Configure TDE

0.0.201

This topic describes how to configure Transparent Data Encryption (TDE) for an ApsaraDB RDS for MySQL instance. You can use TDE to perform real-time I/O encryption and decryption on data files, perform data-at-rest encryption at the database layer to prevent attackers from bypassing databases to read sensitive information from storage. This effectively improves the security of sensitive data in databases. For more information about database encryption technologies, see Comparison of different database encryption technologies.

Background information

Overview: TDE performs data-at-rest encryption at the database layer. This prevents potential attackers from bypassing the database to read sensitive information from storage. After TDE is enabled for your RDS instance, data is encrypted before it is written to a disk and is decrypted when it is read from a disk to the memory. TDE allows authenticated applications and users to access plaintext application data without the need to modify the application code or configurations. TDE prevents operating system (OS) users who attempt to read sensitive information within tablespaces and unauthorized users who attempt to read backup data and on-disk data from accessing the plaintext data.

Key: The key that is used for TDE is created and managed by Key Management Service (KMS). ApsaraDB RDS does not provide the key or certificates that are required for encryption. You can use an automatically generated key. You can also use a custom key and authorize ApsaraDB RDS to access KMS.

Encryption algorithm: After you enable TDE, the encryption algorithm varies based on the MySQL version. The following table describes the mappings between MySQL versions and encryption algorithms:

Database engine	Supported encryption algorithm	Configuration method

Database engine	Supported encryption algorithm	Configuration method
MySQL 5.6	`AES_128_ECB`	Not supported
MySQL 5.7 and MySQL 8.0	`AES_256_CBC`, `SM4_CTR`	You can use the `innodb_encrypt_algorithm` parameter to configure an encryption algorithm. For more information, see Modify instance parameters.

Important

The setting of the innodb_encrypt_algorithm parameter determines the encryption and decryption algorithms for all encrypted data in the instance, including encrypted tables and logs. If the parameter setting does not match the actual encryption algorithm, the parsing fails. Proceed with caution. Before you change the value of the innodb_encrypt_algorithm parameter, we recommend that you decrypt all encrypted data, change the encryption algorithm, and then encrypt the data again.

Prerequisites

The RDS edition, storage type, and database engine version of the RDS instance must meet one of the following requirements:
- The RDS instance runs MySQL 8.0 (with a minor engine version of 20191015 or later) on RDS Cluster Edition or High-availability Edition with local and cloud disks
- The RDS instance runs MySQL 5.7 (with a minor engine version of 20191015 or later) on RDS Cluster Edition or High-availability Edition with local and cloud disks
- The RDS instance runs MySQL 5.6
Note
- If your RDS instance uses cloud disks, you can also use the cloud disk encryption feature to encrypt data on the RDS instance. For more information, see Use the cloud disk encryption feature.
- For more information about how to update the minor engine version, see Update the minor engine version.
Your Alibaba Cloud account is used to authorize ApsaraDB RDS to access KMS. For more information, see Authorize an ApsaraDB RDS for MySQL instance to access KMS.
KMS is activated. If KMS is not activated, you can activate KMS when you enable TDE.

Usage notes

After you enable TDE, you cannot disable TDE or change the key that is used for TDE. In this case, the CPU utilization of your RDS instance significantly increases.
Instance switchover: When TDE is enabled, the RDS instance restarts and an instance switchover is triggered. We recommend that you enable the TDE feature during off-peak hours and make sure that your application is configured to automatically reconnect to your RDS instance. For more information about the impacts of an instance switchover, see Impacts of an instance switchover.
Code modification: After you enable TDE, the size of data files does not increase. You can use TDE without the need to modify the application code or configurations.
Data restoration: After TDE is enabled for an instance, data of the instance cannot be restored to another instance in a different region. If you want to restore the data to an on-premises database after you enable TDE, you must decrypt the data on your RDS instance. For more information, see Decrypt data.
Minor engine version: We recommend that you update the minor engine version of your RDS instance to the latest version to ensure the stability of the instance. If read-only RDS instances are attached to your RDS instance, we recommend that you update the minor engine versions of your RDS instance and all the read-only RDS instances to the latest version. For more information, see Update the minor engine version.
Configuration change: If you enable TDE for an RDS instance that runs RDS High-availability Edition, the instance cannot be upgraded to RDS Cluster Edition.
Custom key: If you use an existing custom key for TDE, take note of the following items:
- If you disable the key, configure a plan to delete the key, or delete the key material, the key becomes unavailable. The key also becomes unavailable if the corresponding KMS instance expires or is deleted.
- If your RDS instance restarts after you revoke the key, your RDS instance becomes unavailable.
- You must use your Alibaba Cloud account or an account that has the AliyunSTSAssumeRoleAccess permission.
- If the key or the corresponding KMS instance becomes unavailable, the data of the RDS instance cannot be restored.
Note
For more information about KMS, see What is KMS?

Enable TDE

You can use an automatically generated key to enable TDE. You can also use a custom key and authorize ApsaraDB RDS to access KMS.

Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, click Data Security.
On the TDE tab, turn on TDE Status.
In the dialog box that appears, select the required encryption key type:
- Use Automatically Generated Key: The key encryption key (KEK) used by this method is the service key that is provided by KMS.
- Use Existing Custom Key: A custom key is used. If you do not have a custom key, you must click go to the KMS console to create a custom key and import your own key material. For more information, see Create a CMK.
Click OK.

Use TDE to encrypt and decrypt data

Encrypt data

Decrypt data

If you want to encrypt tables on an RDS instance, you must log on to the RDS instance and execute the required statements.

Note

After you enable TDE, existing data tables are not automatically encrypted. You must execute the required statements to encrypt data.

MySQL 5.6

alter table <tablename> engine=innodb,block_format=encrypted;

MySQL 5.7 or MySQL 8.0
```
alter table <tablename> encryption='Y';
```

If you want to decrypt tables on an RDS instance, you must log on to the RDS instance and execute the required statements.

MySQL 5.6

alter table <tablename> engine=innodb,block_format=default;

MySQL 5.7 or MySQL 8.0
```
alter table <tablename> encryption='N';
```

FAQs

After I enable TDE, can I use common database tools such as Navicat?
Yes, after you enable TDE, you can use common database tools such as Navicat.
After I enable TDE, can I migrate data from my RDS instance to a different RDS instance?
Yes, after you enable TDE, you can migrate data from your RDS instance to a different RDS instance.
After I enable TDE, why is my data still in plaintext?
After you enable TDE, your data is stored in ciphertext. However, when the data is queried, it is decrypted and then loaded in plaintext to the memory. TDE encrypts backup files to prevent data leaks. Before you restore the data of your RDS instance from an encrypted backup file to your computer, you must decrypt the file.

References

If you want to encrypt the connections to an RDS instance, you can enable the SSL encryption feature. For more information, see Configure the SSL encryption feature.
For more information about KMS, see What is KMS?
TDE test report
Configure TDE for an ApsaraDB RDS for SQL Server instance
Configure TDE for an ApsaraDB RDS for PostgreSQL instance

Related operations

Operation	Description

Operation	Description
ModifyDBInstanceTDE	Enables TDE for an RDS instance. To enable TDE for an RDS instance, you must set the TDEStatus parameter to Enabled and configure other parameters based on your business requirements.