Disk Encryption enhances data security by encrypting data on your instances. The process is automatic and transparent, requiring no modifications to your applications. This topic describes how to enable Disk Encryption.
Prerequisites
Storage type: ESSD Cloud Disk.
Instance family: Dedicated.
Architecture: replica set instance or sharded cluster instance.
Billing
Disk Encryption is free of charge, but you will be billed for using Key Management Service (KMS). For more information about KMS pricing, see KMS 1.0 billing.
Considerations
You can only enable Disk Encryption when creating an instance. Once enabled, it cannot be disabled.
After you enable Disk Encryption, snapshots of the instance and any instances created from those snapshots are also encrypted.
If your Key Management Service (KMS) account has overdue payments, disks cannot be decrypted, which will render the MongoDB instance unavailable. To avoid service disruption, ensure that your KMS key remains in a valid state.
Disabling or deleting a KMS key will prevent the associated MongoDB instance from functioning correctly. This affects operations such as changing configurations, creating and restoring snapshots, and rebuilding secondary nodes.
Currently, Disk Encryption supports only the default keys provided by KMS.
To restore an encrypted instance from the recycle bin, ensure its associated KMS key is available. Otherwise, the restoration will fail.
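Because a disabled, deleted, or wrong-region KMS key breaks configuration changes, snapshot operations, secondary rebuilds, and recycle-bin restores, it is worth checking the key before attempting any of them. The following added example (not part of the Alibaba Cloud documentation) inspects a KMS DescribeKey response and lists the reasons the key would be unusable; the field names KeyMetadata.KeyState, .Arn and .DeleteDate and the ARN layout are assumptions, and the sample responses are constructed.

```python
"""Pre-flight check of the KMS key behind an encrypted ApsaraDB for MongoDB instance.

Added example, not from the Alibaba Cloud documentation. It inspects a KMS
DescribeKey response (KeyMetadata.KeyState, .Arn and .DeleteDate are assumed
field names) and reports why key-dependent operations would fail. The real
API call is out of scope; the sample responses below are constructed.
"""
import json
import re

# Assumed ARN layout: acs:kms:<region>:<account-id>:key/<key-id>
ARN_RE = re.compile(r"^acs:kms:([a-z0-9-]+):(\d+):key/([0-9a-f-]+)$")


def key_findings(describe_key_json, instance_region):
    """Return a list of problems; an empty list means the key is usable."""
    meta = json.loads(describe_key_json)["KeyMetadata"]
    findings = []
    state = meta.get("KeyState", "Unknown")
    if state == "Disabled":
        findings.append("key is Disabled: the instance cannot decrypt its disks")
    elif state == "PendingDeletion":
        when = meta.get("DeleteDate", "unknown date")
        findings.append("key is scheduled for deletion on %s" % when)
    elif state != "Enabled":
        findings.append("unexpected KeyState %r" % state)
    # The key must exist in the instance's own region (see Encryption Key parameter).
    m = ARN_RE.match(meta.get("Arn", ""))
    if not m:
        findings.append("KeyMetadata.Arn missing or malformed")
    elif m.group(1) != instance_region:
        findings.append("key lives in %s, instance is in %s" % (m.group(1), instance_region))
    return findings


def safe_to_operate(describe_key_json, instance_region):
    """True only when no finding blocks key-dependent operations."""
    return not key_findings(describe_key_json, instance_region)


# Constructed sample responses (placeholder key IDs and account ID, not real ones).
OK_RESPONSE = json.dumps({"KeyMetadata": {
    "KeyId": "0000aaaa-1111-2222-3333-444455556666",
    "Arn": "acs:kms:cn-hangzhou:123456789012:key/0000aaaa-1111-2222-3333-444455556666",
    "KeyState": "Enabled"}})
DELETING_RESPONSE = json.dumps({"KeyMetadata": {
    "KeyId": "0000aaaa-1111-2222-3333-444455556666",
    "Arn": "acs:kms:cn-shanghai:123456789012:key/0000aaaa-1111-2222-3333-444455556666",
    "KeyState": "PendingDeletion", "DeleteDate": "2030-01-01T00:00:00Z"}})

if __name__ == "__main__":
    print(key_findings(OK_RESPONSE, "cn-hangzhou"))        # []
    print(key_findings(DELETING_RESPONSE, "cn-hangzhou"))  # two findings
```

Run the check before a configuration change or restore; a non-empty list means the operation should not be attempted until the key is enabled, recovered, or replaced.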
Enable Disk Encryption
Go to the ApsaraDB for MongoDB purchase page.
On the purchase page, configure the following parameters.
Parameter: Description
Storage Type: Select ESSD Cloud Disk. Disk Encryption is supported only for this storage type.
Encryption Type: Select Encryption.
Service-linked Role: A service-linked role is required for Disk Encryption. If you have not created one, click Create Service-linked Role. If the role already exists, its status is displayed as Created.
Encryption Key: Select a KMS key for Disk Encryption. If no KMS key exists in the current region, create one in the KMS console. For instructions, see Create a key.
Note: Currently, only the default keys provided by KMS are supported.
For details on other parameters and how to complete the instance creation, see Create a replica set instance or Create a sharded cluster instance.