AnalyticDB: Disk encryption

Last Updated: Sep 30, 2024

AnalyticDB for MySQL allows you to enable the disk encryption feature when you create a cluster. This feature encrypts the data on each data disk of your cluster by using Elastic Block Storage (EBS) encryption. As a result, your data cannot be decrypted even if the disk contents are leaked.

Overview

After you enable the disk encryption feature for a cluster, AnalyticDB for MySQL creates an encrypted disk, attaches the disk to an Elastic Compute Service (ECS) instance, and then encrypts the following data on the disk:

  • All data of the cluster if the cluster is in reserved mode.

  • Hot data of the cluster if the cluster is in elastic mode.

    Note

    Cold data of clusters in elastic mode is not stored on disks and cannot be encrypted.

  • Data that is transmitted between disks and clusters.

  • All snapshots that are created from the encrypted disk.

Usage notes

  • You can enable the disk encryption feature only when you create an AnalyticDB for MySQL cluster.

  • You cannot disable the disk encryption feature after the feature is enabled.

  • After you enable the disk encryption feature for a cluster in reserved mode, the snapshots generated for the cluster and the clusters created from the snapshots inherit the disk encryption feature.

  • If you enable the disk encryption feature for a cluster, the read and write performance of the cluster is reduced. In most cases, the reduction is about 10%.

  • The disk encryption feature does not require any changes to your application.

Billing rules

The disk encryption feature requires Key Management Service (KMS). When you use KMS, you are charged for key management and API calls. For more information, see Billing of KMS.

Enable the disk encryption feature

You can enable the disk encryption feature only when you create an AnalyticDB for MySQL cluster. To enable the feature, you must configure relevant parameters on the buy page.

  1. On the buy page, select Disk Encryption.

  2. The first time you enable the disk encryption feature, click Create Service-linked Role.

    Note
    • You need to click Create Service-linked Role only when you enable the disk encryption feature for the first time. If Created is displayed, you can skip this step because a service-linked role is already created.

    • The disk encryption feature requires a service-linked role for using KMS features. For more information, see Manage the service-linked role for disk encryption.

  3. Select a key from the Key drop-down list.

    Note
    • If no keys are available in the drop-down list, you must create a key. For more information, see Create a CMK.

    • The disk encryption feature of AnalyticDB for MySQL supports only the keys that are manually created. When you create a key in the KMS console, you must set the Rotation Period parameter to Disabled.

    • After you are authorized to use KMS features, ActionTrail records the operations that you perform on KMS resources. For more information, see Use ActionTrail to query KMS event logs.

After you configure parameters for the disk encryption feature, perform the subsequent steps to create the cluster. For more information, see Create a cluster.
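Because the key cannot be changed after the cluster is created, it is worth checking the selected KMS key against the requirements above (key enabled, manually created, rotation disabled) before you click Buy. The following pre-flight check is an added example and is not code from AnalyticDB for MySQL or KMS; it parses a DescribeKey-style response whose field names (KeyMetadata.KeyState, AutomaticRotation, Creator) are assumed here, and the sample response is constructed with placeholder IDs.

```python
"""Pre-flight check for a KMS key intended for AnalyticDB disk encryption.

The checks mirror the requirements on this page: the key must be enabled,
must be a manually created (customer-managed) key, and must have automatic
rotation disabled. Field names are assumed to follow the KMS DescribeKey
response (KeyMetadata.KeyState, .AutomaticRotation, .Creator); confirm them
against the KMS API reference before relying on this check.
"""
import json

# Constructed sample in the shape of an `aliyun kms DescribeKey` response.
# The key ID and account ID are placeholders, not real values. This key
# would be rejected because automatic rotation is enabled.
SAMPLE_DESCRIBE_KEY = json.dumps({
    "KeyMetadata": {
        "KeyId": "00000000-0000-0000-0000-000000000000",
        "KeyState": "Enabled",
        "AutomaticRotation": "Enabled",
        "RotationInterval": "365d",
        "Creator": "123456789012345678",
    }
})


def key_problems(describe_key_json: str) -> list:
    """Return the reasons the key is unsuitable; an empty list means it passes."""
    meta = json.loads(describe_key_json).get("KeyMetadata", {})
    problems = []
    # A disabled or pending-deletion key cannot be used to create the cluster.
    if meta.get("KeyState") != "Enabled":
        problems.append("key state is %r, expected 'Enabled'" % meta.get("KeyState"))
    # The Rotation Period must be Disabled for AnalyticDB disk encryption.
    if meta.get("AutomaticRotation", "Disabled") != "Disabled":
        problems.append("automatic rotation is %r, expected 'Disabled'"
                        % meta.get("AutomaticRotation"))
    # Only manually created keys are supported. Assumption: a key created by a
    # user carries an all-digit account ID as its creator, while a
    # service-managed default key names the creating service instead.
    creator = str(meta.get("Creator", ""))
    if not creator.isdigit():
        problems.append("key creator is %r, expected a user-created key" % creator)
    return problems


if __name__ == "__main__":
    for problem in key_problems(SAMPLE_DESCRIBE_KEY) or ["key passes all checks"]:
        print(problem)
```

Run the check against the real DescribeKey output of the key you intend to select; any reported problem means you should create or choose a different key before creating the cluster.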