ApsaraDB for ClickHouse provides the disk encryption feature for free. The disk encryption feature encrypts the data on the disks of your ApsaraDB for ClickHouse cluster based on block storage. This protects your data: backup data cannot be decrypted even if it is leaked.
Precautions
You can enable disk encryption only when you create an ApsaraDB for ClickHouse cluster. Disk encryption cannot be enabled after the cluster is created.
Disk encryption cannot be disabled after it is enabled.
After you enable disk encryption for a cluster, the snapshots created for the cluster are automatically encrypted. If you create clusters that use disks based on encrypted snapshots, disk encryption is also enabled for these clusters.
Disk encryption does not interrupt your business, and you do not need to modify your application.
When you use disk encryption, performance is not degraded.
Features
After an encrypted disk is created and attached to an Elastic Compute Service (ECS) instance, the system encrypts the following data:
The static data that is stored on the disk.
The data that is transmitted between the disk and the ECS instance. Data on the system disk is not encrypted.
All snapshots that are created on the encrypted disk. These snapshots are classified as encrypted snapshots.
Billing
The disk encryption feature of ApsaraDB for ClickHouse is free of charge. You are not charged for read and write operations on your encrypted disks.
For information about the charges for Key Management Service (KMS), see Billing of KMS. This includes the charges for key hosting and API operation calls.
Enable disk encryption
When you create a cluster, perform the following steps to enable disk encryption. For information about how to create a cluster, see Create an ApsaraDB for ClickHouse cluster.
Set Storage Type to ESSD or Ultra Cloud Disk.
Set Encryption Type to Disk Encryption.
Select a key that is used to encrypt disks. If no key is available, you must activate KMS and create a key.
Note: When you use the disk encryption feature of ApsaraDB for ClickHouse, only a key that is manually created can be used. When you create a key in the KMS console, you must set Rotation Period to Disable. For information about how to create a key, see Create a CMK.
If you authorize the user that you are using to access KMS, ActionTrail records your operations. For more information, see Use ActionTrail to query KMS event logs.
Click Buy Now to create the cluster for which disk encryption is enabled.
View a key
Log on to the ApsaraDB for ClickHouse console.
On the Clusters page, click the Default Instances tab, and click the ID of the cluster that you want to manage.
On the Cluster Information page, view the key information in the Cluster Properties section.