Configure transparent data encryption (TDE)

更新时间:
复制 MD 格式

PolarDB for PostgreSQL provides the transparent data encryption (TDE) feature. TDE performs real-time I/O encryption and decryption of data files. Data is encrypted before it is written to disk and decrypted when it is read from disk into memory. TDE does not increase the size of data files, and developers can use the TDE feature without changing any applications.

Prerequisites

  • KMS is activated. For more information, see Purchase a Dedicated KMS instance.

  • PolarDB is authorized to access KMS. For more information, see Authorize PolarDB to access KMS.

  • Your PolarDB for PostgreSQL cluster meets the following requirements:

    • Kernel version:

      • PostgreSQL 14 (kernel revision version 2.0.14.12.23.1 or later)

      • PostgreSQL 16 (kernel revision version 2.0.16.9.6.0 or later)

      • PostgreSQL 17 (kernel revision version 2.0.17.6.4.0 or later)

      • PostgreSQL 18 (kernel revision version 2.0.18.0.1.0 or later)

    • PolarDB for PostgreSQL (Distributed Edition) clusters are not supported.

Note

You can view the kernel revision version in the console or by running the SHOW polardb_version; statement. If your cluster does not meet the kernel revision version requirement, upgrade the kernel revision version.

Background

TDE encrypts data at rest at the database layer. This prevents OS users and attackers from reading sensitive data in plaintext from tablespace files, disks, or backups. Applications and users that are authenticated by the database can continue to access application data transparently without any changes to application code or configuration.

The TDE feature of PolarDB for PostgreSQL and uses keys that are generated and managed by . PolarDB does not provide the keys and certificates required for encryption. You can use keys that are automatically generated by Alibaba Cloud, or use your own key material to generate data keys and then authorize PolarDB to use them.

Limitations

  • After TDE is enabled, it cannot be disabled.

  • For I/O bound workloads, enabling TDE might have a slight performance impact on the database.

Procedure

To enable TDE when you create a cluster, see Create a database cluster or . The following procedure describes how to enable TDE for an existing PolarDB cluster.

Important

Enabling TDE causes the PolarDB cluster to restart. Proceed with caution.

  1. Log on to the PolarDB console. In the left-side navigation pane, click Clusters. In the top navigation bar, select the region where the cluster is deployed, and then click the cluster ID.

  2. In the left-side navigation pane, choose Settings and Management > Security.

  3. On the TDE Settings tab, turn on the TDE Status switch.

    After TDE is enabled, it cannot be disabled. Proceed with caution.

  4. In the dialog box that appears, select Use Default Key CMK or Use Existing Custom Key.

    • If you select Use Default Key CMK, click OK to enable TDE.

      Important: Enabling TDE restarts the PolarDB instance and takes about 10 minutes. This operation requires a root account or an account with the AliyunSTSAssumeRoleAccess permission. The key becomes unavailable if it is disabled, scheduled for deletion, or its key material is deleted. If you revoke the authorization, the instance becomes unavailable after a restart. Only the Aliyun_AES_256 key type is supported.

    • If you select Use Existing Custom Key, select a key generated by KMS from the drop-down list and click OK to enable TDE.

      In the Configure TDE dialog box, you can also enable Automatic TDE Key Rotation, which is disabled by default. Important: Enabling TDE restarts the PolarDB instance and takes about 10 minutes. This operation requires a root account or an account with the AliyunSTSAssumeRoleAccess permission. Disabling the key renders it unavailable. If you revoke the authorization, the instance becomes unavailable after a restart. The only supported key type is Aliyun_AES_256.

Note
  • The only supported key type is Aliyun_AES_256.

  • If you use an existing custom key, the following conditions must be met:

    • The operation must be performed by a root account or an account that has the AliyunSTSAssumeRoleAccess permission.

    • Disabling the key, scheduling the key for deletion, or deleting the key material renders the key unavailable.

    • If you revoke the authorization, the PolarDB cluster becomes unavailable after a restart.

  • If you do not have a custom key, click Create Now to go to the KMS console to create a key and import your own key material. For more information, see Create a key.

Enabling TDE takes about 10 minutes to complete.

View TDE status

  1. Log on to the PolarDB console. In the left-side navigation pane, click Clusters. In the top navigation bar, select the region where the cluster is deployed, and then click the cluster ID.

  2. In the left-side navigation pane, choose Settings and Management > Security.

  3. On the TDE Settings tab, view the TDE Status switch.

Switch to a custom key

  1. Log on to the PolarDB console. In the left-side navigation pane, click Clusters. In the top navigation bar, select the region where the cluster is deployed, and then click the cluster ID.

  2. In the left-side navigation pane, choose Settings and Management > Security.

  3. On the TDE Settings tab, click the TDE Status switch.

  4. Once enabled, TDE cannot be disabled. Proceed with caution.

  5. In the dialog box that appears, select Use Existing Custom Key, select a key generated by KMS from the drop-down list, and then click OK.

    Note

    For notes about using an existing custom key, see the information in the Procedure section.

Advanced settings

Note
  • Automatic TDE key rotation is supported only when you use an existing custom key.

  • PolarDB does not update the primary key version of the custom key. You must manually update the key version or change the key rotation policy. For more information, see Key rotation.

  • After a PolarDB cluster detects that the primary key version of the custom key is updated, it rotates the TDE key during the next maintenance window. During this process, the PolarDB cluster restarts.

You can enable Automatic TDE Key Rotation in one of the following ways:

  • When you enable TDE and select to use a custom key, you can enable Automatic TDE Key Rotation in the Advanced Settings section of the Configure TDE dialog box.

    Before you enable this feature, note that automatic key rotation is supported only for custom keys. PolarDB does not automatically update the key version; you must update it manually in KMS. After you enable this feature, PolarDB rotates the TDE key and restarts the instance during the next maintenance window. Also, be aware of the following when enabling TDE: The process takes about 10 minutes and restarts the instance. It must be performed by a root account or an account with AliyunSTSAssumeRoleAccess permission. The instance becomes unavailable if the key is disabled or deleted, or if authorization is revoked and the instance is restarted. The only supported key type is Aliyun_AES_256.

  • After you enable TDE with a custom key, enable Automatic TDE Key Rotation in the Advanced Settings section on the Configure TDE tab.

FAQ

  • Can I still use common database tools, such as Navicat, after TDE is enabled?

    Yes, you can.

  • Why is data displayed in plaintext after encryption is enabled?

    When you query data, it is decrypted and read into memory, which is why it is displayed in plaintext. Data at rest is encrypted after TDE is enabled.

Related APIs

API

Description

ModifyDBClusterTDE

Enables TDE for a PolarDB cluster or modifies the encryption method.

DescribeDBClusterTDE

Queries the TDE settings of a PolarDB cluster.

CreateDBCluster

Creates a PolarDB cluster and enables TDE.

Note

The DBType parameter must be set to PostgreSQL or .