Updated on 2024-05-21 GMT+08:00

Enabling TDE

Transparent Data Encryption (TDE) performs real-time I/O encryption and decryption of data files. Data is encrypted before it is written to disk and decrypted when it is read from disk into memory. This protects the data stored on disk in databases and data files without requiring changes to applications.

Supported Regions

CN South-Guangzhou

Constraints on Usage

  • To enable TDE, submit a service ticket by choosing Service Tickets > Create Service Ticket in the upper right corner of the management console.
  • To configure TDE, you must have the iam:agencies:createServiceLinkedAgencyV5 permission. If you do not have this permission, create a custom policy.
  • You need to enable Key Management Service (KMS) for your DB instance first. The data keys used for encryption are generated and managed by KMS. GaussDB(for MySQL) does not provide any keys or certificates required for encryption.
  • To enable TDE, the kernel version of GaussDB(for MySQL) instances must be 2.0.47.231100 or later.
  • Your DB instance must be billed on a pay-per-use or yearly/monthly basis.
  • The instance must use a single-node or primary/standby deployment.
  • TDE can be enabled only when a DB instance is created. After the instance is created, TDE cannot be enabled or disabled.
  • TDE encrypts instance data, including full backups but excluding incremental backups.
  • After TDE is enabled, the cryptographic algorithm cannot be changed later.
  • Only instance-level encryption is supported.
  • After TDE is enabled for a DB instance, you cannot:
    • Enable cross-region backup for the DB instance.
    • Restore the data of the DB instance to an existing DB instance.

Procedure

  1. Go to the Buy DB Instance page.
  2. On the displayed page, set TDE to Enabled and select the corresponding cryptographic algorithm.

    Figure 1 Enabling TDE

  3. After the DB instance is created, click the DB instance name to go to the Basic Information page and view the TDE field.