The cloud disk encryption feature is provided free of charge by ApsaraDB RDS for MySQL. The feature encrypts the data on each disk of your ApsaraDB RDS for MySQL instance at the block storage layer to protect the data. This way, your data cannot be decrypted even if it is leaked. If you use the cloud disk encryption feature for your RDS instance, the snapshots that are created for the RDS instance are automatically encrypted, and you do not need to modify the configuration of your application. For more information about database encryption technologies, see Comparison of different database encryption technologies.
For more information about how to configure the cloud disk encryption feature for RDS instances that run different database engines, see the following topics:
Prerequisites
The cloud disk encryption feature can be enabled only while your RDS instance is being created. The feature cannot be enabled for an existing RDS instance. For more information, see Create an ApsaraDB RDS for MySQL instance.
Your RDS instance is created in standard mode.
Your RDS instance uses cloud disks. For more information, see Storage types.
Your RDS instance runs RDS High-availability Edition or RDS Cluster Edition. For more information, see Overview of ApsaraDB RDS editions.
Billing rules
The cloud disk encryption feature is provided free of charge. You are not charged for the read and write operations that you perform on the encrypted cloud disks.
Limits
The single-digit second backup and cross-region backup features are not supported for RDS instances for which the cloud disk encryption feature is enabled. For more information, see Use the cross-region backup feature.
Usage notes
You cannot disable the cloud disk encryption feature after you enable the feature.
The cloud disk encryption feature does not interrupt your business, and you do not need to modify your application.
If you enable the cloud disk encryption feature for your RDS instance, the snapshots that are created for the RDS instance are automatically encrypted. If you use the encrypted snapshots to create an RDS instance that uses cloud disks, the cloud disk encryption feature is automatically enabled for the new RDS instance.
If your Key Management Service (KMS) account has an overdue payment, the cloud disks of your RDS instance become unavailable. Make sure that your KMS can provide services as normal. For more information, see What is KMS?
If you disable or delete the KMS key that is used for cloud disk encryption, your RDS instance cannot run as expected. In this case, your RDS instance is locked and cannot be accessed. In addition, you cannot perform O&M operations on the RDS instance, such as backups, instance specification changes, cloning, restarts, high-availability switchovers, and instance parameter modifications. To prevent these issues, we recommend that you use the default service customer master key (CMK) that is managed by ApsaraDB RDS. The default service CMK is a service key.
If you create an RDS instance that uses the general-purpose instance type and cloud disks, you can select only Default Service CMK to enable the cloud disk encryption feature for the RDS instance. If you create an RDS instance that uses the dedicated instance type and cloud disks, you can select Default Service CMK or a CMK to enable the cloud disk encryption feature for the RDS instance. For more information, see [Product changes/Feature changes] The cloud disk encryption feature of ApsaraDB RDS is adjusted from January 15, 2024.
Check whether the cloud disk encryption feature is enabled for an RDS instance
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the Basic Information section, check whether the Key parameter exists. If the parameter exists, the cloud disk encryption feature is enabled for the RDS instance.
Enable the cloud disk encryption feature for an RDS instance
When you create an RDS instance that meets the requirements described in Prerequisites, you can select Cloud Disk Encryption after you select the instance storage type, and then configure the Key parameter. We recommend that you keep the default value of the Key parameter (Default Service CMK). For more information, see Create an ApsaraDB RDS for MySQL instance.
For more information about how to create a key, see Create a key.
After the RDS instance is created, you can go to the Basic Information page of the RDS instance and view the key that is used for cloud disk encryption.
In the KMS console, you can view all keys within the current account. In the left-side navigation pane of the KMS console, click Keys. On the page that appears, click the Default Key tab and find the key that you want to view. If the value in the Key Usage column is Service Key, the key is a service key managed by an Alibaba Cloud service. The alias of the service key managed by ApsaraDB RDS is alias/acs/rds. If you do not find the key, no service key has been created in the region. If you enable the cloud disk encryption feature and select Default Service CMK when you create the instance in the ApsaraDB RDS console, the system automatically creates a service key. The key specification of the default service CMK is Aliyun_AES_256. The key rotation feature is disabled by default. If you want to enable the key rotation feature, purchase the key rotation feature in the KMS console. For more information, see Configure key rotation.
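The usage notes above say that a disabled or deleted key locks the RDS instance, that the RDS-managed default service CMK carries the alias alias/acs/rds and the key specification Aliyun_AES_256, and that key rotation is disabled by default. The following Python script is an added example (not Alibaba Cloud's or ApsaraDB RDS's own code) that turns those notes into a pre-check you can run against the KeyMetadata object of a key before selecting it for cloud disk encryption, or periodically afterwards. The field names (KeyId, KeyState, KeySpec, DeleteDate, AutomaticRotation) and the state values Enabled, Disabled and PendingDeletion are assumptions about the response of the KMS DescribeKey API; the alias list is assumed to be fetched separately by the caller; the two sample responses are constructed and contain no real key IDs. Only alias/acs/rds and Aliyun_AES_256 come from the page.

```python
"""Pre-check of a KMS key used for ApsaraDB RDS cloud disk encryption.

Added example; not Alibaba Cloud's code. Field names and state values are
assumptions about the KeyMetadata object returned by the KMS DescribeKey
API; verify them against the KMS API reference before relying on them.
"""
from __future__ import annotations

import json

RDS_SERVICE_KEY_ALIAS = "alias/acs/rds"       # from the page
DEFAULT_SERVICE_KEY_SPEC = "Aliyun_AES_256"   # from the page

# Key states in which RDS cloud disks stop working (assumed KMS state names).
BLOCKING_STATES = {"Disabled", "PendingDeletion"}


def parse_describe_key(raw_json: str) -> dict:
    """Extract the KeyMetadata object from a DescribeKey JSON response body."""
    body = json.loads(raw_json)
    meta = body.get("KeyMetadata")
    if not isinstance(meta, dict) or "KeyId" not in meta:
        raise ValueError("response carries no KeyMetadata.KeyId")
    return meta


def assess_key(meta: dict, aliases: list[str] | None = None) -> dict:
    """Return {'usable': bool, 'findings': [str]} for one KMS key.

    `aliases` lists the alias names bound to the key; the caller obtains
    them from KMS (assumed here, not fetched by this script).
    """
    aliases = aliases or []
    findings: list[str] = []
    key_id = meta.get("KeyId", "<unknown>")
    state = meta.get("KeyState", "Unknown")

    # 1. Availability: any state other than Enabled locks the RDS instance
    #    and blocks backups, spec changes, cloning, restarts, HA switchover
    #    and parameter changes (usage notes on the page).
    usable = state == "Enabled"
    if state in BLOCKING_STATES:
        findings.append(f"CRITICAL: key {key_id} is {state}; RDS instances "
                        f"encrypted with it are locked")
    elif not usable:
        findings.append(f"CRITICAL: key {key_id} has state {state}, not Enabled")
    if meta.get("DeleteDate"):
        findings.append(f"WARNING: key {key_id} is scheduled for deletion on "
                        f"{meta['DeleteDate']}")

    # 2. Provenance: the page recommends the RDS-managed default service CMK.
    if RDS_SERVICE_KEY_ALIAS in aliases:
        findings.append(f"INFO: {key_id} is the ApsaraDB RDS default service "
                        f"CMK ({RDS_SERVICE_KEY_ALIAS})")
    else:
        findings.append(f"INFO: {key_id} is a customer-selected CMK; disabling "
                        f"or deleting it locks the instance")

    # 3. Hygiene: key specification and rotation status.
    spec = meta.get("KeySpec")
    if spec != DEFAULT_SERVICE_KEY_SPEC:
        findings.append(f"INFO: key spec {spec} differs from the default "
                        f"service CMK spec {DEFAULT_SERVICE_KEY_SPEC}")
    if meta.get("AutomaticRotation", "Disabled") != "Enabled":
        findings.append("INFO: automatic key rotation is disabled (the default)")

    return {"usable": usable, "findings": findings}


# Constructed sample responses (placeholder key IDs, no real account data).
HEALTHY_SERVICE_KEY = json.dumps({"KeyMetadata": {
    "KeyId": "00000000-0000-0000-0000-000000000001",
    "KeyState": "Enabled", "KeySpec": "Aliyun_AES_256",
    "AutomaticRotation": "Disabled"}})

KEY_PENDING_DELETION = json.dumps({"KeyMetadata": {
    "KeyId": "00000000-0000-0000-0000-000000000002",
    "KeyState": "PendingDeletion", "KeySpec": "Aliyun_AES_256",
    "DeleteDate": "2030-01-01T00:00:00Z"}})


def run_demo() -> list[dict]:
    """Assess both constructed samples and return their reports."""
    reports = [
        assess_key(parse_describe_key(HEALTHY_SERVICE_KEY), [RDS_SERVICE_KEY_ALIAS]),
        assess_key(parse_describe_key(KEY_PENDING_DELETION)),
    ]
    for report in reports:
        print("usable" if report["usable"] else "NOT usable")
        for line in report["findings"]:
            print("  " + line)
    return reports


if __name__ == "__main__":
    run_demo()
```

The script reports the first sample as usable (it is the RDS-managed service key, so only the rotation note is raised) and the second as not usable because its state is PendingDeletion and a deletion date is set; a CRITICAL finding is the signal to cancel the deletion or switch the instance to another key before the disks become unavailable.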
Change the key for cloud disk encryption
If your instance is a dedicated RDS for MySQL instance and cloud disk encryption is enabled for the instance, you can perform the following steps to change the key for cloud disk encryption.
If you change the key for an instance, a switchover is performed and the instance becomes unavailable for a short period of up to 30 seconds. Make sure that your application can automatically reconnect to the instance after the switchover.
The key for a general-purpose RDS for MySQL instance cannot be changed.
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, click Data Security.
On the Data Encryption tab, click Replace Key.
In the Change Encryption Key of Data Disk dialog box, select Use Existing Custom Key and click OK.