To enhance the security of your stored data, you can enable the disk encryption feature to encrypt the entire data disk at no additional cost. This feature introduces minimal performance overhead on the instance and ensures data security even in the event of data or backup leaks. After you enable this feature for an instance, your application can access the data in the instance without requiring modifications. Additionally, all data in the snapshot backups of the instance remains encrypted.
Overview
How it works
Disk encryption leverages the industry-standard AES-256 encryption algorithm to secure the entire data disk. Once enabled, data is automatically encrypted upon writing to the disk and stored as ciphertext. Authorized users can read the decrypted data from the disk without the need to change the code of their applications. For more information about the encryption principles, see Encrypt cloud disks.
Encryption keys
The keys used by the disk encryption feature are provided by Key Management Service (KMS). You can encrypt your data disk by using different types of keys provided by KMS, including the default keys (service keys and customer master keys), software-protected keys, and hardware-protected keys.
In most cases, you can opt for the default key, which is either a service key or a customer master key (CMK). This key type is free of charge but is limited in quantity: each user can have only one CMK and only one service key for RDS within the same region. If you want to use multiple keys to encrypt different RDS instances or use more key-related features (such as credential management and signing), you can purchase a software key management or hardware key management KMS instance and create keys based on your requirements. For more information, see acquire software or hardware key instances and Instance selection.
Key type | Encryption algorithm | Cost | Created by | Key material source | Description
--- | --- | --- | --- | --- | ---
Default key: service key | AES_256 | Free of charge | The corresponding Alibaba Cloud service | Created and managed by the corresponding Alibaba Cloud service | A service key cannot be deleted or disabled. Each user can have only one service key for RDS within the same region.
Default key: CMK | AES_256 | Free of charge | User | Generated by KMS or uploaded by the user | You can manage your CMK through its lifecycle. Each user can have only one CMK within the same region.
Software-protected key | Multiple algorithms. For more information, see Instance selection | Charged | User | Generated by KMS | You can manage a software- or hardware-protected key through its lifecycle. You can create multiple software- or hardware-protected keys.
Hardware-protected key | Multiple algorithms. For more information, see Instance selection | Charged | User | Generated by KMS or uploaded by the user | You can manage a software- or hardware-protected key through its lifecycle. You can create multiple software- or hardware-protected keys.
Prerequisites
To enable disk encryption for an instance, the instance must meet the following requirements:
The storage type of the instance is ESSD, General ESSD, or Standard SSD.
The billing method of the instance is not serverless. Serverless RDS instances do not support disk encryption.
To use disk encryption, you must use your Alibaba Cloud account to authorize RDS to access KMS. For more information, see Authorize ApsaraDB RDS to access KMS.
Billing
Disk encryption is provided at no additional cost. You are not charged additional fees when you perform read or write operations on the disk of an instance for which disk encryption is enabled.
The keys used to encrypt disks are managed by KMS. You are charged for some types of keys.
Default keys (service keys and CMKs): Free of charge.
Software- and hardware-protected keys: Charged by KMS. For more information, see What is KMS?
Usage notes
Once enabled, disk encryption cannot be disabled.
Code modification: Disk encryption does not impact your business running on the RDS instance. You do not need to change the code of your application to access data in an RDS instance for which disk encryption is enabled.
Instance disconnection: A primary/secondary switchover is performed when you enable disk encryption for an existing instance or change the encryption key of an instance. During the switchover, the connection to the instance is interrupted for no more than 30 seconds. Make sure that your application can automatically reconnect to the instance.
Backup and recovery: After disk encryption is enabled for an instance, the instance does not support backup within seconds, cross-region backup, or backup download. The snapshot backups of the instance and the instances created from these backups remain encrypted.
Limits on keys: The KMS keys that can be used for disk encryption vary with the instance type. If you disable or delete the keys used for disk encryption, or you have overdue payments for KMS, the instance for which disk encryption is enabled cannot run properly.
Limits on key selection: General-purpose instances support only service keys for disk encryption, while dedicated instances support service keys or other types of custom keys.
Impact of KMS overdue payments: If you use chargeable keys (software- or hardware-protected keys) for disk encryption and you have overdue payments for KMS, the disks of the instances encrypted with these keys cannot be decrypted and the instance becomes unavailable. In this case, renew your KMS instances.
Impact of disabling or deleting keys: If you disable or delete keys that can be managed within their lifecycle (such as CMKs, software-protected keys, or hardware-protected keys) for an instance, the instance is locked and becomes unavailable. In this case, you cannot perform O&M operations, such as data backup, specification change, restart, and HA switchover, on the instance.
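The reconnect requirement in the switchover notes above, as an added example that is not part of the original page: a connect wrapper whose retry budget is sized to the documented 30-second interruption, so a switchover is absorbed while a longer outage still surfaces as an error. The driver, ConnectionLost, FakeClock and flaky_connect are constructed stand-ins so the block runs offline; a real deployment passes the driver's own connect call and catches its own connection error instead.

```python
import time
SWITCHOVER_WINDOW_S = 30  # documented maximum interruption during the primary/secondary switchover

class ConnectionLost(Exception):
    """Raised by the connect callable while the instance is unreachable (constructed stand-in)."""

def connect_with_retry(connect, window_s=SWITCHOVER_WINDOW_S, base_delay_s=0.5,
                       max_delay_s=5.0, sleep=time.sleep, clock=time.monotonic):
    """Call connect() until it succeeds or the retry budget window_s is used up.
    Returns (connection, attempts); sleep/clock are injectable for offline runs."""
    deadline = clock() + window_s
    delay = base_delay_s
    attempts = 0
    while True:
        attempts += 1
        try:
            return connect(), attempts
        except ConnectionLost as exc:
            remaining = deadline - clock()
            if remaining <= 0:  # budget exhausted: this is a real outage, not the switchover
                raise TimeoutError(f"unreachable after {attempts} attempts in {window_s} s") from exc
            sleep(min(delay, remaining))          # never sleep past the deadline
            delay = min(delay * 2, max_delay_s)   # exponential backoff, capped

class FakeClock:
    """Constructed clock: sleep() advances time instead of blocking."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds

def flaky_connect(failures):
    """Constructed driver stand-in: raise ConnectionLost `failures` times, then connect."""
    state = {"calls": 0}
    def connect():
        state["calls"] += 1
        if state["calls"] <= failures:
            raise ConnectionLost("primary/secondary switchover in progress")
        return "connection-to-new-primary"
    return connect

def demo(failures):
    """Drive the wrapper with the fake clock; returns (connection, attempts, elapsed_s)."""
    clock = FakeClock()
    try:
        conn, attempts = connect_with_retry(flaky_connect(failures), sleep=clock.sleep, clock=clock)
        return conn, attempts, clock.now
    except TimeoutError:
        return None, None, clock.now
```

demo(3) models a switchover that clears after three failed attempts; demo(100) models an instance that stays locked (for example because its key was disabled) and shows the wrapper giving up exactly at the 30-second budget.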
Enable disk encryption
Enable disk encryption when an instance is created
Go to the ApsaraDB RDS for MySQL buy page. Select the Standard Creation tab.
Select ESSD or General ESSD for Storage Type and then select Cloud Disk Encryption.
Select the key used for disk encryption.
To use a service key (free of charge), you can select Default Service CMK regardless of whether you have created a service key in the current region.
To use an existing CMK (free of charge), software-protected key (chargeable), or hardware-protected key (chargeable), select the key from the drop-down list. If the key does not exist, you can click create now to create a key in the KMS console.
Note: If no service key exists in the current region, a service key with the alias alias/acs/rds is automatically created after you select Default Service CMK. If a service key with the alias alias/acs/rds already exists in the current region, that service key is used for disk encryption by default. Only one service key is available for a service within the same region.
After you create the instance, you can go to the Instances page and click the ID of the instance. On the details page of the instance, check whether an encryption key is displayed in the Basic Information section. If an encryption key is displayed, disk encryption is enabled for the instance.
Enable disk encryption for an existing instance
The enabling of disk encryption for an existing instance results in a primary/secondary switchover. During the switchover, the connection to the instance may be interrupted for no more than 30 seconds. Make sure that your application can automatically reconnect to the instance.
Go to the Instances page of the RDS console and select the region of the instance in the top navigation bar. Then, click the ID of the instance for which you want to enable disk encryption.
In the left-side navigation pane, click Data Security.
On the page that appears, click the Data Encryption tab. Then, click Enable Cloud Disk Encryption.
In the dialog box that appears, select the encryption key and click OK. The status of the instance changes to Modifying Parameters.
Wait until the instance status changes to Running and the encryption information is displayed on the Data Encryption tab. Disk encryption is enabled for the instance.
Change the encryption key
If disk encryption is enabled for a dedicated RDS for MySQL instance, you can perform the following steps to change the key used for disk encryption. You cannot change the encryption key of a general-purpose instance.
The change of encryption key results in a primary/secondary switchover. During the switchover, the connection to the instance may be interrupted for no more than 30 seconds. Make sure that your application can automatically reconnect to the instance.
Go to the Instances page of the RDS console and select the region of the instance in the top navigation bar. Then, click the ID of the instance for which you want to change the encryption key.
In the left-side navigation pane, click Data Security.
On the page that appears, click the Data Encryption tab. Then, click Replace Key.
In the Change Encryption Key of Data Disk dialog box, select the new key and click OK.
References
For the differences between transparent data encryption (TDE), disk encryption, and always confidential database, see Comparison of different database encryption methods.
For more information about how to use disk encryption on RDS instances that run other database engines, see the following topics:
For more information about the API operation that can be called to query the disk encryption status and the encryption key of an instance, see DescribeDBInstanceEncryptionKey.