Disk encryption

Features

After you enable disk encryption, the system encrypts the following data:

• Data at rest on the disk

• Data in transit between the disk and the instance (Encryption is not supported for system disks.)

• All snapshots created from the encrypted disk are also encrypted.

Notes

• You can enable disk encryption only when you create an AnalyticDB for PostgreSQL instance. This feature cannot be enabled on an existing instance.

• You cannot disable disk encryption after it is enabled.

• After you enable disk encryption, snapshots of the instance and any instances created from these snapshots are also automatically encrypted.

• Disk encryption runs transparently and does not require you to modify your applications.

• If your Key Management Service (KMS) account has an overdue payment, the encrypted disks cannot be decrypted, and the entire instance becomes unavailable. Keep your KMS account in good standing.

• If you delete or disable the KMS key in use, the data on the disks becomes permanently inaccessible, the instance becomes unavailable, and the data is lost. Do not delete or disable a KMS key that is in use.

Billing

The disk encryption feature for AnalyticDB for PostgreSQL is free of charge. You do not incur extra fees for read and write operations on encrypted disks.

Key Management Service (KMS) involves fees for key management and API calls. For more information, see KMS 1.0 billing.

Enable disk encryption

Check disk encryption status

1. Go to the AnalyticDB for PostgreSQL Instances page, select a region in the top navigation bar, and then click the ID of the target instance.

2. On the instance details page, in the Basic Information section, the presence of the Encryption Key parameter indicates that disk encryption is enabled.

Related APIs