ApsaraDB RDS for PostgreSQL supports Transparent Data Encryption (TDE). TDE encrypts and decrypts data files in real time to protect the privacy of user data. This topic describes the terms and the encryption and decryption principles of TDE.
Description
TDE performs real-time I/O encryption and decryption of data files. The encryption is applied to data at rest at the database layer, so an attacker cannot bypass the database and read sensitive information directly from storage. TDE encrypts sensitive information in tablespaces, on-disk data, and backup data, and it transparently decrypts that data to plaintext for applications and users that have passed database authentication. Operating system users who try to read tablespace files directly, and unauthorized users who obtain backup data or on-disk data, cannot access the plaintext.
Transparent: Data is automatically encrypted when the data is written to a disk and decrypted when the data is read from the disk. The encryption and decryption processes are imperceptible to users.
Data encryption: The service key that is provided by Key Management Service (KMS) or the custom key that you upload to KMS is used to encrypt data files.
The key that is used for TDE is created and managed by KMS. ApsaraDB RDS does not provide the keys or certificates that are required for encryption.
ApsaraDB RDS for PostgreSQL supports keys of the Aliyun_AES_256 and Aliyun_SM4 types.
Benefits
The TDE feature provides the following benefits:
Table-level encryption and index-level encryption: You can enable TDE for tables and indexes.
Encryption and decryption of multiple objects at a time: You can use TDE to encrypt and decrypt all indexes in a table at a time. You can also use TDE to encrypt and decrypt all tables in a database.
Low performance loss: If TDE is enabled, the performance is slightly affected. In normal business scenarios, the performance loss of encrypted tables is approximately 4%.
Principle
Terms
Key encryption key (KEK): The key that encrypts data encryption keys (DEKs). The KEK is either the service key of KMS or a customer master key (CMK) that you specify.
DEK: A key that the database generates to encrypt and decrypt data.
Process
All encryption and decryption operations are performed in memory: data in memory is plaintext and data on disk is ciphertext, so a stolen disk does not leak data. The way the database is used does not change, which avoids compatibility issues.
When the database starts, it obtains the KEK from KMS and uses it to decrypt the DEK. The decrypted DEK is kept in memory and is used to encrypt data as it is written and to decrypt data as it is read.
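The key hierarchy and data path described above, as an added Go example that is not Alibaba Cloud's code: AES-256-GCM stands in for the Aliyun_AES_256 key type, a caller-supplied 32-byte key stands in for the KMS-held KEK (in production the KEK never leaves KMS), and the names WrapDEK, UnwrapDEK, WritePage, ReadPage and SamplePage are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// SamplePage is a constructed stand-in for a data page holding a sensitive column value.
const SamplePage = "constructed page: card=4111-xxxx-xxxx-1111"

// gcmFor builds AES-256-GCM for key; a 32-byte key selects AES-256 (the Aliyun_AES_256 key type).
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key, prefixing a fresh random nonce to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or any tampering fails GCM's authentication-tag check.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, fmt.Errorf("sealed blob too short: %d bytes", len(sealed))
}

// The TDE steps are the same AEAD operations under different keys: KMS wraps the DEK with the
// KEK (WrapDEK) and the database unwraps it into memory at start (UnwrapDEK); the in-memory DEK
// then encrypts each page on write (WritePage) and decrypts it on read (ReadPage).
var WrapDEK, UnwrapDEK, WritePage, ReadPage = seal, open, seal, open
```

Only the wrapped DEK and the sealed pages are ever written out; the plaintext DEK exists only in memory after UnwrapDEK, which is why a copied disk or backup without KMS access yields nothing readable.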