AnalyticDB for MySQL allows you to enable the disk encryption feature when you create a cluster. This feature encrypts the data on each data disk of your cluster at the Elastic Block Storage (EBS) layer. This way, the data remains unreadable even if the raw disk data is leaked, because it cannot be decrypted without the key.
Overview
After you enable the disk encryption feature for a cluster, AnalyticDB for MySQL creates an encrypted disk, attaches the disk to an Elastic Compute Service (ECS) instance, and then encrypts the following data on the disk:
Hot data of Data Lakehouse Edition clusters and Data Warehouse Edition clusters in elastic mode.
Note: Cold data of clusters is not stored on disks and cannot be encrypted by this feature.
All data of Data Warehouse Edition clusters in reserved mode.
Data that is transmitted between disks and clusters.
All snapshots that are created from the encrypted disk.
Usage notes
You can enable the disk encryption feature only when you create an AnalyticDB for MySQL cluster.
You cannot disable the disk encryption feature after the feature is enabled.
After you enable the disk encryption feature for a cluster in reserved mode, the snapshots generated for the cluster and the clusters created from the snapshots inherit the disk encryption feature. To check whether the disk encryption feature is enabled for a cluster, see the "Check whether the disk encryption feature is enabled" section of this topic.
If you enable the disk encryption feature for a cluster, the read and write performance of the cluster is affected. In most cases, the read and write performance is reduced by about 10%.
The disk encryption feature does not require any changes to your application.
Billing rules
The disk encryption feature requires Key Management Service (KMS). When you use KMS, you are charged for key management and API calls. For more information, see Billing of KMS.
Enable the disk encryption feature
You can enable the disk encryption feature only when you create an AnalyticDB for MySQL cluster. To use the disk encryption feature for an existing cluster that was created without the feature, create another cluster with the feature enabled and migrate the data from the existing cluster to the new cluster.
On the buy page, select Disk Encryption.
The first time you enable the disk encryption feature, click Create Service-linked Role.
Note: You need to click Create Service-linked Role only the first time you enable the disk encryption feature. If Created is displayed, a service-linked role already exists and you can skip this step.
The disk encryption feature requires a service-linked role for using KMS features. For more information, see Manage the service-linked role for disk encryption.
Select a key from the Key drop-down list.
Note: If no keys are available in the drop-down list, you must create a key. For more information, see Create a CMK.
The disk encryption feature of AnalyticDB for MySQL supports only the keys that are manually created. When you create a key in the KMS console, you must set the Rotation Period parameter to Disabled.
After you are authorized to use KMS features, ActionTrail records the operations that you perform on KMS resources. For more information, see Use ActionTrail to query KMS event logs.
After you configure parameters for the disk encryption feature, perform the subsequent steps. For more information, see Create a cluster.
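The key requirements in the steps above (a manually created key with rotation disabled) can be verified before you pick a key from the drop-down list. The following added example, which is not part of this topic or of the AnalyticDB for MySQL product, checks a KMS DescribeKey response for those requirements; the field names KeyState, AutomaticRotation and Creator, and the assumption that a service-managed key carries a service name in Creator while a manually created key carries the account ID, are assumptions to verify against the KMS documentation.

```python
import json
import re

# Constructed sample of a KMS DescribeKey response (placeholder key ID, not a real key).
# Field names are an assumption; confirm them against the KMS DescribeKey documentation.
SAMPLE_MANUAL_KEY = json.dumps({
    "KeyMetadata": {
        "KeyId": "00000000-0000-0000-0000-000000000000",
        "KeyState": "Enabled",
        "AutomaticRotation": "Disabled",
        "Creator": "123456789012345",  # account ID: key was created by a user
        "KeyUsage": "ENCRYPT/DECRYPT",
    }
})

# Constructed sample of a key that this topic says cannot be used: rotation is enabled.
SAMPLE_ROTATING_KEY = json.dumps({
    "KeyMetadata": {
        "KeyId": "11111111-1111-1111-1111-111111111111",
        "KeyState": "Enabled",
        "AutomaticRotation": "Enabled",
        "Creator": "123456789012345",
    }
})


def check_key_for_disk_encryption(describe_key_json: str) -> list:
    """Return the reasons a key is NOT usable for AnalyticDB for MySQL disk encryption.

    An empty list means the key meets the requirements described in this topic.
    """
    meta = json.loads(describe_key_json).get("KeyMetadata", {})
    problems = []
    # General KMS precondition: a disabled or pending-deletion key cannot encrypt.
    if meta.get("KeyState") != "Enabled":
        problems.append(f"key state is {meta.get('KeyState')!r}, expected 'Enabled'")
    # This topic: the Rotation Period parameter must be set to Disabled.
    if meta.get("AutomaticRotation") != "Disabled":
        problems.append("automatic rotation must be disabled for disk encryption")
    # This topic: only manually created keys are supported. Assumption: a
    # service-managed key reports the service name in Creator, a manually
    # created key reports the numeric account ID.
    creator = str(meta.get("Creator", ""))
    if not re.fullmatch(r"\d+", creator):
        problems.append(f"key creator is {creator!r}; a manually created key is required")
    return problems
```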
Check whether the disk encryption feature is enabled
Log on to the AnalyticDB for MySQL console. In the upper-left corner of the console, select a region. In the left-side navigation pane, click Clusters. On the Clusters page, click an edition tab. Find the cluster that you want to manage and click the cluster ID.
In the left-side navigation pane, choose Cluster Management > Cluster Information or click Cluster Information.
In the Configuration Information section, check whether the KMS Key ID for Disk Encryption parameter is displayed.
If the disk encryption feature is not enabled for this cluster, the KMS Key ID for Disk Encryption parameter is not displayed in the Configuration Information section.