Updated on 2023-04-03 GMT+08:00

Performing a Server-Side Encryption

Introduction

The RDS console provides server-side encryption with Data Encryption Workshop (DEW)-managed keys.

DEW uses a third-party hardware security module (HSM) to protect keys, enabling you to easily create and control encryption keys. For security reasons, keys are not displayed in plaintext outside of HSMs. With DEW, all operations on keys are controlled and logged, and usage records of all keys can be provided to meet regulatory compliance requirements.

If server-side encryption is enabled, disk data will be encrypted and stored on the server when you create a DB instance or expand disk capacity. When downloading encrypted objects, the encrypted data will be decrypted on the server and displayed to you in plaintext.

Encrypting Disks Using Server-Side Encryption

For server-side encryption, first create a key in DEW or use the default key that DEW provides. When creating a DB instance, select Enable for Disk Encryption and then select or create a key. This key is the end tenant key and is used for server-side encryption of the instance's disks. For details, see Getting Started with RDS for SQL Server.

  • You will need the KMS administrator permission for the region where RDS is deployed. This permission can be granted using Identity and Access Management (IAM). On the IAM console, add permission policies to user groups. For details, see Creating a User Group and Assigning Permissions.
  • If you want to use a user-defined key to encrypt objects to be uploaded, create a key using DEW. For details, see Creating a CMK.
  • If you enable disk encryption during instance creation, the disk encryption status and the key cannot be changed later. Disk encryption will not encrypt backup data stored in OBS.
  • If disk encryption is enabled, keep the key properly. Once the key is disabled, deleted, or frozen, the database will be unavailable.
  • After an RDS DB instance is created, you cannot disable or delete the key for that instance, or the DB instance will become unusable and the data cannot be restored.
  • If you scale up a DB instance with disks encrypted, the expanded storage space will also be encrypted using the original encryption key.
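As an added audit example (not part of this page, and not using the RDS or DEW APIs; the inventory field names and sample exports below are constructed assumptions), the following script checks a list of DB instances and their DEW keys against the constraints listed above: unencrypted disks cannot be fixed after creation, a disabled, frozen, deleted or missing key makes the database unavailable, and disk encryption never covers backups in OBS.

```python
import json

# Constructed sample exports. The field names are assumptions for this example,
# not the schema of the RDS or DEW APIs.
SAMPLE_INSTANCES = json.dumps([
    {"id": "rds-01", "disk_encrypted": True,  "key_id": "key-a"},
    {"id": "rds-02", "disk_encrypted": False, "key_id": None},
    {"id": "rds-03", "disk_encrypted": True,  "key_id": "key-b"},
    {"id": "rds-04", "disk_encrypted": True,  "key_id": "key-c"},
])
SAMPLE_KEYS = json.dumps([
    {"id": "key-a", "state": "Enabled"},
    {"id": "key-b", "state": "Disabled"},           # a disabled key makes the DB unavailable
    {"id": "key-c", "state": "Pending deletion"},   # deletion makes the data unrecoverable
])

# Key states that, per the page, make an encrypted instance unusable.
UNUSABLE_KEY_STATES = {"Disabled", "Pending deletion", "Frozen"}


def audit(instances_json: str, keys_json: str) -> list[tuple[str, str, str]]:
    """Return (instance_id, severity, finding) for each risk the page describes."""
    key_state = {k["id"]: k["state"] for k in json.loads(keys_json)}
    findings = []
    for inst in json.loads(instances_json):
        iid = inst["id"]
        if not inst.get("disk_encrypted"):
            # Encryption is fixed at creation time; remediation means a new instance.
            findings.append((iid, "high", "disk not encrypted; cannot be enabled later"))
            continue
        state = key_state.get(inst["key_id"], "Missing")
        if state in UNUSABLE_KEY_STATES or state == "Missing":
            findings.append((iid, "critical",
                             f"key {inst['key_id']} is {state}; database unavailable"))
        # Disk encryption never covers backups in OBS, regardless of key state.
        findings.append((iid, "info", "backups in OBS are not covered by disk encryption"))
    return findings


if __name__ == "__main__":
    for iid, sev, msg in audit(SAMPLE_INSTANCES, SAMPLE_KEYS):
        print(f"{sev:8} {iid}: {msg}")
```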