Help Center > > User Guide> Working with RDS for PostgreSQL> Data Security> Performing a Server-Side Encryption

Performing a Server-Side Encryption

Updated at: May 26, 2020 GMT+08:00


The RDS console supports server-side encryption with Data Encryption Workshop (DEW)-managed keys.

DEW uses a third-party hardware security module (HSM) to protect keys, enabling you to create and control encryption keys easily. Keys are not displayed in plaintext outside HSMs, which prevents key disclosure. With DEW, all operations on keys are controlled and logged, and usage records of all keys can be provided to meet regulatory compliance requirements.

After server-side encryption is enabled, disk data will be encrypted and stored on the server when you create a DB instance or expand disk capacity. When downloading the encrypted objects, the encrypted data will be decrypted on the server and displayed in plaintext to you.

Encrypting Disks Using Server-Side Encryption

To perform a server-side encryption, you need to first create a key using Data Encryption Workshop (DEW) or use the default key provided by DEW. When creating a DB instance, select Encryption for Disk Encryption and select or create a key. The key is the end tenant key and is used for server-side encryption to ensure disk security. When you are creating a DB instance, enable the disk encryption and create a key. The key is the tenant key. For details, see the descriptions of buying DB instances in the Relational Database Service Getting Started.

  • The KMS administrator permission has been added in the region of RDS using Identity and Access Management (IAM). For details about how to add permissions, see "Creating a User Group and Assigning Permissions" in the Identity and Access Management User Guide.
  • If you want to use a user-defined key to encrypt objects to be uploaded, create a key using DEW. For details about how to create a key, see the "Creating a CMK" section in the Data Encryption Workshop User Guide.
  • Once the disk encryption function is enabled, you cannot disable it or change the key after a DB instance is created. The backup data stored in OBS will not be encrypted.
  • After an RDS DB instance is created, do not disable or delete the key that is being used. Otherwise, the DB instance will be unavailable and data cannot be restored.
  • If you scale up a DB instance with disks encrypted, the expanded storage space will be encrypted using the original encryption key.

Did you find this page helpful?

Submit successfully!

Thank you for your feedback. Your feedback helps make our documentation better.

Failed to submit the feedback. Please try again later.

Which of the following issues have you encountered?

Please complete at least one feedback item.

Content most length 200 character

Content is empty.

OK Cancel