Updated on 2026-03-19 GMT+08:00

Enabling TDE for a DB Instance

Scenarios

Transparent Data Encryption (TDE) performs real-time I/O encryption and decryption on data files. Data is encrypted before being written to disks and is decrypted when being read from disks to memory. This effectively protects your databases and data files.

TDE ensures data security in the following scenarios:

  • Hard disks are stolen, causing data leakage.
  • Hackers intrude into the system and copy the files, causing data leakage. If TDE is not enabled for a database, hackers can browse all of its data as soon as they obtain the database files. If TDE is enabled, all data in the database is encrypted and no one can access it without the key.

Billing

Keys used for encryption are generated and managed by Key Management Service (KMS). TaurusDB's data encryption is free, and there are no charges for using KMS.

Required Permissions

  • If you enable TDE using a Huawei Cloud account, no additional configuration is required. If you enable TDE as an IAM user for the first time, you need to obtain the permission to create an agency.
  • To enable TDE, you must have the following IAM permissions.

    Table 1 IAM permissions and agencies

    IAM Policy: Role/Policy-based
    Permission:
      • iam:agencies:listAgencies
      • iam:agencies:createAgency
      • iam:permissions:listRolesForAgencyOnProject
      • iam:permissions:grantRoleToGroupOnProject
      • iam:permissions:grantRoleToAgencyOnProject
      • iam:roles:listRoles
      • iam:roles:createRole
      If you do not have these permissions, create a custom policy.
    Agency: The system will automatically create the RDSAccessProjectResource agency. This agency is visible to you. Deleting the agency will cause TDE to fail.

    IAM Policy: Identity policy-based
    Permission:
      • iam:agencies:listAgencies
      • iam:agencies:createServiceLinkedAgencyV5
      If you do not have these permissions, create a custom identity policy.
    Agency: The system will automatically create the ServiceLinkedAgencyForGaussDBforMySQL agency. This agency is visible to you but cannot be deleted.
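The following is an added example, not TaurusDB or Huawei Cloud code, showing how to turn the Table 1 action list into a custom policy document and how to check whether a policy an IAM user already holds covers those actions before TDE setup is attempted. The action names come from Table 1; the policy document shape ("Version", "Statement", "Effect", "Action"), the "1.1" version string, and "*" wildcard matching on action names are assumptions about the IAM policy syntax, and the existing policy shown is constructed.

```python
"""Custom IAM policy for enabling TDE, plus a coverage check.

Added example (not TaurusDB or Huawei Cloud code). The action names are the
ones listed in Table 1; the policy document shape ("Version", "Statement",
"Effect", "Action") and "*" wildcard matching on action names are assumptions
about the IAM policy syntax, and EXISTING_POLICY below is constructed.
"""
import fnmatch
import json

# Actions required for role/policy-based authorization (Table 1).
ROLE_POLICY_ACTIONS = [
    "iam:agencies:listAgencies",
    "iam:agencies:createAgency",
    "iam:permissions:listRolesForAgencyOnProject",
    "iam:permissions:grantRoleToGroupOnProject",
    "iam:permissions:grantRoleToAgencyOnProject",
    "iam:roles:listRoles",
    "iam:roles:createRole",
]

# Actions required for identity policy-based authorization (Table 1).
IDENTITY_POLICY_ACTIONS = [
    "iam:agencies:listAgencies",
    "iam:agencies:createServiceLinkedAgencyV5",
]


def build_custom_policy(actions, version="1.1"):
    """Return a minimal Allow-only policy document granting exactly `actions`.

    Assumption: "1.1" is the version string for role/policy-based custom
    policies; pass the identity-policy version string if you need that form.
    """
    return {
        "Version": version,
        "Statement": [{"Effect": "Allow", "Action": list(actions)}],
    }


def _patterns(policy, effect):
    """Collect the action patterns of every statement with the given Effect."""
    pats = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != effect:
            continue
        action = stmt.get("Action", [])
        pats.extend([action] if isinstance(action, str) else action)
    return pats


def missing_actions(policy, required):
    """Return the required actions the policy does not grant, in input order.

    An action is granted only if some Allow pattern matches it and no Deny
    pattern does (assumption: an explicit Deny wins, as in most policy models).
    """
    allow = _patterns(policy, "Allow")
    deny = _patterns(policy, "Deny")

    def matches(action, pats):
        return any(fnmatch.fnmatchcase(action, p) for p in pats)

    return [a for a in required if matches(a, deny) or not matches(a, allow)]


# Constructed example of a policy an IAM user might already hold: it can list
# agencies and do anything under iam:roles, but a Deny blocks createRole.
EXISTING_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:agencies:listAgencies", "iam:roles:*"]},
        {"Effect": "Deny", "Action": ["iam:roles:createRole"]},
    ],
}

if __name__ == "__main__":
    gap = missing_actions(EXISTING_POLICY, ROLE_POLICY_ACTIONS)
    print("missing for role/policy-based TDE setup:", gap)
    # The custom policy to attach closes exactly that gap.
    print(json.dumps(build_custom_policy(gap), indent=2))
```

The check treats a Deny as authoritative, so an action that is both wildcard-allowed and explicitly denied is reported as missing; the custom policy printed at the end only adds the missing Allow entries, which keeps the attached policy at the minimum the table calls for.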

Constraints

Table 2 Constraints

Phase: Before TDE is enabled
Constraint:
  • To enable TDE, submit a service ticket.
  • Once TDE is enabled, it cannot be disabled later.
  • To enable TDE, the kernel version of your TaurusDB instance must be 2.0.47.231100 or later. For details about how to check the kernel version, see How Can I Check the Version of a TaurusDB Instance?
  • TDE can only be enabled for single-node and cluster DB instances.
  • You need to enable KMS for your DB instance first. The data keys used for encryption are generated and managed by KMS. TaurusDB does not provide any keys or certificates required for encryption.
  • TDE can only be enabled when a DB instance is created. After the instance is created, TDE cannot be enabled or disabled.
  • TDE encrypts instance data, including full backups but excluding incremental backups.
  • After TDE is enabled, the cryptographic algorithm cannot be changed later.
  • Only instance-level encryption is supported.

Phase: After TDE is enabled
Constraint: After TDE is enabled for a DB instance, you cannot:
  • Enable cross-region backup for the DB instance.
  • Restore the data of the DB instance to an existing DB instance.

Procedure

  1. Go to the Buy DB Instance page.
  2. On the Instances page, click Buy DB Instance.
  3. On the displayed Custom Config page, set the instance parameters, enable TDE, and select AES256 or SM4 as the cryptographic algorithm as needed.

    Figure 1 Enabling TDE

  4. After the DB instance is created, click the instance name to go to the Basic Information page and check the TDE status in the Configuration area.
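Because TDE can only be switched on at creation time and the algorithm cannot be changed afterwards, it pays to validate a creation request against the Table 2 constraints before submitting it. The following pre-flight check is an added example, not TaurusDB code: the `plan` dictionary and its keys are an assumed shape for such a request, and the sample plans are constructed. The version comparison is the part worth noting, since a plain string comparison would rank a kernel such as 2.0.5.x above 2.0.47.x.

```python
"""Pre-flight check against the TDE constraints (Table 2) and the Procedure.

Added example, not TaurusDB code. The `plan` dictionary and its keys are an
assumed request shape; the sample plans are constructed.
"""

MIN_KERNEL_VERSION = "2.0.47.231100"        # minimum kernel version from Table 2
SUPPORTED_INSTANCE_TYPES = {"single-node", "cluster"}
SUPPORTED_ALGORITHMS = {"AES256", "SM4"}    # choices offered in Procedure step 3


def parse_version(version):
    """Split a dotted kernel version into integers so 2.0.47.x > 2.0.5.x."""
    return tuple(int(part) for part in version.split("."))


def version_at_least(version, minimum=MIN_KERNEL_VERSION):
    """True if `version` meets `minimum`; malformed strings never pass."""
    try:
        return parse_version(version) >= parse_version(minimum)
    except ValueError:
        return False


def tde_preflight(plan):
    """Return the list of constraint violations; an empty list means TDE can be enabled."""
    problems = []
    if plan.get("instance_exists"):
        problems.append("TDE can only be enabled when the DB instance is created")
    if not version_at_least(plan.get("kernel_version", "0")):
        problems.append(f"kernel version must be {MIN_KERNEL_VERSION} or later")
    if plan.get("instance_type") not in SUPPORTED_INSTANCE_TYPES:
        problems.append("TDE is only supported for single-node and cluster instances")
    if not plan.get("kms_enabled"):
        problems.append("KMS must be enabled for the instance first")
    if plan.get("algorithm") not in SUPPORTED_ALGORITHMS:
        problems.append("cryptographic algorithm must be AES256 or SM4")
    if plan.get("cross_region_backup"):
        problems.append("cross-region backup cannot be enabled once TDE is on")
    return problems


# Constructed sample requests.
OK_PLAN = {
    "kernel_version": "2.0.47.231100",
    "instance_type": "cluster",
    "kms_enabled": True,
    "algorithm": "SM4",
    "instance_exists": False,
    "cross_region_backup": False,
}

BAD_PLAN = {
    "kernel_version": "2.0.5.230300",   # looks newer as a string, is older numerically
    "instance_type": "cluster",
    "kms_enabled": False,
    "algorithm": "AES128",
    "instance_exists": False,
    "cross_region_backup": False,
}

if __name__ == "__main__":
    for name, plan in (("ok", OK_PLAN), ("bad", BAD_PLAN)):
        print(name, tde_preflight(plan) or "ready to create with TDE")
```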
