Updated on 2024-03-14 GMT+08:00

Converting an Ordinary Cluster to an Encrypted Cluster

GaussDB(DWS) allows you to convert an unencrypted cluster to an encrypted cluster on the console when the cluster status is Available. To ensure data security, the conversion is irreversible. It is a high-risk operation that restarts the cluster, so services may be unavailable for a short period of time. Exercise caution when performing this operation.

By default, clusters (versions 8.1.3.325 and later, and 8.2.1.105 and later) created on the console support encryption. For old clusters later than 8.0.x, contact technical support to upgrade them.

Procedure

  1. Log in to the GaussDB(DWS) management console. In the navigation pane, choose Clusters > Dedicated Clusters.
  2. In the cluster list, locate the row that contains the target cluster and choose More > Convert to Encrypted Cluster in the Operation column.

    If Convert to Encrypted Cluster is not displayed, either the cluster is an earlier version that cannot be converted to an encrypted cluster, or the cluster is already an encrypted cluster.

  3. In the dialog box that is displayed, select the key source and encryption algorithm to convert the cluster into an encrypted cluster.

    • Method 1: Select a key name.

    • Method 2: Enter the key ID used for authorizing the current tenant.

      When you grant permissions on the Creating a Grant page, the authorized object must be an account instead of a user. The authorized operations must at least contain Querying key details, Encrypting data, and Decrypting data.

    Table 1 Parameter description

    | Parameter | Description |
    |---|---|
    | Key Source | You can select a key name from the key list or directly enter a key name. |
    | Cryptographic Algorithm | The encryption algorithms are as follows: AES256 (general encryption algorithm, SM algorithms not supported); SM4 (compatible with international algorithms). |

    • The database encryption function cannot be disabled once it is enabled.
    • After Encrypt DataStore is enabled, the key cannot be disabled, deleted, or frozen when being used. Otherwise, the cluster becomes abnormal and the database becomes unavailable.
    • Snapshots created after the database encryption function is enabled cannot be restored using open APIs.
    • By default, only Huawei Cloud accounts or users with Security Administrator permissions can query and create agencies. IAM users under an account do not have the permission to query or create agencies by default. Contact a user with that permission and complete the authorization on the current page.

  4. After the conversion, you can click the cluster name to go to the Cluster Details page to view the cluster details. For details, see Viewing Database Encryption Information.