How to Enable Transparent Data Encryption on Alibaba Cloud
Transparent Data Encryption (TDE) encrypts a database at the file level. If you store critical or sensitive data, TDE protects it at rest: anyone who obtains the underlying data files or backups gets only ciphertext. Because the encryption is transparent, TDE does not protect data from a user who can authenticate to the database, so it complements access control rather than replacing it. TDE also helps you meet regulatory requirements such as PCI DSS and HIPAA.
TDE performs real-time I/O encryption and decryption of instance data files: data is encrypted before it is written to disk and decrypted when it is read from disk, with no changes to the application.
Alibaba Cloud ApsaraDB for RDS fully supports TDE for MySQL. In this article, we will look at setting up TDE for MySQL on Alibaba Cloud.
Note: TDE is currently only applicable to SQL Server 2008 R2 and MySQL 5.6. To view or modify TDE settings, you must log in with the Alibaba Cloud account itself rather than a RAM user.
To enable TDE, go to the RDS Management Console and select the RDS instance. Under Security Control, open the TDE tab, where you will find the option to enable TDE.
Encrypting Tables
Log in to the database and execute the following statement for each table you want to encrypt, replacing <table_name> with the name of the table. block_format is an Alibaba Cloud RDS for MySQL table option, not a community MySQL one, and the statement rebuilds the table, so run it during a maintenance window.
alter table <table_name> engine=innodb block_format=encrypted;
Decrypting Tables
If you want to decrypt a TDE-encrypted table, execute the following statement, again replacing <table_name> with the name of the table. This also rebuilds the table.
alter table <table_name> engine=innodb block_format=default;
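The two statements above work on one table at a time, so on a MySQL 5.6 instance the per-table ALTER has to be repeated for every table you want encrypted. The following shell script is an added example, not part of the original article or of Alibaba Cloud's tooling: it lists the base tables of one schema from information_schema, generates the article's ALTER TABLE ... block_format=encrypted (or =default) statement for every InnoDB table, and reports rather than converts tables on other engines. The RDS_CNF options file, the "shop" schema and its sample tables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the Alibaba Cloud article or its tooling: batch-encrypt (or decrypt)
# every InnoDB table in one schema of an ApsaraDB RDS for MySQL 5.6 instance on which TDE has
# already been enabled in the console. BLOCK_FORMAT is the Alibaba Cloud (AliSQL) table option
# used in the article; it is not a community MySQL option. RDS_CNF and the "shop" schema are
# assumptions for illustration.
set -eu

TAB="$(printf '\t')"   # POSIX-portable tab for IFS ($'\t' is bash-only)

# Query listing base tables and their storage engines for one schema. The schema name is
# chosen by the operator, not taken from untrusted input.
list_tables_query() {
  printf "SELECT TABLE_SCHEMA, TABLE_NAME, ENGINE FROM information_schema.TABLES WHERE TABLE_SCHEMA='%s' AND TABLE_TYPE='BASE TABLE';" "$1"
}

# Backtick-quote an identifier, doubling any embedded backtick.
quote_ident() {
  printf '`%s`' "$(printf '%s' "$1" | sed 's/`/``/g')"
}

# Read "schema<TAB>table<TAB>engine" lines (what `mysql -N -B` prints for the query above)
# and emit one ALTER TABLE per InnoDB table. Non-InnoDB tables are skipped and reported on
# stderr: the article's statement would silently convert them to InnoDB as a side effect.
build_encrypt_sql() {
  mode="${1:-encrypted}"          # "encrypted" to encrypt, "default" to decrypt
  case "$mode" in
    encrypted|default) ;;
    *) printf 'unknown mode %s\n' "$mode" >&2; return 2 ;;
  esac
  while IFS="$TAB" read -r schema table engine; do
    [ -n "$table" ] || continue
    if [ "$engine" != "InnoDB" ]; then
      printf 'skipping %s.%s: engine %s is not InnoDB\n' "$schema" "$table" "$engine" >&2
      continue
    fi
    printf 'ALTER TABLE %s.%s ENGINE=InnoDB BLOCK_FORMAT=%s;\n' \
      "$(quote_ident "$schema")" "$(quote_ident "$table")" "$mode"
  done
}

# Apply to a live instance. Credentials come from a mysql options file passed via
# --defaults-extra-file so the password never appears on the command line or in `ps`.
# ALTER TABLE ... ENGINE=InnoDB rebuilds every table, so run this in a maintenance window
# and with enough free storage for the table copies.
encrypt_schema() {
  schema="$1"; mode="${2:-encrypted}"
  mysql --defaults-extra-file="$RDS_CNF" -N -B -e "$(list_tables_query "$schema")" \
    | build_encrypt_sql "$mode" \
    | mysql --defaults-extra-file="$RDS_CNF" "$schema"
}

# Constructed sample of `mysql -N -B` output for a schema named "shop" (not real data).
SAMPLE_TABLES="$(printf 'shop\tcustomers\tInnoDB\nshop\taudit_log\tMyISAM\nshop\torders\tInnoDB\n')"

# Count the ALTER statements the sample produces for a given mode.
count_statements() {
  printf '%s\n' "$SAMPLE_TABLES" | build_encrypt_sql "$1" 2>/dev/null | grep -c '^ALTER TABLE'
}

# Dry run: print the statements for the sample; the MyISAM table is reported, not converted.
printf '%s\n' "$SAMPLE_TABLES" | build_encrypt_sql encrypted

# Live run only when an options file is configured.
if [ -n "${RDS_CNF:-}" ]; then
  encrypt_schema shop encrypted
fi
```

Run it without RDS_CNF first to review the generated statements, then point RDS_CNF at an options file holding the instance's host, user and password and run it again. Pass "default" as the second argument of encrypt_schema to reverse the operation with the article's decryption statement.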
Related Blog Posts
Data Encryption at Storage on Alibaba Cloud
Alibaba Cloud products provide various methods to encrypt static data, as shown in the following table:
Product     Encryption method
OSS         OSS client-side encryption; OSS server-side encryption
RDS         SSL encryption; TDE encryption
ECS Disk    ECS disk encryption, which encrypts cloud disks and shared block storage
RDS supports SSL and TDE encryption.
TDE Encryption
RDS provides transparent data encryption (TDE) for MySQL and SQL Server. The TDE function of RDS for MySQL is developed by Alibaba Cloud and the TDE function of RDS for SQL Server is based on the SQL Server Enterprise Edition.
You can specify the database or table to be encrypted in a TDE-enabled RDS instance. The data of the specified database or table is encrypted before being written to any device such as an HDD, SSD, or PCIe card, or to any service such as OSS or Archive Storage. Therefore, data files and backups of the instance are all ciphertext.
TDE adopts the Advanced Encryption Standard (AES) algorithm. The key length is 128 bits. The key for TDE is encrypted and stored by KMS, and RDS dynamically reads the key only once when the instance is started or migrated. You can replace the key as needed on the KMS console.
Alibaba Cloud Now Supports Data at Rest Encryption with Bring Your Own Key (BYOK)
A BYOK model allows you to generate your own encryption key material and upload the self-generated keys to Key Management Service (KMS) on the cloud, giving you full control over the lifecycle of the uploaded keys. This provides your organization with continuous ownership and better control of how data is encrypted. BYOK is ideal for organizations that already have their own hardware security module (HSM) or key management system and want full control over how keys are generated.
Some users, especially smaller businesses, may prefer to have the cloud provider manage all aspects of data encryption for information stored on the cloud; they can generate their own customer master key (CMK) in Alibaba Cloud's KMS and control the lifecycle of the CMKs in the same way as keys uploaded through BYOK. Medium and large businesses, especially those with complex organizational structures or strict data privacy regulations, can benefit from BYOK.
Related Documentation
View the data encryption status of an instance
This interface only supports MySQL 5.5, MySQL 5.6, and SQL Server 2008 R2.
Modify the data encryption status of an instance
This interface only supports MySQL 5.6 and SQL Server 2008 R2:
- MySQL 5.6 supports enabling TDE only for a whole instance, so the DBName parameter is not accepted. After TDE is enabled, if you want to restore the data to a local server, first decrypt the data through RDS.
- Before enabling TDE, you must activate KMS. If you have not activated KMS, you can do so by following the guidance shown during TDE activation.
- SQL Server 2008 R2 supports enabling and disabling TDE for individual databases. When TDE is enabled on a database, the TDE status of the instance changes as well, and at the instance level it can only be enabled.
After TDE is enabled for an instance, it cannot be disabled. TDE also causes a considerable increase in CPU usage.
Related Products
MySQL is one of the most popular open-source databases in the world. As a key component of the open-source software bundle LAMP (Linux, Apache, MySQL, and Perl/PHP/Python), MySQL has been widely applied to different scenarios.
Alibaba Cloud offers a set of fully managed, low-maintenance, optimized database services that fully support open-source database engines.
Our database services automatically and continuously manage and monitor your database health and hardware securely. Whenever issues are detected on your database, Alibaba Cloud locates and fixes them for you, so you can stop worrying about them and enjoy a great experience throughout the life of the database.