Updated on 2026-04-24 GMT+08:00

Performing a Server-Side Encryption

Introduction

The RDS console provides server-side encryption with DEW-managed keys. (DEW is short for Data Encryption Workshop.)

DEW uses a hardware security module (HSM) to protect keys, so you can create and control encryption keys without handling the key material yourself. For security, keys never leave the HSMs in plaintext. With DEW, every operation on a key is access-controlled and logged, and usage records for all keys can be provided to meet regulatory compliance requirements.

If server-side encryption is enabled, disk data is encrypted before it is written to storage when you create a DB instance or expand its disk capacity. When the data is read back, it is decrypted on the server and returned to you in plaintext, so encryption and decryption are transparent to the database client.

Encrypting Disks Using Server-Side Encryption

For server-side encryption, you need to first create a key using DEW or use the default key that DEW comes with. When creating a DB instance, enable disk encryption and select an existing key or create a new one as the tenant key. The key is used for server-side encryption.

  • You will need the KMS administrator permission for the region where RDS is deployed. This permission can be granted using Identity and Access Management (IAM). To grant the permissions, see Creating a User and Granting Permissions.
  • If you want to encrypt the disk with a user-defined key, create the key in DEW first. RDS currently supports only symmetric keys for disk encryption.
  • If you enable disk encryption during instance creation, the disk encryption status and the key cannot be changed later. Disk encryption will not encrypt backup data stored in OBS buckets.
  • If disk encryption or backup data encryption is enabled, keep the key secure. Once the key is disabled, deleted, or frozen, the DB instance becomes inaccessible and the data may not be recoverable:
    • If disk encryption is enabled but backup data encryption is not, the backups remain readable, so you can restore the data to a new instance from a backup.
    • If both disk encryption and backup data encryption are enabled, the backups are unreadable as well, so the data cannot be restored.
  • If you scale up the storage of a DB instance with disk encryption enabled, the new storage will still use the original key for encryption.
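Because the key and the encryption setting cannot be changed after the instance is created, and an unusable key makes the instance unreadable, it pays to validate the key before you call the create-instance API. The following pre-flight check is an added example and is not code from the RDS documentation or the RDS/DEW SDKs. It assumes the key description has the field names of the KMS DescribeKey response (key_id, key_alias, key_spec, key_state, default_key_flag), that key_state "2" means enabled (3 disabled, 4 scheduled for deletion, 5 pending import), that AES_256 and SM4 are the symmetric key specs, and that the RDS create-instance body carries the key ID in disk_encryption_id; the sample key descriptions and key IDs are constructed for the example, and the request body shown omits the network, flavor and password fields a real request needs.

```python
# Added example, not from the RDS documentation: validate a DEW/KMS key before
# using it for RDS disk encryption, then place its ID in the create-instance body.
# Field names, key_state codes, key specs and the disk_encryption_id parameter are
# assumptions based on the KMS and RDS APIs; check them against your region's API.
from dataclasses import dataclass

# Assumed KMS key_state codes (strings in the API response).
KEY_STATE_ENABLED = "2"
KEY_STATE_NAMES = {
    "2": "enabled",
    "3": "disabled",
    "4": "scheduled for deletion",
    "5": "pending import",
}
# Assumed symmetric key specs; RDS disk encryption rejects asymmetric keys.
SYMMETRIC_KEY_SPECS = {"AES_256", "SM4"}

# Constructed sample key descriptions in the shape of a DescribeKey key_info object.
ENABLED_KEY = {
    "key_id": "0d0466b0-e727-4d9c-b35d-f84bb474a37f",
    "key_alias": "rds-disk-key",
    "key_spec": "AES_256",
    "key_state": "2",
    "default_key_flag": "0",
}
DISABLED_KEY = {**ENABLED_KEY, "key_id": "4b9f3c2e-1d2a-4f6e-9a1b-5c7d8e9f0a1b", "key_state": "3"}
ASYMMETRIC_KEY = {**ENABLED_KEY, "key_id": "7e1c9a3d-2b4f-4c5e-8d6a-0f1e2d3c4b5a", "key_spec": "RSA_2048"}


@dataclass
class KeyCheck:
    usable: bool
    reason: str


def check_key_for_rds(key_info: dict) -> KeyCheck:
    """Decide whether a key can back RDS disk encryption.

    Rejects keys that are not enabled (a disabled, deleted or frozen key makes the
    instance unreadable) and keys that are not symmetric (RDS only accepts those).
    """
    key_id = key_info.get("key_id", "<unknown>")
    state = str(key_info.get("key_state", ""))
    spec = key_info.get("key_spec", "")
    if state != KEY_STATE_ENABLED:
        state_name = KEY_STATE_NAMES.get(state, f"in unknown state {state!r}")
        return KeyCheck(False, f"key {key_id} is {state_name}; RDS could not read the disk")
    if spec not in SYMMETRIC_KEY_SPECS:
        return KeyCheck(False, f"key {key_id} has spec {spec}; RDS needs a symmetric key")
    return KeyCheck(True, "ok")


def build_create_instance_body(name: str, key_info: dict, volume_gb: int = 100) -> dict:
    """Build the encryption-relevant part of an RDS create-instance request body.

    Raises ValueError instead of sending a request that would create an instance
    bound to a key it cannot use. Other required fields (flavor, VPC, subnet,
    security group, password) are omitted here.
    """
    check = check_key_for_rds(key_info)
    if not check.usable:
        raise ValueError(check.reason)
    return {
        "name": name,
        "datastore": {"type": "MySQL", "version": "8.0"},
        "volume": {"type": "CLOUDSSD", "size": volume_gb},
        # Assumed parameter name for the tenant key used for disk encryption.
        "disk_encryption_id": key_info["key_id"],
    }


if __name__ == "__main__":
    for key in (ENABLED_KEY, DISABLED_KEY, ASYMMETRIC_KEY):
        result = check_key_for_rds(key)
        print(f"{key['key_id']}: usable={result.usable} ({result.reason})")
    print(build_create_instance_body("rds-demo", ENABLED_KEY))
```

Run the check against a freshly fetched key description immediately before creating the instance; a key that passes today can still be disabled or scheduled for deletion later, which is why the page tells you to keep the key secure for the life of the instance and its encrypted backups.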