Relational Database ServiceRelational Database Service

Elastic Cloud Server
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
Domain Name Service
VPC Endpoint
Cloud Connect
Enterprise Switch
Security & Compliance
Web Application Firewall
Host Security Service
Data Encryption Workshop
Database Security Service
Advanced Anti-DDoS
Data Security Center
Container Guard Service
Situation Awareness
Managed Threat Detection
Cloud Certificate Manager
Anti-DDoS Service
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GaussDB(for MySQL)
Distributed Database Middleware
GaussDB(for openGauss)
Developer Services
Distributed Cache Service
Simple Message Notification
Application Performance Management
Application Operations Management
API Gateway
Cloud Performance Test Service
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Cloud Communications
Message & SMS
Cloud Ecosystem
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP License Service
Support Plans
Customer Operation Capabilities
Partner Support Plans
Professional Services
Intelligent EdgeFabric
SDK Developer Guide
API Request Signing Guide
Koo Command Line Interface
Updated at: Apr 02, 2022 GMT+08:00

Performing a Server-Side Encryption


The RDS console provides server-side encryption with Data Encryption Workshop (DEW)-managed keys.

DEW uses a third-party hardware security module (HSM) to protect keys, enabling you to easily create and control encryption keys. For security reasons, keys are not displayed in plaintext outside of HSMs. With DEW, all operations on keys are controlled and logged, and usage records of all keys can be provided to meet regulatory compliance requirements.

If server-side encryption is enabled, disk data will be encrypted and stored on the server when you create a DB instance or expand disk capacity. When downloading encrypted objects, the encrypted data will be decrypted on the server and displayed to you in plaintext.

Encrypting Disks Using Server-Side Encryption

For server-side encryption, you need to first create a key using Data Encryption Workshop (DEW) or use the default key that DEW comes with. When creating a DB instance, select Enable for disk encryption and select or create a key. This key is the end tenant key and will be used for server-side encryption. For details, see Buying a DB Instance.

  • You will need the KMS administrator permission for the region where RDS is being deployed. This permission can be granted using Identity and Access Management (IAM). On the IAM console, add permission policies to user groups. For details, see Creating a User Group and Assigning Permissions.
  • If you want to use a user-defined key to encrypt objects to be uploaded, create a key using DEW. For details, see Creating a CMK.
  • Once a DB instance is created, you cannot modify the disk encryption status or change the key. The backup data stored in OBS, however, is not encrypted.
  • After an RDS DB instance is created, you cannot disable or delete the key for that instance, or the DB instance will become unusable and the data cannot be restored.
  • If you scale up a DB instance with disks encrypted, the expanded storage space will also be encrypted using the original encryption key.

Did you find this page helpful?

Failed to submit the feedback. Please try again later.

Which of the following issues have you encountered?

Please complete at least one feedback item.

Content most length 200 character

Content is empty.

OK Cancel