ApsaraDB RDS:Use the cloud disk encryption feature

Prerequisites

• The cloud disk encryption feature can be enabled for an RDS instance only when you create the RDS instance. You must configure the parameters for the RDS instance based on the description in Procedure. This way, you can enable the cloud disk encryption feature for the RDS instance when you create the instance.

• The RDS instance uses the following parameter settings:

  • Edition: RDS Basic Edition, RDS High-availability Edition, and RDS Cluster Edition

  • Storage Type: enhanced SSD (ESSD) or general ESSD

Usage notes

• You cannot disable cloud disk encryption after you enable the feature.

• Cross-region backups are not supported for RDS instances for which the cloud disk encryption disk is enabled. For more information, see Use the cross-region backup feature.

• Cloud disk encryption does not interrupt your workloads, and you do not need to modify your application configurations.

• If you enable disk encryption for your RDS instance, the snapshots that are created for the instance are automatically encrypted. If you use the encrypted snapshots to create an RDS instance that uses standard SSDs or ESSDs, the disk encryption feature is automatically enabled for the new RDS instance.

• If your Key Management Service (KMS) is overdue, the cloud disks of your RDS instance become unavailable. Make sure that your KMS can provide services as normal. For more information, see What is KMS?

• If you disable or delete the key of an RDS instance in KMS, the RDS instance cannot run as expected. The RDS instance is locked and cannot be accessed. In addition, you cannot perform all O&M operations on the RDS instance. For example, you cannot perform backups, change instance specifications, clone or restart the RDS instance, perform a high-availability switchover, or modify instance parameters. To prevent these issues, we recommend that you use the default service customer master key (CMK), which is a service key managed by ApsaraDB RDS.

• If you select a general-purpose instance type for the RDS instance, only the service key that is managed by ApsaraDB RDS can be used to enable cloud disk encryption. If you select a dedicated instance type for the RDS instance, the service key that is managed by ApsaraDB RDS and the customer master key (CMK) can be used to enable cloud disk encryption. For more information, see [Product changes/Feature changes] The cloud disk encryption feature of ApsaraDB RDS is adjusted from January 15, 2024.

Procedure

1. Create a key.

   KMS is required for cloud disk encryption for an RDS instance. For more information, see Purchase and enable a KMS instance.

2. Enable the cloud disk encryption feature.

   If the prerequisites are met when you create an RDS instance, you can select Disk Encryption and then specify a key after you select the storage type. Default Service CMK is selected by default.

   

   Note

   • After the RDS instance is created, you can go to the Basic Information page of the instance and view the key that is used for disk encryption.

   • In the KMS console, you can view all keys within the current account. In the left-side navigation page of the KMS console, click Keys. On the page that appears, click the Default Key tab and then find the key that you want to view. If the value in the Key Usage column is Service Key, the key is a service key managed by an Alibaba Cloud service. The alias of the service key managed by ApsaraDB RDS is alias/acs/rds. If you do not find the key, no service key has been created in the region. When you enable the disk encryption feature and select Default Service CMK during the instance creation in the ApsaraDB RDS console, the system automatically creates a service key.

   • The key specification of the default service CMK is Aliyun_AES_256. The key rotation feature is disabled by default. If you want to enable the key rotation feature, purchase the key rotation feature in the KMS console. For more information, see Configure key rotation.