Encrypting a DDS DB Instance
Overview
After encryption is enabled, disk data is encrypted before it is stored on the server, both when you create a DB instance and when you expand disk capacity. When you download encrypted objects, the data is decrypted on the server and returned in plaintext.
Restrictions
- The KMS Administrator permission must be granted, using IAM, in the region of RDS. For details about how to assign permissions to user groups, see "How Do I Manage User Groups and Grant Permissions to Them?" in the Identity and Access Management User Guide.
- To use a user-defined key to encrypt objects to be uploaded, create a key using DEW. For details, see Creating a CMK.
- Once disk encryption is enabled, you cannot disable it or change the key after the DB instance is created. Backup data stored in OBS is not encrypted.
- After a Document Database Service (DDS) DB instance is created, do not disable or delete the key that is being used. Otherwise, DDS will be unavailable and data cannot be restored.
- If you scale up a DB instance with disks encrypted, the expanded storage space will be encrypted using the original encryption key.
Using KMS to Encrypt a DB Instance (on the Console)
When you purchase a DB instance in DDS, you can set Disk Encryption to Enable and use the key provided by KMS to encrypt the disk of the DB instance. For more information, see Buy a Cluster Instance.
Using KMS to Encrypt a DB Instance (Through an API)
You can also call the required API of DDS to purchase encrypted DB instances. For details, see Document Database Service API Reference.