Setting Up TDE in MySQL RDS

Transparent Data Encryption (TDE) is a technology that encrypts a database at the file level. If you have critical and sensitive data, TDE can help protect the privacy of your information and reduce the impact of data breaches by enabling data-at-rest encryption in the database. TDE also helps you meet regulatory requirements such as PCI DSS and HIPAA.

(Image: TDE overview. Source: https://www.mysql.com/products/enterprise/tde.html)

According to MySQL, “TDE enables data-at-rest encryption by encrypting the physical files of the database. Data is encrypted automatically, in real time, prior to writing to storage and decrypted when read from storage. As a result, hackers and malicious users are unable to read sensitive data from tablespace files, database backups or disks. RDS TDE uses industry standard AES algorithms.”

TDE Basics

TDE does not:

  1. Increase the size of the data file.
  2. Require developers to make any code changes to use TDE.

Alibaba Cloud ApsaraDB for RDS fully supports TDE for MySQL. In this article, we will look at setting up TDE for MySQL on Alibaba Cloud.

Note: TDE is currently only available for SQL Server 2008 R2 and MySQL 5.6. To view or modify TDE settings, you need to log in with an Alibaba Cloud account rather than a RAM account.

Prerequisites

  1. The RDS instance is based on either MySQL 5.6 or MS SQL 2008.
  2. The RDS specifications are high enough to support the overhead of encryption.

Setting Up TDE on ApsaraDB for RDS

  1. Go to the RDS Management Console and select the appropriate RDS instance.
  2. Under Security Control, on the TDE tab, you will find the option to enable TDE.

How Does TDE Work?


This feature encrypts data at rest. Encrypting data in transit remains the responsibility of the user and is outside the scope of this document.

Encrypting Tables

alter table <table_name> engine=innodb block_format=encrypted;

Decrypting Tables

alter table <table_name> engine=innodb block_format=default;
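The two statements above are per table, so rolling TDE out (or back) across a schema means generating one ALTER per table. The following is an added example, not code from the original post or from Alibaba Cloud: it builds those statements for a constructed table list, refusing any identifier outside MySQL's unquoted-identifier charset so that an inventory value can never change the DDL. The `block_format` values are the ones shown above; the schema and table names are assumptions.

```python
"""Plan a per-table TDE rollout (or rollback) for RDS MySQL 5.6.

Added example. It assumes the `block_format=encrypted` / `default`
syntax shown in this post; the sample table inventory is constructed.
"""
import re

# Conservative policy: only MySQL's unquoted-identifier charset
# (ASCII letters, digits, `_`, `$`, at most 64 chars) is accepted,
# even though quoted identifiers may legally contain more.
_IDENT = re.compile(r"^[A-Za-z0-9_$]{1,64}$")


def quote_ident(name: str) -> str:
    """Backtick-quote a schema or table name, rejecting anything that
    could smuggle extra SQL into the generated DDL."""
    if not _IDENT.match(name):
        raise ValueError(f"refusing to build DDL for identifier {name!r}")
    return f"`{name}`"


def tde_statement(schema: str, table: str, encrypt: bool = True) -> str:
    """One ALTER TABLE; encrypt=False yields the rollback form."""
    fmt = "encrypted" if encrypt else "default"
    return (f"alter table {quote_ident(schema)}.{quote_ident(table)} "
            f"engine=innodb block_format={fmt};")


def plan_tde_rollout(schema, tables, encrypt=True, skip=()):
    """Ordered statements for every table not listed in `skip`.

    Each ALTER rebuilds the table, so review the plan and the table
    sizes before running it against a production instance."""
    return [tde_statement(schema, t, encrypt) for t in tables if t not in skip]


if __name__ == "__main__":
    # Constructed inventory; in practice read it from information_schema.
    tables = ["customers", "payments", "audit_log"]
    for stmt in plan_tde_rollout("shop", tables, skip={"audit_log"}):
        print(stmt)
```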

Conclusion

Currently only SQL Server 2008 R2 and MySQL 5.6 databases support TDE, and once TDE is activated, it cannot be deactivated.

Encryption uses keys produced and managed by the Key Management Service (KMS); RDS does not provide the keys and certificates needed for encryption. After activating TDE, a user who wants to restore the data to a local machine must first use RDS to decrypt the data.

Further Reading

  1. TDE Setup Documentation

Reference:

https://www.alibabacloud.com/blog/setting-up-tde-in-mysql-rds_593858?spm=a2c41.11832000.0.0
