Disk encryption

ApsaraDB RDS for SQL Server provides disk encryption at no additional cost. You can enable this feature when you create an instance to encrypt all data on the data disk at the block storage level. Enabling disk encryption is transparent to your applications and requires no changes to your business logic or code.

Prerequisites and limitations

  • You cannot manually enable disk encryption for ApsaraDB RDS for SQL Server read-only instances or Serverless instances.

  • To enable disk encryption for a primary ApsaraDB RDS for SQL Server instance, the following prerequisites apply:

    • The storage type is Enhanced SSD or Premium Performance Disk.

    • The instance type is Dedicated, General-purpose, or Shared. For shared instance types, you can enable disk encryption only when you create the instance.

    • The primary instance must not have any attached read-only instances. If read-only instances are attached, you must first release the read-only instances before you can enable disk encryption. After encryption is enabled, any read-only instances you create from the primary instance will also be encrypted by default.

  • After you enable disk encryption, the following limitations apply:

    • Once enabled, disk encryption cannot be disabled.

    • Key selection limits: For shared instance types, you can use only the service key managed by RDS (Default Service CMK). For general-purpose and dedicated instance types, you can use either a service key or a custom key.
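
The rules above can be run as a pre-flight check over an instance inventory before anyone opens the console. This is an added example, not Alibaba Cloud code: the `Instance` fields, the verdict labels, and the sample fleet (including the "Local SSD" storage value) are assumptions made for illustration and are not ApsaraDB RDS API fields.

```python
from dataclasses import dataclass

# Added example. Field names and verdict labels are assumptions for
# illustration; the rules themselves come from the list above.
ELIGIBLE_STORAGE = {"Enhanced SSD", "Premium Performance Disk"}
KEYS_BY_TYPE = {
    "Shared": {"service"},                    # Default Service CMK only
    "General-purpose": {"service", "custom"},
    "Dedicated": {"service", "custom"},
}

@dataclass
class Instance:
    name: str
    role: str                  # "primary" or "read-only"
    instance_type: str         # "Shared", "General-purpose" or "Dedicated"
    storage: str
    serverless: bool = False
    read_only_children: int = 0
    encrypted: bool = False

def allowed_keys(instance_type):
    """Key kinds an instance type may use; empty set if the type is not eligible."""
    return KEYS_BY_TYPE.get(instance_type, set())

def assess(inst):
    """Classify an existing instance for in-place disk encryption."""
    if inst.encrypted:
        return "encrypted", "already enabled; cannot be disabled"
    if inst.role == "read-only" or inst.serverless:
        return "unsupported", "read-only and Serverless instances cannot be enabled manually"
    if inst.storage not in ELIGIBLE_STORAGE:
        return "unsupported", f"storage type {inst.storage!r} is not eligible"
    if not allowed_keys(inst.instance_type):
        return "unsupported", f"instance type {inst.instance_type!r} is not eligible"
    if inst.instance_type == "Shared":
        return "creation-only", "shared types are encrypted only at creation, with the service key"
    if inst.read_only_children:
        return "blocked", f"release {inst.read_only_children} read-only instance(s) first"
    return "eligible", f"key choices: {sorted(allowed_keys(inst.instance_type))}"

# Constructed sample inventory.
FLEET = [
    Instance("orders", "primary", "Dedicated", "Enhanced SSD"),
    Instance("billing", "primary", "General-purpose", "Enhanced SSD", read_only_children=2),
    Instance("legacy", "primary", "Shared", "Premium Performance Disk"),
    Instance("reports-ro", "read-only", "Dedicated", "Enhanced SSD"),
    Instance("archive", "primary", "Dedicated", "Local SSD"),
]

def audit(fleet):
    """Map instance name to verdict for a whole inventory."""
    return {inst.name: assess(inst)[0] for inst in fleet}
```
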

Billing

  • Disk encryption is available at no additional cost. You are not charged for read and write operations on encrypted disks.

  • Keys for disk encryption are managed by KMS. Default keys, including service keys and master keys, are free to use. If you use a custom key, such as a software-protected or hardware-protected key, you are charged by KMS.

Precautions

  • Transient disconnections: Changing a key or enabling disk encryption for an existing instance causes a transient disconnection. The instance is unavailable for approximately 30 seconds for high availability (HA) and Cluster Edition instances, and for about 5 minutes for Basic Edition instances. We recommend that you perform these operations during off-peak hours and ensure that your application has an automatic reconnection mechanism.

  • Overdue KMS payments, or disabling or deleting a key, can affect instances that use disk encryption:

    • Impact of overdue KMS payments: If you use a paid key type, such as a software-protected or hardware-protected key, an overdue payment for KMS can prevent the disk from being decrypted. This renders the entire instance unavailable. To avoid this, ensure your KMS payments are up to date.

    • Impact of disabling or deleting a key: For keys whose lifecycles you can manage, such as master keys and custom keys, disabling or deleting the key will lock the RDS instance that uses it. The instance becomes inaccessible. All operations and maintenance (O&M) tasks, such as backups, configuration changes, restarts, and HA switchovers, will fail.

  • The service key managed by RDS (Default Service CMK) uses the Aliyun_AES_256 specification, and the key rotation service is disabled by default. If you need to enable the key rotation service, go to the KMS console to purchase and configure it.

Enable disk encryption

Enable encryption for a new instance

  1. When you create an ApsaraDB RDS for SQL Server instance, set the storage type to Enhanced SSD (ESSD) or Premium Performance Disk.

  2. Select Disk Encryption and choose a key.

    Note
    • To learn how to create a custom key, see Create and enable a key.

    • When you create an instance, select the Disk Encryption option before you select an instance type.

      If you are creating a shared instance type and want to enable disk encryption, you must select Default Service CMK for the key. Shared instance types can only be encrypted by using a service key.

Enable encryption for an existing instance

Important

Enabling disk encryption for an existing instance causes a transient disconnection. The instance is unavailable for approximately 30 seconds for high availability (HA) and Cluster Edition instances, and for about 5 minutes for Basic Edition instances. We recommend that you perform this operation during off-peak hours and ensure that your application has an automatic reconnection mechanism.

  1. Go to the Instances page. In the top navigation bar, select the region of your instance, and then click the instance ID.

  2. In the left-side navigation pane, click Data Security.

  3. On the Data Encryption tab, click Enable Cloud Disk Encryption.

  4. In the dialog box that appears, select a key and click OK. The instance status immediately changes to Configuration Changing.

  5. After a short time, the instance status returns to Running. On the Data Encryption tab, the Data Disk Encryption status changes to Encrypted, and you can view details such as Key Name, Key Type, and Key Validity.

View disk encryption status and key details

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. On the Basic Information page of the instance, view the key used for disk encryption.

    Note
    • If the Basic Information page does not display a key, disk encryption was not enabled when the instance was created.

    • You can view all keys for your account in the KMS console.

      On the Key Management > Default Key tab, a key whose Key Usage is Service Key is an Alibaba Cloud-managed key.

Change the key

You can change the key for an ApsaraDB RDS for SQL Server instance if disk encryption is enabled and the instance type is dedicated or general-purpose. You cannot change the key for a shared instance because it can only use a service key.

Important

Changing the key causes a transient disconnection. The instance is unavailable for approximately 30 seconds for high availability (HA) and Cluster Edition instances, and for about 5 minutes for Basic Edition instances. We recommend that you perform this operation during off-peak hours and ensure that your application has an automatic reconnection mechanism.

  1. Go to the Instances page. In the top navigation bar, select the region of your instance, and then click the instance ID.

  2. In the left-side navigation pane, click Data Security.

  3. On the Data Encryption tab, click Replace Key.

  4. In the Change Encryption Key of Data Disk dialog box, select a new key and click OK.

Related APIs