Performing a Server-Side Encryption
Introduction
The RDS console supports server-side encryption with Data Encryption Workshop (DEW)-managed keys.
DEW uses a third-party hardware security module (HSM) to protect keys, enabling you to create and control encryption keys easily. Keys are not displayed in plaintext outside HSMs, which prevents key disclosure. With DEW, all operations on keys are controlled and logged, and usage records of all keys can be provided to meet regulatory compliance requirements.
After server-side encryption is enabled, disk data will be encrypted and stored on the server when you create a DB instance or expand disk capacity. When downloading the encrypted objects, the encrypted data will be decrypted on the server and displayed in plaintext to you.
Encrypting Disks Using Server-Side Encryption
To perform server-side encryption, you first need a key: either create one using Data Encryption Workshop (DEW) or use the default key provided by DEW. When creating a DB instance, select Enable for Disk Encryption and then select an existing key or create a new one. This key is the tenant key and is used for server-side encryption to protect the disk. For details, see Buying a DB Instance.
- The KMS administrator permission must have been granted, in the region where RDS is used, through Identity and Access Management (IAM). On the IAM console, add the permission policy to the user group. For details, see Creating a User Group and Assigning Permissions.
- If you want to use a user-defined key instead of the default key to encrypt objects to be uploaded, create the key using DEW. For details, see Creating a CMK.
- Once the DB instance is created, you cannot modify the disk encryption status or change the key. The backup data stored in OBS will not be encrypted.
- After an RDS DB instance is created, do not disable or delete the key that is being used. Otherwise, the DB instance will be unavailable and data cannot be restored.
- If you scale up a DB instance with disks encrypted, the expanded storage space will be encrypted using the original encryption key.
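The three caveats above (encryption cannot be enabled after creation, the key in use must never be disabled or deleted, and scaled-up storage inherits the original key) are easy to violate during routine key rotation or cleanup. The following is an added example, not code from the documentation or from the RDS/DEW product: a pre-change guard that, given an exported inventory of DB instances and DEW keys, refuses to retire a key still referenced by an encrypted instance and lists instances whose key is already in an unsafe state. The inventories and field names are constructed assumptions; in practice they would be exported from the RDS and DEW consoles.

```python
"""Pre-change guard for DEW keys used by RDS disk encryption.

Added example, not part of the RDS documentation or product. The key and
instance inventories are constructed inline; field names are assumptions
standing in for whatever an export from the RDS and DEW consoles provides.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Key states that leave a dependent DB instance unavailable: the
# documentation says a key in use must not be disabled or deleted.
UNSAFE_KEY_STATES = {"disabled", "pending_deletion", "deleted"}


@dataclass(frozen=True)
class KmsKey:
    key_id: str
    state: str  # e.g. "enabled", "disabled", "pending_deletion" (assumed values)


@dataclass(frozen=True)
class RdsInstance:
    instance_id: str
    disk_encrypted: bool
    key_id: Optional[str]  # DEW key encrypting the disk; None if not encrypted


# Constructed sample inventory (placeholder identifiers, not real resources).
KEYS = [
    KmsKey("key-default-0001", "enabled"),
    KmsKey("key-tenant-0002", "enabled"),
    KmsKey("key-tenant-0003", "pending_deletion"),
]
INSTANCES = [
    RdsInstance("rds-prod-a", True, "key-tenant-0002"),
    RdsInstance("rds-prod-b", True, "key-tenant-0003"),
    RdsInstance("rds-legacy-c", False, None),
]


def keys_in_use(instances: List[RdsInstance]) -> Dict[str, List[str]]:
    """Map each key_id to the encrypted instances whose disks depend on it."""
    usage: Dict[str, List[str]] = {}
    for inst in instances:
        if inst.disk_encrypted and inst.key_id:
            usage.setdefault(inst.key_id, []).append(inst.instance_id)
    return usage


def can_retire_key(key_id: str, instances: List[RdsInstance]) -> bool:
    """Return True only if no encrypted instance still references key_id.

    Run this before disabling or scheduling deletion of a DEW key; a key
    that is still in use would make its DB instances unavailable.
    """
    return key_id not in keys_in_use(instances)


def instances_at_risk(instances: List[RdsInstance],
                      keys: List[KmsKey]) -> Dict[str, dict]:
    """Find keys that are already disabled, pending deletion or absent from
    the DEW inventory while still referenced by encrypted instances."""
    state = {k.key_id: k.state for k in keys}
    at_risk: Dict[str, dict] = {}
    for key_id, inst_ids in keys_in_use(instances).items():
        key_state = state.get(key_id, "missing")
        if key_state == "missing" or key_state in UNSAFE_KEY_STATES:
            at_risk[key_id] = {"state": key_state, "instances": sorted(inst_ids)}
    return at_risk


def unencrypted_instances(instances: List[RdsInstance]) -> List[str]:
    """Instances created without disk encryption. Encryption cannot be
    switched on in place, so remediation means creating a new encrypted
    instance and migrating the data."""
    return sorted(i.instance_id for i in instances if not i.disk_encrypted)


if __name__ == "__main__":
    for key in KEYS:
        verdict = "safe to retire" if can_retire_key(key.key_id, INSTANCES) else "IN USE"
        print(f"{key.key_id}: {verdict}")
    print("at risk:", instances_at_risk(INSTANCES, KEYS))
    print("unencrypted (recreate to encrypt):", unencrypted_instances(INSTANCES))
```

Because scaled-up storage keeps the original key, the usage map does not need to track disk size or expansion history: one key per instance is the whole dependency, which is what makes the retirement check a simple membership test.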