Updated on 2023-04-03 GMT+08:00

Performing a Server-Side Encryption


The RDS console provides server-side encryption with Data Encryption Workshop (DEW)-managed keys.

DEW uses a third-party hardware security module (HSM) to protect keys, enabling you to easily create and control encryption keys. For security reasons, keys are not displayed in plaintext outside of HSMs. With DEW, all operations on keys are controlled and logged, and usage records of all keys can be provided to meet regulatory compliance requirements.

If server-side encryption is enabled, disk data will be encrypted and stored on the server when you create a DB instance or expand disk capacity. When downloading encrypted objects, the encrypted data will be decrypted on the server and displayed to you in plaintext.

Encrypting Disks Using Server-Side Encryption

For server-side encryption, you need to first create a key using DEW or use the default key that DEW comes with. When creating a DB instance, select Enable for disk encryption and select or create a key. This key is the end tenant key and will be used for server-side encryption. For details, see Buying a DB Instance.

  • You will need the KMS administrator permission for the region where RDS is deployed. This permission can be granted using Identity and Access Management (IAM). On the IAM console, add permission policies to user groups. For details, see Creating a User Group and Assigning Permissions.
  • If you want to use a user-defined key to encrypt objects to be uploaded, create a key using DEW. RDS supports only symmetric keys. For details, see Creating a CMK.
  • If you enable disk encryption during instance creation, the disk encryption status and the key cannot be changed later. Disk encryption will not encrypt backup data stored in OBS. To enable backup data encryption, contact customer service.
  • If disk encryption or backup data encryption is enabled, keep the key properly. Once the key is disabled, deleted, or frozen, the database will be unavailable and data may not be restored.
    • If disk encryption is enabled but backup data encryption is not enabled, you can restore data to a new instance from backups.
    • If both disk encryption and backup data encryption are enabled, data cannot be restored.
  • If you scale up a DB instance with disks encrypted, the expanded storage space will also be encrypted using the original encryption key.