ApsaraDB for MongoDB: Disk encryption

Last Updated: Oct 09, 2024

The disk encryption feature encrypts the data of an ApsaraDB for MongoDB instance to protect your data. Disk encryption does not affect your business workloads, and you do not need to modify the code of your application. This topic describes how to enable the disk encryption feature.

Prerequisites

The instance for which you want to enable the disk encryption feature is a replica set or sharded cluster instance that uses Enterprise SSDs (ESSDs).

Billing

The disk encryption feature is provided free of charge. However, you are charged for Key Management Service (KMS) keys that are used for data encryption. For more information about the billing of KMS, see Billing of KMS.

Usage notes

  • You can enable the disk encryption feature for an ApsaraDB for MongoDB instance only when you create the instance. You cannot disable the feature after it is enabled.

  • After you enable the disk encryption feature for your ApsaraDB for MongoDB instance, the snapshots that are created for your instance and the disks that are created from the snapshots are automatically encrypted.

  • If you have overdue payments for KMS within your Alibaba Cloud account, disks that are created from the snapshots cannot be decrypted. As a result, your ApsaraDB for MongoDB instance becomes unavailable. Make sure that the KMS key that is used for disk encryption is in a normal state. For more information about KMS, see What is Key Management Service?

  • If you disable or delete a KMS key, the ApsaraDB for MongoDB instance that uses the key cannot run as expected. In this case, the following operations are affected: changing the instance configurations, creating a snapshot, restoring a snapshot, and rebuilding a backup database.

  • If you want to recover an instance for which the disk encryption feature is enabled, make sure that the KMS key that the instance uses for data encryption is available. Otherwise, the instance cannot be recovered.
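A pre-flight check for the KMS key dependency described in the usage notes above, added here as an example and not code from the Alibaba Cloud documentation. It evaluates the KeyMetadata object returned by the KMS DescribeKey API; the aliyun CLI invocation, the timestamp format and the sample response below are assumptions.

```python
"""Check that the KMS key behind a disk-encrypted ApsaraDB for MongoDB instance is usable."""
import json
import subprocess
from datetime import datetime, timezone
from typing import Optional, Tuple

# Operations the documentation lists as affected when the key is disabled or deleted.
AFFECTED_OPERATIONS = (
    "change the instance configurations", "create a snapshot",
    "restore a snapshot", "rebuild a backup database",
)

def key_usable(key_metadata: dict, now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (ok, reason) for the KeyMetadata object of a DescribeKey response."""
    now = now or datetime.now(timezone.utc)
    state = key_metadata.get("KeyState")
    if state == "Enabled":
        # Imported key material carries an expiry; format "%Y-%m-%dT%H:%M:%SZ" is assumed.
        expire = key_metadata.get("MaterialExpireTime") or ""
        if expire:
            exp = datetime.strptime(expire, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            if exp <= now:
                return False, "imported key material has expired"
        return True, "key is enabled"
    if state == "PendingDeletion":
        return False, "key is scheduled for deletion on %s" % key_metadata.get("DeleteDate", "?")
    if state == "Disabled":
        return False, "key is disabled"
    return False, "unexpected key state %r" % state

def fetch_key_metadata(key_id: str, region: str) -> dict:
    """Live lookup through the aliyun CLI (assumes the CLI is installed and configured)."""
    out = subprocess.check_output(
        ["aliyun", "kms", "DescribeKey", "--KeyId", key_id, "--region", region])
    return json.loads(out)["KeyMetadata"]

# Constructed sample response; the key ID is a placeholder, not a real key.
SAMPLE = {"KeyMetadata": {"KeyId": "00000000-0000-0000-0000-000000000000",
                          "KeyState": "PendingDeletion",
                          "DeleteDate": "2024-11-01T00:00:00Z"}}

if __name__ == "__main__":
    ok, why = key_usable(SAMPLE["KeyMetadata"])
    print("OK" if ok else "NOT USABLE", "-", why)
    if not ok:
        print("affected operations:", ", ".join(AFFECTED_OPERATIONS))
```

Run the check before a snapshot restore or instance recovery, replacing SAMPLE with the output of fetch_key_metadata for the instance's key.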

Enable the disk encryption feature

  1. Go to the ApsaraDB MongoDB instance creation page.

  2. Configure the parameters described in the following table.

    Parameter | Description
    Storage Type | The storage type of the instance. You must select the ESSD storage type because only ESSDs support the disk encryption feature.
    Encryption Type | The encryption type of the instance. Select Encryption for replica set instances and Cloud Disk Encryption for sharded cluster instances.
    Service-linked Role | The Resource Access Management (RAM) role that only the linked Alibaba Cloud service can assume. A service-linked role is required to use the disk encryption feature. If you have already created a service-linked role, Created is displayed. If you have not created a service-linked role, click Create Service-linked Role.
    Encryption Key | The KMS key that is used for disk encryption. If no KMS keys are created in the specified region, go to the KMS console. For more information about how to create a KMS key, see Create a CMK.

    For more information about parameters that you must configure to create an instance and how to create an ApsaraDB for MongoDB instance, see Create a replica set instance or Create a sharded cluster instance.