enterprise Edition of SQL Server.
  • Your RDS instance is not a read-only instance. For more information, see Create a read-only ApsaraDB RDS for SQL Server instance.
  • Key Management Service (KMS) is activated. If KMS is not activated, you can activate KMS when you enable TDE.


  • After instance-level TDE is enabled, it cannot be disabled. Database-level TDE can be enabled or disabled.
  • You must use KMS to create and manage the key that is used to encrypt data. ApsaraDB RDS does not provide the required key or certificate. After you enable TDE, you must decrypt data on your RDS instance. This applies if you want to restore the data to your computer. For more information, see the "What to do next" section of this topic.
  • After you enable TDE, the CPU utilization of your RDS instance significantly increases.


  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Data Security.
  3. On the TDE tab, turn on the switch next to TDE Status.
    Note You can enable TDE only when your RDS instance meets the requirements that are described in the "Prerequisites" section of this topic.
    Enable TDE
  4. In the TDE Settings dialog box, select databases from the Unselected Databases section, click the icon to move the selected databases to the Selected Databases section, and then click OK.
    TDE Settings dialog box

What to do next

If you no longer want to use TDE to protect a database, you can remove the database from the Selected Databases section in the TDE Settings dialog box.