Use TDE to encrypt and decrypt tables or indexes - ApsaraDB RDS

This topic describes how to enable the Transparent Data Encryption (TDE) feature for your ApsaraDB RDS for PostgreSQL instance. You can use TDE to perform real-time I/O encryption and decryption on data files, perform data-at-rest encryption at the database layer to prevent attackers from bypassing databases to read sensitive information from storage. This effectively improves the security of sensitive data in databases.

Prerequisites

Your RDS instance meets the following requirements:
- The RDS instance runs PostgreSQL 10 or later.
- The RDS instance uses cloud disks.
- The minor engine version is 20221030 or later. For more information about how to view the minor engine version of your RDS instance, see Update the minor engine version.
- If read-only RDS instances are attached to your RDS instance, make sure that the read-only RDS instances also meet the preceding requirements.
Note
For more information, see Update the minor engine version.
Your Alibaba Cloud account is used to authorize ApsaraDB RDS to access Key Management Service (KMS). For more information, see Authorize an ApsaraDB RDS for MySQL instance to access KMS.
KMS is activated. If KMS is not activated, you can activate KMS when you enable TDE.

Usage notes

If a read-only RDS instance is attached to your RDS instance, make sure that the minor engine versions of the primary RDS instance and the read-only RDS instance are 20221030 or later. Otherwise, TDE cannot be enabled.
When TDE is enabled, the RDS instance restarts and an instance switchover occurs. To minimize the impacts, we recommend that you arrange your business before the restart of the RDS instance. Proceed with caution. For more information about the impacts of an instance switchover, see Impacts of an instance switchover.
After you enable TDE, you cannot disable TDE.
After TDE is enabled, database performance may be affected in I/O bound workload scenarios.
If TDE is enabled for the primary RDS instance, streaming replication between the primary RDS instance and its self-managed secondary instance is not supported.
If KMS is overdue, the cloud disks of your RDS instance cannot be decrypted and the instance becomes unavailable. Make sure that KMS runs as normal.
If you use an existing custom key for TDE, take note of the following items:
- If you disable or delete the custom key, the RDS instance cannot run as expected. The affected operations include creating a snapshot, restoring data by using a snapshot, and rebuilding a secondary RDS instance.
- If you restart your RDS instance after you disable the custom key, your RDS instance becomes unavailable.
- You must use an Alibaba Cloud account or an account to which the AliyunSTSAssumeRoleAccess policy is attached.
Note
For more information, see What is KMS?

Enable TDE

Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane of the page that appears, click Data Security.
On the TDE tab, turn on TDE Status.
In the dialog box that appears, select a key type and click OK.
- Use Automatically Generated Key: The key encryption key (KEK) used by this method is the service key that is provided by KMS.
- Use Existing Custom Key: The KEK used by this method is the customer master key (CMK) that you upload to KMS. If you do not have a custom key, you need to click go to the KMS console to create a custom key and import your own key material. For more information, see Create a CMK.
Note
For more information about encryption principles, see Overview.
Optional. Replace a key.
1. On the TDE tab, click Replace key to the right of TDE Status.
2. In the dialog box that appears, select Use Automatically Generated Key or Use Existing Custom Key and click OK.

Use TDE to encrypt or decrypt a table or an index

After TDE is enabled for your RDS instance, you must use TDE to encrypt or decrypt tables on the RDS instance.

Note

Encryption and decryption may cause performance loss. We recommend that you select an appropriate encryption range to minimize performance loss.

Encryption

Global configurations
In the ApsaraDB RDS console, set the rds_default_table_encryption parameter to on. After this parameter is enabled, new tables and indexes are encrypted by default.
Note
- This parameter is applicable only to RDS instances that run PostgreSQL 13, PostgreSQL 14, and PostgreSQL 15. For more information, see Modify the parameters of an ApsaraDB RDS for PostgreSQL instance.
- If this parameter is not found, update the minor engine version of the RDS instance to the latest version and try again. For more information about how to update the minor engine version, see Update the minor engine version.
- If you change the value of the rds_default_table_encryption parameter from on to off, the change takes effect only on new tables or indexes. The encrypted tables and indexes that are created before the change are not affected.

Encrypt tables and indexes

Encrypt a table.

-- Create an encrypted table.
CREATE TABLE <tablename> WITH (encryption=on);

-- Set the encryption parameter to on for a table.
ALTER TABLE <tablename> SET (encryption=on);

Encrypt an index.

-- Create an encrypted index.
CREATE INDEX <indexname> ... WITH (encryption=on);

-- Set the encryption parameter to on for an index.
ALTER INDEX <indexname> SET (encryption=on);

Note

The following types of indexes can be encrypted: B-tree, hash, SP-GiST, GIN, GiST, and BRIN.

Decryption

Note

The following ALTER statements trigger the rewriting of a table or an index, which is similar to the VACUUM FULL statement. We recommend that you execute the following statements during off-peak hours.

Decrypt an encrypted table.

ALTER TABLE <tablename> SET (encryption=off);

Decrypt an encrypted index.

ALTER INDEX <indexname> SET(encryption=off);

View the encryption status of a table or an index

SELECT relname, reloptions FROM pg_class WHERE relname IN ('<tablename>', '<indexname>');

FAQ

After I enable TDE, can I use common database tools such as pgAdmin?
Yes, you can use common database tools such as pgAdmin after you enable TDE.
After I enable TDE, can I migrate data from my RDS instance to a different RDS instance?
Yes, you can migrate data from your RDS instance to a different RDS instance after you enable TDE.
After I enable TDE, why is my data still in plaintext?
After you enable TDE, your data is stored in ciphertext. However, when the data is queried, it is decrypted and loaded in plaintext to the memory. TDE encrypts backup files to prevent data leaks. Before you can use an encrypted backup file to restore the data of your RDS instance to your computer, you must decrypt the file.

References

For more information, see What is KMS?
For more information about how to modify the value of the rds_default_table_encryption parameter, see Modify the parameters of an ApsaraDB RDS for PostgreSQL instance.
For more information about how to use the rds_tde_utils extension to encrypt and decrypt multiple indexes, tables, and database objects at a time, see Use the rds_tde_utils extension to encrypt and decrypt multiple data records at a time.
For more information about how to encrypt the connections to an RDS instance by using SSL, see SSL encryption.
For more information about how to encrypt sensitive data columns in database tables by using the always-confidential database feature, see Always-confidential database. After encryption, sensitive data is transmitted, computed, and stored in ciphertext.
For more information about how to enable TDE by calling an operation, see the following table.
Operation
Description
ModifyDBInstanceTDE
Enables TDE for an instance.

Operation	Description
ModifyDBInstanceTDE	Enables TDE for an instance.