
ApsaraDB RDS: Configure Transparent Data Encryption (TDE)

Last Updated:Mar 11, 2026

To meet security and compliance requirements for data-at-rest encryption, use Transparent Data Encryption (TDE) to encrypt and decrypt data files in real time. TDE performs data-at-rest encryption at the database layer, preventing attackers from bypassing the database to read sensitive information directly from storage. This significantly improves the security of sensitive data in your database.

Background information

Introduction: TDE performs data-at-rest encryption at the database layer, preventing potential attackers from reading sensitive information directly from storage by bypassing the database. After you enable TDE, data is encrypted before it is written to disk and decrypted when it is read into memory. Applications and users authenticated by the database can continue to access application data transparently (without changing application code or configuration). OS users attempting to read sensitive data from tablespace files and unknown users trying to access disk or backup data cannot view plaintext data.

Keys: Key Management Service (KMS) generates and manages the keys used for TDE encryption. RDS does not provide the keys or certificates required for encryption. Use a key automatically generated by Alibaba Cloud or authorize RDS to use your own custom key.

Encryption algorithms: After you enable TDE, the supported encryption algorithms vary by database version, as shown in the following table.

Database version   Supported encryption algorithms   Modify the encryption algorithm
MySQL 5.6          AES_128_ECB                       Modification is not supported.
MySQL 5.7, 8.0     AES_256_CBC (default), SM4_CTR    Modify the algorithm using the innodb_encrypt_algorithm parameter.

Important

Modifying the innodb_encrypt_algorithm parameter is high-risk. It affects the encryption and decryption algorithm for all encrypted data in the instance, including encrypted tables and logs. If this parameter differs from the actual encryption algorithm used for the data, parsing will fail. The innodb_encrypt_algorithm parameter is not visible in the console. To modify it, submit a ticket.

Applicability

  • To use TDE, your instance must meet the following conditions:

    • Database version: MySQL 8.0, 5.7, or 5.6 with a minor engine version of 20191015 or later.

    • Edition: High-availability Edition or Cluster Edition.

Usage notes

  • After TDE is enabled, it cannot be disabled, the key cannot be changed, and CPU usage will increase significantly.

  • Instance switchover: Enabling TDE restarts the instance, which causes a switchover. The instance is typically unavailable for about 15 seconds. Perform this operation during off-peak hours and ensure your application has an automatic reconnection mechanism.

  • No code changes required: Enabling TDE does not increase data file size. Your application can use TDE without modifying code or configuration.

  • Data restoration limitations: After TDE is enabled, cross-region restoration is not supported. To restore data locally, first decrypt the data.

  • Configuration change limitations: After TDE is enabled, you cannot change the edition from High-availability Edition to Cluster Edition.

  • Custom key limitations: When using an existing custom key, note the following:

    • Custom keys must be symmetric keys. Asymmetric keys are not supported.

    • If the KMS instance becomes unavailable (expires or is deleted), the key is disabled, a key deletion schedule is set, or the key material is deleted, the key becomes unusable. This makes data on your RDS instance unrecoverable.

    • If you revoke the authorization and then restart the RDS instance, the instance becomes unavailable.

  • Minor engine version upgrade: To ensure instance stability, upgrade the minor engine version of your primary instance and any read-only instances to the latest version.

Enable Transparent Data Encryption (TDE)

You can enable TDE using a key automatically generated by Alibaba Cloud or a custom key that you authorize RDS to use. Use your Alibaba Cloud account or an account with the AliyunSTSAssumeRoleAccess permission to enable TDE.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the navigation pane on the left, click Data Security and select the TDE tab.

  3. In the TDE Settings > TDE Status

  4. Select a key type:

    • Use Automatically Generated Key: This option uses a service key from KMS.

    • Use Existing Custom Key: Select an existing custom key (only symmetric keys are supported).

      Note

      If no key is available, click Go to Create to create a key and import your own key material in the Key Management Service console. When creating the key, set Key Type to Symmetric Key.

  5. Click OK to enable TDE.

Encrypt and decrypt data with TDE

Encrypt data

Log on to your database and run the following command to encrypt a table.

Note

After you enable TDE, existing tables are not automatically encrypted. Manually run the following command to encrypt each table.

  • MySQL 5.6

    ALTER TABLE <tablename> engine=innodb,block_format=encrypted;

  • MySQL 5.7 or 8.0

    ALTER TABLE <tablename> encryption='Y';
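Because existing tables stay in plaintext until each one is altered, a practitioner usually wants an audit of which InnoDB tables are still unencrypted and the matching statement for the engine version. The following is an added example, not code from the ApsaraDB RDS documentation; the information_schema query, the row shape and the 5.6 block_format marker are assumptions.

```python
# Added audit example, not from the ApsaraDB RDS documentation: list InnoDB
# tables still stored in plaintext after TDE is enabled and emit the page's
# per-version ALTER TABLE statement. Query and row shape are assumptions.
from typing import Iterable, List, Tuple

# Run against the instance; each row is (schema, table, engine, create_options).
AUDIT_QUERY = """
SELECT TABLE_SCHEMA, TABLE_NAME, ENGINE, CREATE_OPTIONS
FROM information_schema.TABLES
WHERE TABLE_SCHEMA NOT IN ('mysql', 'information_schema', 'performance_schema', 'sys')
"""

# MySQL 5.7/8.0 record an encrypted table as ENCRYPTION="Y" in CREATE_OPTIONS;
# the block_format marker for 5.6 is an assumption about the AliSQL build.
ENCRYPTED_MARKERS = ('encryption="y"', 'block_format=encrypted')

def is_encrypted(create_options: str) -> bool:
    opts = create_options.lower()
    return any(marker in opts for marker in ENCRYPTED_MARKERS)

def quote_ident(name: str) -> str:
    # Backtick-quote an identifier, escaping embedded backticks.
    return "`" + name.replace("`", "``") + "`"

def encrypt_statement(schema: str, table: str, version: str) -> str:
    # Syntax follows the page: 5.6 uses block_format, 5.7/8.0 use encryption='Y'.
    target = f"{quote_ident(schema)}.{quote_ident(table)}"
    if version.startswith("5.6"):
        return f"ALTER TABLE {target} engine=innodb,block_format=encrypted;"
    if version.startswith(("5.7", "8.0")):
        return f"ALTER TABLE {target} encryption='Y';"
    raise ValueError(f"TDE on RDS supports MySQL 5.6/5.7/8.0, got {version}")

def plan_encryption(rows: Iterable[Tuple[str, str, str, str]], version: str) -> List[str]:
    # Statements for InnoDB tables that are still plaintext. Non-InnoDB
    # tables are skipped so the 5.6 form does not silently convert engines.
    plan = []
    for schema, table, engine, create_options in rows:
        if (engine or "").upper() != "INNODB" or is_encrypted(create_options or ""):
            continue
        plan.append(encrypt_statement(schema, table, version))
    return plan

# Constructed sample rows standing in for the result of AUDIT_QUERY.
SAMPLE_ROWS = [
    ("app", "customers", "InnoDB", ""),
    ("app", "orders", "InnoDB", 'ENCRYPTION="Y"'),
    ("app", "audit_log", "MyISAM", ""),
    ("app", "weird`name", "InnoDB", "row_format=DYNAMIC"),
]
```

Feed the real query result into plan_encryption and review the generated statements before running them, since each ALTER rebuilds the table.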

Decrypt data

You can decrypt the data by logging on to the database and running the following command.

  • MySQL 5.6

    ALTER TABLE <tablename> engine=innodb,block_format=default;

  • MySQL 5.7 or 8.0

    ALTER TABLE <tablename> encryption='N';

FAQ

  • Q1: Can I still use common database tools such as Navicat after enabling TDE?

    A: Yes. You can use these tools normally.

  • Q2: Can I migrate data to another RDS instance after enabling TDE?

    A: Yes. You can migrate data normally.

  • Q3: Why does my data appear in plaintext after encryption?

    A: When you query data, it is decrypted and loaded into memory, so it appears in plaintext. TDE prevents data breaches caused by backup leaks because backup files are encrypted and cannot be restored locally. To restore data locally, first decrypt the data.

References

Related API

API                   Description
ModifyDBInstanceTDE   Modifies the TDE status of an ApsaraDB RDS instance.

To enable TDE for an RDS instance, set the TDEStatus parameter to Enabled. Configure other parameters as needed.