
ApsaraDB for MongoDB: Disk encryption

Last Updated: Feb 24, 2025

The disk encryption feature allows you to encrypt data in an ApsaraDB for MongoDB instance to maximize your data security. Disk encryption does not affect your business workloads. You do not need to modify the code of your application. This topic describes how to enable the disk encryption feature for an instance.

Prerequisites

  • Enterprise SSDs (ESSDs) are used to store the instance data.

  • The dedicated instance category is used.

  • A replica set or sharded cluster instance is used.

Billing

The disk encryption feature is provided free of charge. However, you are charged for Key Management Service (KMS) keys that are used for data encryption. For more information about the billing of KMS, see Billing of KMS.

Usage notes

  • You can enable the disk encryption feature for an ApsaraDB for MongoDB instance only when you create the instance. You cannot disable the feature after it is enabled.

  • After you enable the disk encryption feature for your ApsaraDB for MongoDB instance, the snapshots that are created for your instance and the disks that are created from the snapshots are automatically encrypted.

  • If you have overdue payments for KMS within your Alibaba Cloud account, disks that are created from the snapshots cannot be decrypted. As a result, your ApsaraDB for MongoDB instance becomes unavailable. Make sure that the KMS key that is used for disk encryption is in a normal state. For more information about KMS, see What is Key Management Service?

  • If you disable or delete a KMS key, the ApsaraDB for MongoDB instance that uses the key cannot run as expected. In this case, the following operations are affected: changing the instance configurations, creating a snapshot, restoring a snapshot, and rebuilding a backup database.

  • If you want to recover from the recycle bin an instance for which the disk encryption feature is enabled, make sure that the KMS key that the instance uses for data encryption is available. Otherwise, the instance cannot be recovered.
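
The usage notes above tie the availability of an encrypted instance to the state of its KMS key. The following added example (not part of the original documentation and not Alibaba Cloud code) audits an inventory of encrypted instances against key states. The `KeyMetadata.KeyId` and `KeyState` fields follow the KMS DescribeKey response; the instance IDs, key IDs, inventory layout, and the "Missing" label are constructed for illustration.

```python
import json

# Operations the usage notes list as affected when the key is disabled or deleted.
BLOCKED_OPS = ["change instance configurations", "create a snapshot",
               "restore a snapshot", "rebuild a backup database"]

# Constructed inventory: encrypted instance ID -> KMS key ID selected at creation.
INVENTORY = {
    "dds-example-0001": "key-example-aaaa",
    "dds-example-0002": "key-example-bbbb",
    "dds-example-0003": "key-example-cccc",
    "dds-example-0004": "key-example-dddd",
}

# Constructed DescribeKey-style responses, one JSON document per line.
# key-example-dddd has no response, standing in for a key that no longer exists.
DESCRIBE_KEY_RESPONSES = """\
{"KeyMetadata": {"KeyId": "key-example-aaaa", "KeyState": "Enabled"}}
{"KeyMetadata": {"KeyId": "key-example-bbbb", "KeyState": "Disabled"}}
{"KeyMetadata": {"KeyId": "key-example-cccc", "KeyState": "PendingDeletion"}}
"""

def key_states(raw):
    """Map key ID -> KeyState from newline-delimited DescribeKey-style JSON."""
    states = {}
    for line in raw.splitlines():
        if line.strip():
            meta = json.loads(line)["KeyMetadata"]
            states[meta["KeyId"]] = meta["KeyState"]
    return states

def audit(inventory, states):
    """Return one finding per instance whose key is not in the Enabled state."""
    findings = []
    for instance, key_id in sorted(inventory.items()):
        state = states.get(key_id, "Missing")  # "Missing" is this example's label
        if state != "Enabled":
            findings.append({"instance": instance, "key": key_id,
                             "key_state": state, "blocked_ops": BLOCKED_OPS,
                             "recycle_bin_recoverable": False})
    return findings

if __name__ == "__main__":
    for f in audit(INVENTORY, key_states(DESCRIBE_KEY_RESPONSES)):
        print(f"{f['instance']}: key {f['key']} is {f['key_state']}; "
              f"blocked: {', '.join(f['blocked_ops'])}")
```

Because disk encryption cannot be disabled after the instance is created, a finding here can only be resolved on the KMS side, by restoring the key to a usable state.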

Enable disk encryption

  1. Go to the ApsaraDB for MongoDB buy page.

  2. Configure the parameters described in the following table.

    | Parameter | Description |
    | --- | --- |
    | Storage Type | The storage type of the instance. You must select the ESSD storage type for the instance. Only ESSDs support the disk encryption feature. |
    | Encryption Type | The encryption type of the instance. Select Disk Encryption. |
    | Service-linked Role | The Resource Access Management (RAM) role that only the linked Alibaba Cloud service can assume. A service-linked role is required to use the disk encryption feature. If you have already created a service-linked role, Created is displayed. If you have not created a service-linked role, click Create Service-linked Role. |
    | Encryption Key | The KMS key that is used for disk encryption. If no KMS keys are created in the specified region, go to the KMS console. For more information about how to create a KMS key, see Create a CMK. |

    For more information about the configuration items and subsequent operations for purchasing an instance, see Create a replica set instance or Create a sharded cluster instance.