Tablestore supports server-side encryption and client-side encryption to prevent potential security risks of data in the cloud. Tablestore supports the zone-redundant storage (ZRS) storage redundancy type to allow you to store data in multiple zones to ensure high data availability and provide disaster recovery capabilities. Tablestore allows you to back up important data by using Cloud Backup to prevent accidental deletion or malicious data tampering. Tablestore supports the V4 signature algorithm to protect AccessKey pairs and reduce the risk of AccessKey pair leakage.
Data encryption
Disk encryption for static data
Tablestore supports the disk encryption feature to prevent attackers from bypassing databases. For more information, see Data encryption.
By default, the disk encryption feature is disabled. If you want to enable the disk encryption feature, turn on Encryption in the Create Table dialog box and select an encryption type.
After you enable the disk encryption feature, you cannot disable the feature. Proceed with caution.
Tablestore supports two encryption methods: encryption based on a Key Management Service (KMS) key and encryption based on Bring Your Own Key (BYOK). You must obtain the keys for both methods from KMS. You can choose a method based on your business requirements.
Encryption mode | How to use | Description |
KMS key-based encryption |
| Tablestore uses the default KMS-managed Customer Master Key (CMK) to encrypt data and automatically decrypts data when the data is being read. When you use KMS key-based encryption for the first time, Tablestore creates a KMS-managed CMK in the KMS console. You do not need to purchase a KMS instance. |
BYOK-based encryption | Tablestore SDK | After you use BYOK materials to generate a custom key in the KMS console, Tablestore can encrypt data based on your custom key. In this mode, you can manage the encryption key that you use. |
Data transmission encryption
Tablestore supports encryption based on the Transport Layer Security (TLS) protocol. Data transmission between the Tablestore server and the client is encrypted based on the TLS protocol. For more information, see Restrict the TLS versions that can be used to access a Tablestore instance.
Tablestore allows you to use methods such as custom Resource Access Management (RAM) policies and access control policies to restrict the TLS versions that can be used to access Tablestore. A later TLS version provides a more secure transmission encryption algorithm. We recommend that you use TLS 1.2 or later. For more information, see Configure a custom policy, Use custom access control policies, and Configure an instance policy.
Disaster recovery
Tablestore provides two storage redundancy types: locally redundant storage (LRS) and ZRS. If your business requires higher availability, we recommend that you store your data in a region where ZRS is supported. For more information, see ZRS.
LRS
LRS stores multiple copies of your data on multiple devices of different facilities in the same zone. LRS ensures data durability and availability in case of a hardware failure.
LRS stores copies of data in a specific zone. If the zone becomes unavailable, data in the zone is inaccessible.
ZRS
ZRS stores multiple copies of your data in multiple zones of the same region. If one of the zones is unavailable, your data is still accessible.
ZRS provides disaster recovery at the data center level. If a data center becomes unavailable due to a network interruption, power failure, or disaster, Tablestore can still ensure data consistency. The entire fault handling process is user-imperceptible and can be performed without business interruption and data loss. It can also meet the requirements of key business systems for a recovery point objective (RPO) of 0 and a recovery time objective (RTO) of 0.
Data backup and restoration
Tablestore allows you to use Cloud Backup to back up and restore data. The data backup feature is suitable for the following scenarios: disaster recovery, restoration upon accidental deletion or malicious tampering, data versioning, legal compliance, and data migration. For more information, see Overview.
Cloud Backup is a unified platform that is developed by Alibaba Cloud for backup and disaster recovery. Cloud Backup is an easy-to-use data management service that is deployed on the public cloud to offer high agility, efficiency, security, and reliability. You can use Cloud Backup to back up data to a backup vault from Elastic Computing Service (ECS) instances, ECS databases, file systems, NAS clusters, OSS buckets, Tablestore instances, and data centers that store files, databases, virtual machines (VMs), and large-scale NAS file systems. You can also use the backup data for disaster recovery and archive data based on the archive policies that you configure for the preceding resources. For more information, see What is Cloud Backup?
To prevent important data from becoming unavailable due to accidental deletion or malicious tampering, you can use the data backup feature in the Tablestore console to back up data in tables in the Wide Column model of Tablestore instances on a regular basis and restore lost or damaged data at the earliest opportunity. For more information, see Back up data in Tablestore, Restore data to Tablestore, and Specify an alert notification method for a backup plan.
AccessKey pair security
The Tablestore client uses the V4 signature algorithm to generate a derived key from the AccessKey pair of an Alibaba Cloud account or a RAM user. Then, the Tablestore client uses the derived key to initiate a request. When the Tablestore server receives the request, the server uses the derived key to authenticate the user. This prevents the AccessKey pair from being transmitted during the authentication process and reduces the risk of AccessKey pair leakage. For more information, see AccessKey pair security.