Encrypting a DDS DB Instance
Overview
After disk encryption is enabled for a DB instance, the data written to its disks is encrypted at rest on the server, both when the instance is created and when its disk capacity is expanded. When encrypted data is read, it is decrypted on the server and returned in plaintext; no client-side decryption is involved.
Restrictions
- The KMS Administrator permission must be granted, using IAM, in the region where the DDS DB instance is located. For details about how to assign permissions to user groups, see "How Do I Manage User Groups and Grant Permissions to Them?" in the Identity and Access Management User Guide.
- To encrypt the instance disk with a user-defined key, first create the key in DEW (Data Encryption Workshop). For details, see .
- Once disk encryption is enabled, it cannot be disabled and the key cannot be changed after the DB instance is created. Choose the key carefully before purchase. Backup data stored in OBS is not encrypted by this feature.
- After a Document Database Service (DDS) DB instance is created, do not disable or delete the key it uses. Otherwise, the instance becomes unavailable and its data cannot be restored.
- If you scale up the storage of a DB instance with encrypted disks, the added space is encrypted with the original key.
Using KMS to Encrypt a DB Instance (on the Console)
When you purchase a DB instance in DDS, set Disk Encryption to Enable and select a key provided by KMS to encrypt the instance disk. For more information, see .
Using KMS to Encrypt a DB Instance (Through an API)
You can also purchase encrypted DB instances by calling the DDS instance creation API and specifying the KMS key to use. For details, see the Document Database Service API Reference.
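The following is an added example, not code from the DDS documentation or the service itself. It shows the preflight a caller should run before submitting an encrypted-instance creation request through the API, enforcing the restrictions above at the only point where they can still be enforced: the key ID must be a well-formed KMS key ID, and the key must currently be enabled, because it can never be swapped later and a disabled or deleted key leaves the instance unavailable with no way to restore its data. The field name `disk_encryption_id`, the `key_state` value "2" meaning enabled, the function names (`normalize_key_id`, `check_key_usable`, `build_create_request`, `EncryptionPreflightError`), the region string and the two sample key records are assumptions made for this example; the records are constructed and no API is called.

```python
# Added example: preflight checks before creating a KMS-encrypted DDS instance.
# Not code from the DDS documentation. Assumptions (see lead-in):
#   - the create-instance request carries the key as `disk_encryption_id`,
#     a KMS key ID in UUID form;
#   - a key record is a dict shaped like a KMS describe-key response with
#     `key_id` and `key_state`, where "2" means enabled.
import uuid

KEY_STATE_ENABLED = "2"   # assumed KMS encoding for an enabled key


class EncryptionPreflightError(ValueError):
    """Raised when the chosen key must not be used for the new instance."""


def normalize_key_id(key_id):
    """Return the key ID in canonical UUID form, or raise if malformed."""
    try:
        return str(uuid.UUID(str(key_id)))
    except ValueError as exc:
        raise EncryptionPreflightError(
            f"disk_encryption_id is not a UUID: {key_id!r}") from exc


def check_key_usable(key_record):
    """Reject a key that is not enabled.

    The key cannot be changed once the instance exists, and a disabled or
    deleted key makes the instance unavailable and its data unrecoverable,
    so a key that is not enabled now must not be bound to a new instance.
    """
    state = key_record.get("key_state")
    if state != KEY_STATE_ENABLED:
        raise EncryptionPreflightError(
            f"key {key_record.get('key_id')!r} is not enabled "
            f"(key_state={state!r}); refusing to create an instance bound to it")


def build_create_request(name, region, key_record):
    """Assemble the encryption-relevant part of a create-instance body.

    The remaining parameters (datastore, flavor, network IDs, password, ...)
    are documented in the DDS API Reference and are omitted here.
    """
    key_id = normalize_key_id(key_record.get("key_id"))
    check_key_usable(key_record)
    return {
        "name": name,
        "region": region,
        "disk_encryption_id": key_id,   # assumed field name
    }


# Constructed sample key records (not real keys), shaped like describe-key output.
ENABLED_KEY = {"key_id": "0d0466b0-e727-4d9c-b35d-f84bb474a37f", "key_state": "2"}
DISABLED_KEY = {"key_id": "0d0466b0-e727-4d9c-b35d-f84bb474a37f", "key_state": "3"}

if __name__ == "__main__":
    print(build_create_request("dds-example-01", "cn-north-4", ENABLED_KEY))
    try:
        build_create_request("dds-example-02", "cn-north-4", DISABLED_KEY)
    except EncryptionPreflightError as err:
        print("rejected:", err)
```

The check is point-in-time only: it cannot stop the key from being disabled or deleted after the instance exists. Protect the key with IAM so that only a small set of principals can change its state, and treat any disable or schedule-for-deletion action on a key bound to a DDS instance as an incident.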