Tair (Redis OSS-compatible) supports transparent data encryption (TDE), which encrypts and decrypts RDB data files. You can enable TDE on the console to automatically encrypt and decrypt RDB data to enhance data security and meet compliance requirements.
Prerequisites
- The instance must be a memory-optimized Tair (Enterprise Edition) instance.
- The instance version must be within the supported range. For instructions on updating the minor version, see Update the minor version of an instance.
  - For a classic instance, the minor version must be 1.7.1 or later.
  - For a cloud-native instance, the major version must be 6.0 or later and the minor version must be 25.12.2.0 or later.
Background
The TDE feature for Tair (Redis OSS-compatible) encrypts RDB data files before writing them to disk and decrypts them when reading them into memory. This feature does not require additional storage space or changes to your client applications.
Figure 1. TDE encryption
Impacts
Once enabled, TDE cannot be disabled. Before enabling this feature, evaluate the following impacts on your services:
Cloud-native instances
- You can convert the instance to a global multi-active instance.
- You can use DTS to perform full and incremental data synchronization.
- You can migrate the availability zone.
- Offline full key analysis is not supported.
- You cannot restore a TDE-enabled instance from the recycle bin.
Classic instances
- Availability zone migration is not supported.
- Offline full key analysis is not supported.
- Conversion to a global multi-active instance is not supported.
- Data migration or synchronization using DTS is not supported.
Notes
- You cannot control TDE at the key or database (DB) level.
- TDE encrypts data persistence files (RDB backup files), such as dump.rdb.
- Key Management Service (KMS) generates and manages the keys used for TDE. Tair (Redis OSS-compatible) does not provide the keys or certificates required for encryption.
- You cannot restore a TDE-enabled instance from the recycle bin.
Procedure
- Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance is deployed. Then, find the instance and click its ID.
- In the navigation pane on the left, click TDE Settings.
- Turn on the switch next to TDE Status.
  Note: If the minor version of the instance is earlier than the required version, the switch is disabled. For instructions on viewing and updating the minor version, see Update the minor version and proxy version of an instance.
- In the dialog box that appears, select Use Automatically Generated Key or Use Custom Key, and then click OK.
  Note: The first time you enable TDE, you must authorize the AliyunRdsInstanceEncryptionDefaultRole role.
  To learn how to create a custom key, see Key Management Service (KMS).
After you configure the settings, the instance status changes to Modifying TDE. The operation is complete when the status changes to Running.
API reference
| API | Description |
| --- | --- |
| | Enables TDE for an instance. You can use an automatically generated key or a custom key. |
| | Checks if TDE is enabled for an instance. |
| | Lists the custom keys available for TDE. |
| | Retrieves the details of a custom key used for TDE. |
| | Checks if the instance is authorized to use Key Management Service (KMS). |
FAQ
- Q: How do I decrypt an encrypted RDB data file that I have downloaded?
  A: You cannot decrypt it directly. Instead, restore the backup set to a new instance. After the restoration, the data is automatically decrypted.
- Q: Why is the data retrieved by my client displayed in plaintext?
  A: TDE encrypts data only when it is written to disk as RDB backup files. Client queries read data from memory, and data in memory is not encrypted. Therefore, the data appears in plaintext.
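A quick triage check for the first FAQ, added here as an example and not part of the Tair documentation or product: a plaintext RDB dump begins with the ASCII magic `REDIS` followed by a four-digit format version, so a downloaded backup that lacks that header is not a dump you can parse locally and, for a TDE-enabled instance, has to be restored to a new instance as the answer above describes. It assumes (not stated on the page) that a TDE-encrypted backup does not keep the `REDIS` header in plaintext; the sample bytes are constructed.

```python
RDB_MAGIC = b"REDIS"
RDB_HEADER_LEN = 9  # b"REDIS" + four ASCII digits, e.g. b"REDIS0011"


def classify_rdb(data: bytes) -> dict:
    """Report whether the leading bytes look like a plaintext RDB dump.

    Returns {"plaintext_rdb": bool, "version": int | None}. A header other
    than "REDIS" + 4 digits means the file is not parseable as RDB; for a
    TDE-enabled instance that is the expected state of a downloaded backup
    (assumption: TDE does not leave the magic header in the clear), and the
    only supported path is restoring the backup set to a new instance.
    """
    header = data[:RDB_HEADER_LEN]
    if len(header) < RDB_HEADER_LEN or not header.startswith(RDB_MAGIC):
        return {"plaintext_rdb": False, "version": None}
    version = header[len(RDB_MAGIC):]
    if not version.isdigit():
        return {"plaintext_rdb": False, "version": None}
    return {"plaintext_rdb": True, "version": int(version)}


def classify_rdb_file(path: str) -> dict:
    """Read only the header bytes; the rest of the file is not needed."""
    with open(path, "rb") as fh:
        return classify_rdb(fh.read(RDB_HEADER_LEN))


# Constructed samples, not real backup files.
PLAINTEXT_SAMPLE = b"REDIS0011\xfa\tredis-ver\x057.0.0"      # unencrypted dump
OPAQUE_SAMPLE = bytes.fromhex("8f2107a355de44900c17a1")      # no RDB header
TRUNCATED_SAMPLE = b"REDIS00"                                # too short

if __name__ == "__main__":
    for name, sample in (("plaintext", PLAINTEXT_SAMPLE),
                         ("opaque", OPAQUE_SAMPLE),
                         ("truncated", TRUNCATED_SAMPLE)):
        print(name, classify_rdb(sample))
```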