Updated on 2025-07-11 GMT+08:00

Enabling TDE

Transparent Data Encryption (TDE) performs real-time I/O encryption and decryption on data files. Data is encrypted before it is written to disk and decrypted when it is read from disk into memory. This protects databases and data files at rest.

Constraints on Usage

  • To configure TDE, you must have the iam:agencies:createServiceLinkedAgencyV5 permission.
  • You need to enable Key Management Service (KMS) for your TaurusDB instance first. The data keys used for encryption are generated and managed by KMS. TaurusDB does not provide any keys or certificates required for encryption.
  • To enable TDE, the kernel version of your TaurusDB instance must be 2.0.47.231100 or later.
  • TDE can be enabled only when a DB instance is created. After the instance is created, TDE cannot be enabled or disabled.
  • TDE encrypts instance data, including full backups but excluding incremental backups.
  • After TDE is enabled, the cryptographic algorithm cannot be changed.
  • Only instance-level encryption is supported.
  • After TDE is enabled for a DB instance, you cannot:
    • Restore the data of the DB instance to an existing DB instance.
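
The constraints above can be checked before an instance is ordered. The following pre-flight check is an added example, not code from TaurusDB or its documentation. The dictionary keys (granted_actions, kms_enabled, kernel_version, already_created, tde_enabled) and the sample values are constructed for illustration and are not fields of any TaurusDB or IAM API.

```python
# Added example: pre-flight check of the TDE constraints listed on this page.
# All dict keys and sample values below are constructed, not API fields.

MIN_KERNEL = "2.0.47.231100"
REQUIRED_ACTION = "iam:agencies:createServiceLinkedAgencyV5"


def parse_version(text):
    """Turn '2.0.47.231100' into (2, 0, 47, 231100) for numeric comparison."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised kernel version: {text!r}")
    return tuple(int(p) for p in parts)


def kernel_supports_tde(version):
    # Compare numerically: as plain strings, '2.0.5.0' sorts after
    # '2.0.47.231100' and an old kernel would wrongly pass the check.
    return parse_version(version) >= parse_version(MIN_KERNEL)


def tde_preflight(plan):
    """Return the list of constraint violations for one instance plan."""
    problems = []
    if REQUIRED_ACTION not in plan["granted_actions"]:
        problems.append(f"missing permission {REQUIRED_ACTION}")
    if not plan["kms_enabled"]:
        problems.append("KMS is not enabled; TaurusDB does not provide keys")
    if not kernel_supports_tde(plan["kernel_version"]):
        problems.append(f"kernel {plan['kernel_version']} is older than {MIN_KERNEL}")
    if plan["already_created"] and not plan["tde_enabled"]:
        problems.append("TDE can be set only at creation; it cannot be enabled now")
    return problems


# Constructed sample plans (the kernel versions here are made-up test values).
SAMPLE_NEW = {"granted_actions": {REQUIRED_ACTION}, "kms_enabled": True,
              "kernel_version": "2.0.51.240300", "already_created": False,
              "tde_enabled": True}
SAMPLE_OLD = {"granted_actions": set(), "kms_enabled": True,
              "kernel_version": "2.0.5.0", "already_created": True,
              "tde_enabled": False}

if __name__ == "__main__":
    for name, plan in (("new", SAMPLE_NEW), ("old", SAMPLE_OLD)):
        print(name, tde_preflight(plan) or "OK")
```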

Procedure

  1. Go to the Buy DB Instance page.
  2. On the displayed page, set TDE to Enabled and select the corresponding cryptographic algorithm.

  3. After the DB instance is created, click the DB instance name to go to the Basic Information page and view the TDE field.