This topic describes how to configure Transparent Data Encryption (TDE).
Overview
TDE encrypts and decrypts data files in real time: data files are encrypted when they are written to disk and decrypted when they are loaded from disk into memory. Encrypting a data file with TDE does not increase its size, and applications do not need to be changed to use TDE.
Encryption keys are generated and managed by Key Management Service (KMS). PolarDB-X does not provide its own keys or certificates for encryption. PolarDB-X supports keys that are automatically generated by Alibaba Cloud, and you can also authorize PolarDB-X to use keys that are generated from your own key materials.
Prerequisites
KMS is activated. If KMS is not activated, you can activate it when you enable TDE.
Procedure
Log on to the PolarDB for Xscale console.
In the top navigation bar, select the region where your instance is deployed.
On the Instance List page, click the PolarDB-X 2.0 tab.
On the page that appears, click the ID of the instance.
In the left-side navigation pane, choose the menu item for TDE. On the TDE tab, turn on the switch next to TDE status.
In the Configure TDE dialog box, choose one of the following key options:
To use a key that is automatically generated by Alibaba Cloud, select Use Automatically Generated Key and click OK.
To use a key that is generated from your own key materials, select Use Existing Custom Key and click OK.
Note: If you do not have a custom key, click Create now to go to the KMS console and import key materials. For more information, see Manage CMKs.
Encrypt a table
Log on to the database and execute the following statement to encrypt a table:
alter table <tablename> ENCRYPTION='Y';
Execute the following statement to create an encrypted table:
create table <tablename> (<column definitions>) ENCRYPTION='Y';
Decrypt a table
Log on to the database and execute the following statement to decrypt a table that is encrypted by using TDE:
alter table <tablename> ENCRYPTION='N';
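The following session, added here as an example and not taken from the PolarDB-X documentation, walks through the statements above on a constructed table, checks the table option after each step, and then decrypts the table again. The verification queries assume MySQL-compatible SHOW CREATE TABLE output and an information_schema.TABLES view that exposes CREATE_OPTIONS; the table and column names are made up for this example.

```sql
-- Constructed example table: created encrypted from the start.
CREATE TABLE customer_secret (
    id         BIGINT       NOT NULL AUTO_INCREMENT,
    email      VARCHAR(255) NOT NULL,
    api_token  VARCHAR(128) NOT NULL,
    PRIMARY KEY (id)
) ENCRYPTION='Y';

-- Verify: the table definition should carry ENCRYPTION='Y'.
SHOW CREATE TABLE customer_secret;

-- Assumption: a MySQL-compatible information_schema view that lists
-- table options. Use it to audit which tables are still unencrypted.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
FROM information_schema.TABLES
WHERE TABLE_SCHEMA = DATABASE()
  AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION=''Y''%';

-- An existing, unencrypted table (constructed) is encrypted in place.
CREATE TABLE audit_log (
    id     BIGINT   NOT NULL AUTO_INCREMENT,
    event  VARCHAR(64) NOT NULL,
    PRIMARY KEY (id)
);
ALTER TABLE audit_log ENCRYPTION='Y';
SHOW CREATE TABLE audit_log;

-- Decrypt a table again; re-run the audit query afterwards to confirm
-- that it now shows up in the unencrypted list.
ALTER TABLE audit_log ENCRYPTION='N';
SHOW CREATE TABLE audit_log;
```

The audit query is the check worth scheduling: it surfaces any table that was created without ENCRYPTION='Y' or later switched back to 'N'.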