Updated on 2023-01-11 GMT+08:00

Encrypting an RDS DB Instance


Relational Database Service (RDS) supports MySQL and PostgreSQL engines.

After encryption is enabled, disk data will be encrypted and stored on the server when you create a DB instance or expand disk capacity. When you download encrypted objects, the encrypted data will be decrypted on the server and displayed in plaintext.


  • The KMS Administrator right must be granted to the user in the region of RDS by using Identity and Access Management (IAM). For details about how to assign permissions to user groups, see "How Do I Manage User Groups and Grant Permissions to Them?" in Identity and Access Management User Guide.
  • To use a user-defined key to encrypt objects to be uploaded, create a key using DEW. For details, see Creating a CMK.
  • Once the disk encryption function is enabled, you cannot disable it or change the key after a DB instance is created. The backup data stored in OBS will not be encrypted.
  • After an RDS DB instance is created, do not disable or delete the key that is being used. Otherwise, RDS will be unavailable and data cannot be restored.
  • If you scale up a DB instance with disks encrypted, the expanded storage space will be encrypted using the original encryption key.

Using KMS to Encrypt a DB Instance (on the Console)

When a user purchases a database instance from Relational Database Service (RDS), the user can select Disk encryption and use the key provided by KMS to encrypt the disk of the database instance. For more information, see Buy a MySQL DB Instance and Buy a PostgreSQL DB Instance.

Figure 1 Encrypting data in RDS

Using KMS to Encrypt a DB Instance (Through an API)

You can also call the required API of RDS to purchase encrypted DB instances. For details, see Relational Database Service API Reference.