ApsaraDB for MongoDB:Configure TDE for an instance

Last Updated:Nov 01, 2024

You can use transparent data encryption (TDE) to perform real-time I/O encryption and decryption on data files. Data is encrypted before it is written to the disk and is decrypted when it is read from the disk to the memory. TDE does not increase the sizes of data files. To use TDE, you do not need to modify your application. To improve data security, you can enable TDE for an instance in the ApsaraDB for MongoDB console to encrypt instance data.

Prerequisites

  • The instance is a replica set or sharded cluster instance.

  • The storage engine of the instance is WiredTiger.

  • The instance uses local disks to store data.

  • The instance runs MongoDB 4.0 or 4.2. If the instance runs an earlier major version, you can upgrade the major version of the instance. For more information, see Upgrade the major version of an ApsaraDB for MongoDB instance.

    Note

    Before you enable TDE, you can create a pay-as-you-go instance that runs MongoDB 4.0 or 4.2 to test the compatibility between your application and the database version. You can release the instance after you complete the test.

If the architecture or storage engine of your instance does not meet your business requirements, you can use other methods to make configuration changes. For more information, see Other configuration change scenarios and methods.

Impacts

  • When you enable TDE, your instance is restarted, and your application is disconnected from the instance. We recommend that you enable TDE during off-peak hours and make sure that your application can automatically reconnect to the instance.

  • After TDE is enabled, the CPU utilization of your instance increases.

  • You cannot restore TDE-encrypted collections to a self-managed database by using physical backup. To restore TDE-encrypted collections to a self-managed database, you can use logical backup. For more information, see Restore data of an ApsaraDB for MongoDB instance to a self-managed MongoDB database by using logical backup.

Usage notes

  • You cannot disable TDE after it is enabled.

  • After you enable TDE for an instance, the instance cannot be restored from the recycle bin if the instance is released.

  • TDE is enabled at the instance level and encrypts data at the collection level. To encrypt individual fields, you must perform manual field-level encryption, which is supported only by MongoDB 4.2. For more information, see Explicit (Manual) Client-Side Field Level Encryption.

    Note

    When you create a collection, you can disable encryption for the collection. For more information, see Disable encryption for a specified collection.

  • Only collections created after TDE is enabled are encrypted.

  • Key Management Service (KMS) generates and manages the keys used by TDE. ApsaraDB for MongoDB does not provide keys or certificates required for encryption. For more information about KMS, see What is Key Management Service?

  • After you enable TDE for an instance, you cannot change the keys of the instance. To change the keys of the instance, use Data Transmission Service (DTS) to migrate data from the instance to a new instance that uses new keys. For more information, see Migrate data between ApsaraDB for MongoDB instances.

Procedure

  1. Go to the Replica Set Instances or Sharded Cluster Instances page. In the top navigation bar, select the region in which the instance resides. Then, find the instance and click the ID of the instance.

  2. In the left-side navigation pane of the instance details page, choose Data Security > TDE.

  3. Turn on the switch next to TDE Status to enable TDE.

  4. In the Enable TDE dialog box, select a key generation method.

    • Use Automatically Generated Key: uses a key automatically generated by the system.

    • Use Custom Key: select a custom key from the drop-down list. If no custom keys are displayed in the drop-down list, create a custom key and then select it. For more information about how to create a custom key, see Create a CMK.

  5. Click OK.

    The instance enters the Modifying TDE state. When the instance state changes to Running, TDE is enabled.

Disable encryption for a specified collection

After you enable TDE, all new collections are encrypted. When you create a collection, you can disable encryption for the collection.

  1. Connect to an instance by using the mongo shell. For more information, see Connect to an ApsaraDB for MongoDB replica set instance by using the mongo shell or Connect to an ApsaraDB for MongoDB sharded cluster instance by using the mongo shell.

  2. Create a collection with encryption disabled.

    • Syntax:

      db.createCollection("<collection_name>",{ storageEngine: { wiredTiger: { configString: "encryption=(name=none)" } } })

      Note

      In the syntax, collection_name indicates the name of the collection.

    • Sample code:

      db.createCollection("customer",{ storageEngine: { wiredTiger: { configString: "encryption=(name=none)" } } })
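Because collections created this way stay unencrypted permanently, it is worth auditing which collections opted out. The following mongo shell helper is an added example, not part of the original page or of ApsaraDB for MongoDB; it assumes that a collection created with the configString above carries the fragment encryption=(name=none) in stats().wiredTiger.creationString, and that stats() is run on a replica set instance (on a sharded cluster, mongos nests the per-shard stats under shards).

```javascript
// Added example: list collections that were created with TDE disabled via
// the storageEngine configString shown above.
// Assumption: such a collection carries "encryption=(name=none)" in
// stats().wiredTiger.creationString (replica set; sharded clusters nest
// per-shard stats under "shards").

// Parse a WiredTiger creationString into a map of top-level key -> value.
// Commas inside parentheses do not split, so "encryption=(name=none)" stays intact.
function parseCreationString(cs) {
  const out = {};
  let depth = 0, start = 0;
  for (let i = 0; i <= cs.length; i++) {
    const ch = cs[i];
    if (ch === "(") depth++;
    else if (ch === ")") depth--;
    else if ((ch === "," && depth === 0) || i === cs.length) {
      const item = cs.slice(start, i).trim();
      if (item) {
        const eq = item.indexOf("=");
        if (eq === -1) out[item] = "";
        else out[item.slice(0, eq)] = item.slice(eq + 1);
      }
      start = i + 1;
    }
  }
  return out;
}

// True when the creationString explicitly turns encryption off.
function encryptionDisabled(creationString) {
  const enc = parseCreationString(creationString).encryption || "";
  return /\bname=none\b/.test(enc);
}

// Given [{ name, creationString }], return the names of unencrypted collections.
function auditCollections(entries) {
  return entries.filter(e => encryptionDisabled(e.creationString)).map(e => e.name);
}

// Constructed sample stats for offline use (not captured from a real instance).
const SAMPLE = [
  { name: "customer", creationString: "allocation_size=4KB,app_metadata=(formatVersion=1),block_allocation=best,encryption=(name=none),key_format=q" },
  { name: "orders", creationString: "allocation_size=4KB,block_allocation=best,key_format=q,value_format=u" },
];

// In the mongo shell, run against the live database instead of SAMPLE:
// auditCollections(db.getCollectionNames().map(n => ({ name: n,
//   creationString: db.getCollection(n).stats().wiredTiger.creationString })));
```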