ApsaraMQ for RocketMQ provides the disk encryption feature to ensure the security and privacy of messages stored on disks. This topic describes the disk encryption feature of ApsaraMQ for RocketMQ.
Background information
The growth of Internet technology has increased the demand for data transmission and storage, and data security has become a major concern for enterprises and individuals. Message queues are key components of distributed systems. To protect the data held in message queues, and specifically the confidentiality of messages while they are stored on disk, ApsaraMQ for RocketMQ provides the disk encryption feature. The feature is suited to fields such as social media, finance, and e-commerce.
Usage notes
Only ApsaraMQ for RocketMQ 5.x Enterprise Platinum Edition instances support the disk encryption feature.
You can enable the disk encryption feature only when you create an ApsaraMQ for RocketMQ instance.
When you create a disk encryption key in Key Management Service (KMS), you must select the region where the ApsaraMQ for RocketMQ instance resides.
After you enable the disk encryption feature for an ApsaraMQ for RocketMQ instance, you cannot disable the feature.
Important: You cannot use the disk encryption key after the corresponding KMS instance expires.
If you delete the disk encryption key or the acs:rocketmq:instance-encryption tag of the key, you cannot read or write messages on the ApsaraMQ for RocketMQ instance.
Prerequisites
A virtual private cloud (VPC) and a vSwitch are created. For more information, see Create a VPC and a vSwitch.
A security group is created. For more information, see Create a security group.
A disk encryption key is created. For more information, see Create a key.
Important: Only symmetric keys whose specification is Aliyun_AES_256 or Aliyun_SM4 and whose usage is ENCRYPT/DECRYPT are supported.
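The usage notes and prerequisites above impose several constraints on the KMS key: a symmetric Aliyun_AES_256 or Aliyun_SM4 specification, ENCRYPT/DECRYPT usage, the same region as the instance, and the acs:rocketmq:instance-encryption tag, which must not be removed later. The following preflight check, an added example that is not code from Alibaba Cloud or from this topic, encodes those constraints so they can be verified before the instance is created and re-checked periodically afterwards. The key record layout (KeySpec, KeyUsage, KeyState, Arn) and the tag layout (TagKey/TagValue) are assumptions modelled on the KMS DescribeKey and ListResourceTags responses, and the sample records are constructed with placeholder IDs.

```python
"""Preflight check for a KMS key before using it as the disk encryption key
of an ApsaraMQ for RocketMQ instance.

Added example, not code from Alibaba Cloud or this topic. The key record
layout (KeySpec, KeyUsage, KeyState, Arn) and the tag layout (TagKey/TagValue)
are assumptions modelled on the KMS DescribeKey and ListResourceTags responses;
the sample records below are constructed placeholders, not real keys.
"""

ALLOWED_SPECS = {"Aliyun_AES_256", "Aliyun_SM4"}   # stated in this topic
REQUIRED_USAGE = "ENCRYPT/DECRYPT"                 # stated in this topic
REQUIRED_TAG = "acs:rocketmq:instance-encryption"  # stated in this topic


def region_from_arn(arn: str) -> str:
    """Extract the region from a KMS key ARN.

    Assumed ARN layout: acs:kms:<region>:<account-id>:key/<key-id>
    """
    parts = arn.split(":")
    if len(parts) != 5 or parts[0] != "acs" or parts[1] != "kms":
        raise ValueError(f"unrecognised key ARN: {arn!r}")
    return parts[2]


def validate_disk_encryption_key(key_metadata: dict, tags: list, instance_region: str) -> list:
    """Return the list of reasons the key cannot serve as a disk encryption key.

    An empty list means every constraint stated in the topic is satisfied:
    symmetric spec, ENCRYPT/DECRYPT usage, enabled, same region as the
    instance, and carrying the acs:rocketmq:instance-encryption tag.
    """
    problems = []

    spec = key_metadata.get("KeySpec")
    if spec not in ALLOWED_SPECS:
        problems.append(f"KeySpec {spec!r} is not one of {sorted(ALLOWED_SPECS)}")

    usage = key_metadata.get("KeyUsage")
    if usage != REQUIRED_USAGE:
        problems.append(f"KeyUsage {usage!r} is not {REQUIRED_USAGE!r}")

    # A disabled or pending-deletion key leaves the instance unable to read
    # or write messages, so refuse anything that is not currently enabled.
    state = key_metadata.get("KeyState")
    if state != "Enabled":
        problems.append(f"KeyState is {state!r}, expected 'Enabled'")

    try:
        key_region = region_from_arn(key_metadata.get("Arn", ""))
    except ValueError as exc:
        problems.append(str(exc))
    else:
        if key_region != instance_region:
            problems.append(
                f"key is in region {key_region!r} but the instance is in {instance_region!r}"
            )

    tag_keys = {tag.get("TagKey") for tag in tags}
    if REQUIRED_TAG not in tag_keys:
        problems.append(f"key is missing the {REQUIRED_TAG!r} tag")

    return problems


# Constructed sample records (placeholder IDs and account number, not real keys).
GOOD_KEY = {
    "KeyId": "key-hzz-placeholder-0001",
    "KeySpec": "Aliyun_AES_256",
    "KeyUsage": "ENCRYPT/DECRYPT",
    "KeyState": "Enabled",
    "Arn": "acs:kms:cn-hangzhou:123456789012:key/key-hzz-placeholder-0001",
}
GOOD_TAGS = [{"TagKey": "acs:rocketmq:instance-encryption", "TagValue": "true"}]

BAD_KEY = {
    "KeyId": "key-sh-placeholder-0002",
    "KeySpec": "RSA_2048",          # asymmetric: not supported
    "KeyUsage": "SIGN/VERIFY",      # wrong usage
    "KeyState": "PendingDeletion",  # scheduled for deletion
    "Arn": "acs:kms:cn-shanghai:123456789012:key/key-sh-placeholder-0002",
}
BAD_TAGS = []                       # required tag missing


if __name__ == "__main__":
    for name, key, tags in (("GOOD_KEY", GOOD_KEY, GOOD_TAGS), ("BAD_KEY", BAD_KEY, BAD_TAGS)):
        issues = validate_disk_encryption_key(key, tags, "cn-hangzhou")
        print(name, "-> usable" if not issues else "-> rejected:")
        for issue in issues:
            print("   ", issue)
```

Run the check against the instance's intended region before clicking Buy Now, and schedule it afterwards as a drift detector: because the feature cannot be disabled once enabled, a key that later loses its tag, is disabled, or is scheduled for deletion silently turns into an outage, and catching that from the key's metadata is cheaper than discovering it from failed reads and writes.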
Procedure
Log on to the ApsaraMQ for RocketMQ console.
In the top navigation bar, select a region, such as China (Hangzhou).
On the Instances page, click Create Instance. In the Create Message Queue for Apache RocketMQ Instance panel, set the Instance Version parameter to V5.0 and configure the Billing Method parameter. Then, click OK.
Only the following types of ApsaraMQ for RocketMQ instances support the disk encryption feature:
Subscription: An upfront payment is required based on the computing specification and subscription duration (in months) that you select for an instance.
Pay-as-you-go: Fees are post-paid based on the computing specification that you select for an instance and the actual usage duration (in hours) of the instance.
On the buy page, select the specifications of the instance and click Buy Now. Then, follow the on-screen instructions to complete the payment.
The following table describes how to configure the parameters on the buy page. For information about the specifications that are displayed on the buy page, see Instance selection.
Parameter                  Example
Primary Edition            Enterprise Platinum Edition
Sub-category Edition       Cluster High-availability Edition (Recommended for Production Environments)
Computing Specification    rmq.s2.2xlarge
VPC ID                     vpc-bp1cg09dua6sgh0****** (the ID of the VPC that you created in the "Prerequisites" section of this topic)
VSwitch ID                 vsw-bp1vqb0p9nz3irz****** (the ID of the vSwitch that you created in the "Prerequisites" section of this topic)
Internet Access            Disable
Resource Group             Default resource group (selected in this example)
Disk Encryption            Enable
Disk Encryption Key        key-hzz66c8207**** (the ID of the key that you created in the "Prerequisites" section of this topic)