Configuring the TDE Function

Transparent Data Encryption (TDE) performs real-time I/O encryption and decryption on data files. Data is encrypted before being written to disks and is decrypted when being read from disks to memory. This effectively protects the security of databases and data files.

Constraints

You need to enable Key Management Service (KMS) for your RDS for MySQL instance first. The Customer Master Key (CMK) used for encryption is generated and managed by KMS. RDS does not provide any keys or certificates required for encryption.
TDE is only available to DB instances whose kernel version is MySQL 5.7 (5.7.38.221000 or later) and storage type is cloud SSD.
To enable TDE, submit a service ticket by choosing Service Tickets > Create Service Ticket in the upper right corner of the management console.
Once enabled, TDE cannot be disabled and the default CMK cannot be changed.
TDE encrypts instance data, including full backups but excluding incremental backups.
TDE cannot be enabled for instances:
- With remote disaster recovery backup enabled.
The following operations cannot be performed for DB instances with TDE enabled:
- Enabling remote disaster recovery backup.
- Restoring a TDE-encrypted backup to another existing DB instance.
- Restoring data to another existing DB instance during point-in-time recovery (PITR).
- Restoring manual backups created using custom keys.
- Downloading manual and automated backups created using default keys.
Enabling TDE will not cause your instance to reboot, but will increase CPU usage significantly. You are advised to enable TDE during off-peak hours.

Enabling Instance-Level TDE

Log in to the management console.
Click in the upper left corner and select a region and a project.
Click in the upper left corner of the page and choose Databases > Relational Database Service.
On the Instances page, click the target DB instance.
In the DB Information area, click in the TDE field to enable TDE.

Figure 1 Enabling instance-level TDE
In the displayed dialog box, click OK.

Once enabled, TDE cannot be disabled. Exercise caution when deciding to enable TDE.

Figure 2 Enabling TDE
After TDE is enabled, to restore data to an on-premises database, use either of the following methods.
- Method 1: Decrypt data.
  1. Decrypt data by referring to Decryption.
  2. Create a manual backup for the instance to be restored.
  3. Restore data from the manual backup.
- Method 2: Use the transition key --transition-key.
  1. When creating a manual backup on the console, enter a custom key string as prompted to re-encrypt the data. For details, see Creating a Manual Backup.
    Figure 3 Custom encryption
  2. Download a full backup and use the third-party full backup tool Percona XtraBackup to restore the backup locally.
    1. prepare phase: --transition-key = {custom_key}
    2. copy-back phase: --transition-key={custom_key} --generate-new-master-key

Encrypting or Decrypting a Table

Ensure that instance-level TDE has been enabled.
After TDE is enabled, common database tools can still be used.
When table data is queried, the data is decrypted and read to the memory, so the query result is displayed in plaintext. After TDE is enabled, backup files are encrypted, preventing data leakage caused by backup leakage.

Connect to the target DB instance.
For details, see Connecting to an RDS for MySQL DB Instance Through a Public Network, Connecting to an RDS for MySQL DB Instance Through a Private Network, and Connecting to an RDS for MySQL DB Instance Through DAS (Recommended).
Run the following commands to encrypt or decrypt a table. In the commands, tablename indicates the name of the table to be encrypted or decrypted.
- Encryption
```
alter table tablename encryption='Y';
```
- Decryption
```
alter table tablename encryption='N';
```