Enabling Transparent Data Encryption for a GaussDB Instance

Scenarios

You can enable transparent data encryption (TDE) for your instance on the instance details page.

Introduction Video

Precautions

• TDE can be enabled only when KMS is used.
• After enabling TDE, you need to manually reboot the instance to apply the change.
• Cross-cloud DR is not supported.
• After TDE is enabled, the encryption key cannot be changed.
• If TDE is enabled for instances whose DB engine version is V2.0-8.200.0 or later, database- and table-level backup and restoration are supported.
• Encrypted tables cannot be migrated using DRS.
• TDE can be used only in instances whose kernel version is V2.0-3.300 or later.
• Do not disable or delete the KMS key specified here, or encrypted tables will be inaccessible.

Enabling Transparent Data Encryption

1. Log in to the management console.
2. On the Instances page, click the name of the target instance to go to the Basic Information page.
3. In the Configuration area, click Enable in the Transparent Data Encryption field.
4. In the displayed dialog box, select a key from the Key Name drop-down list and enter YES.
   • If no key is available, click View Key Name List next to the Key Name field to go to the Key Management Service page and create a key. For details about how to create a key, see Creating a Custom Key.
   • If the selected key has been authorized for the current user, click OK to enable TDE.
   • If the selected key is not authorized for the current user, click Authorize next to the Key Name field to authorize key access. Then, click OK to enable TDE.
     Figure 1 Enabling transparent data encryption
     

5. After a message indicating that TDE is enabled is displayed, reboot the instance for the modification to take effect.