Starting January 15, 2024, user-defined customer master keys (CMKs) that are used for cloud disk encryption are no longer provided when you create ApsaraDB RDS instances that run MySQL or PostgreSQL with cloud disks and use the general-purpose instance type.
Effective date
January 15, 2024
Involved instances
RDS instances that run MySQL or PostgreSQL
Description
The cloud disk encryption feature is adjusted for RDS instances that run MySQL or PostgreSQL with cloud disks.
If you create an RDS instance that uses the general-purpose instance type and cloud disks, you can select only the default service CMK to enable the cloud disk encryption feature for the RDS instance.
If you create an RDS instance that uses the dedicated instance type and cloud disks, you can select the default service CMK or a user-defined CMK to enable the cloud disk encryption feature for the RDS instance.
The default service CMK is a service key managed by ApsaraDB RDS and is permanently valid.
Impacts
If an existing RDS instance uses the general-purpose instance type and a user-defined CMK for cloud disk encryption, connections to the RDS instance and operations on it such as data reads and writes, data migration, and storage capacity expansion are not affected. However, if you want to change the specifications of the RDS instance, clone the RDS instance, or create read-only RDS instances for the RDS instance, you must upgrade the instance type of the RDS instance to a dedicated instance type. When you change the specifications of an RDS instance, you can change the storage type or instance type or reduce the storage capacity of the RDS instance.
If an existing RDS instance uses the dedicated instance type and a user-defined CMK for cloud disk encryption and you want to change the instance specifications, clone the RDS instance, or create read-only RDS instances, the new instance type can only be the dedicated instance type.
If you call the CreateDBInstance operation to create an RDS instance that uses the general-purpose instance type and cloud disks, you can set the EncryptionKey parameter only to a service key ID. You can also create an instance that uses a service key for cloud disk encryption by specifying the RoleARN parameter.
References
For more information about the general-purpose and dedicated instance types, see Primary ApsaraDB RDS instance types.
For more information about Key Management Service (KMS), see What is KMS?