Updated on 2025-08-20 GMT+08:00

Configuring the TDE Function

Scenarios

Transparent Data Encryption (TDE) performs real-time I/O encryption and decryption on data files. Data is encrypted before being written to disks and is decrypted when being read from disks to memory. This effectively protects the security of databases and data files.

TDE ensures data security in the following scenarios:

  • Hard disks are stolen, causing data leakage.
  • Hackers break into the system and copy the database files, causing data leakage. If TDE is not enabled for a database, anyone who obtains the database files can browse all the data in them. If TDE is enabled, all data in the database is encrypted, and no one can access it without the key.

Supported Versions

RDS for MySQL supports TDE in the following versions:
  • 8.0: 8.0.32.250300 and later
  • 5.7: 5.7.38.221000 and later

For details about how to query the instance version, see Query the RDS Instance Version.

Impacts on Performance

When there are data reads and writes in an encrypted table, the encryption and decryption algorithms introduce additional computational overhead. This causes the CPU load to increase.

In most cases, if the CPU usage of an instance does not reach the bottleneck, the read and write performance of encrypted tables will decrease by no more than 5%.

In high-concurrency, high-CPU-load scenarios, I/O-intensive workloads on encrypted tables cause noticeably more performance degradation on instances with fewer than 8 vCPUs. The extent of the degradation depends on the workload pattern and the encryption algorithm used.

Constraints

Table 1 Constraints

Stage

Constraints

Before TDE is enabled

  • To enable TDE, submit a service ticket by choosing Service Tickets > Create Service Ticket in the upper right corner of the management console.
  • You need to enable Key Management Service (KMS) for your RDS for MySQL instance first. The Customer Master Key (CMK) used for encryption is generated and managed by KMS. RDS does not provide any keys or certificates required for encryption.
  • TDE cannot be enabled for the following instances:
    • Instances with cross-region backup enabled
    • Instances with CBR snapshot-based backup enabled
  • TDE is supported for cloud SSDs.
  • TDE encrypts instance data, including full backups but excluding incremental backups.
  • Once enabled, TDE cannot be disabled. Exercise caution when deciding to enable TDE.

When TDE is being enabled

  • Enabling TDE will not cause your instance to reboot, but will increase CPU usage significantly. You are advised to enable TDE during off-peak hours.

After TDE is enabled

  • The following limitations apply to the instance after TDE is enabled:
    • You cannot configure remote disaster recovery for it.
    • You cannot disable this function or change the default CMK.
    • You cannot restore data to another existing DB instance from a TDE-encrypted backup.
    • Data cannot be restored to another existing DB instance during point-in-time recovery (PITR).
    • Manual backups created using custom keys cannot be used for restoration. They can only be downloaded.
    • Manual or automated backups created using default keys cannot be downloaded.
    • You cannot perform a major version upgrade.
  • Tables can be encrypted or decrypted only after TDE is enabled. Pay attention to the following after enabling this function:
    • Ensure that common database tools can still be used.
    • When table data is queried, the data is decrypted as it is read into memory, so the query result is displayed in plaintext. After TDE is enabled, backups are encrypted, which prevents data leakage caused by a leaked backup.

Enabling Instance-Level TDE

  1. Click in the upper left corner and select a region.
  2. Click in the upper left corner of the page and choose Databases > Relational Database Service.
  3. On the Instances page, click the target instance name to go to the Overview page.
  4. Under TDE, click Enable.

    Figure 1 Enabling instance-level TDE

  5. In the displayed dialog box, click OK.

    Figure 2 Enabling TDE

  6. After TDE is enabled, to restore data to an on-premises database, use either of the following methods.

    • Method 1: Decrypt data.
      1. Decrypt data by referring to Decryption.
      2. Create a manual backup for the instance to be restored.
      3. Restore data from the manual backup.
    • Method 2: Use the transition key --transition-key.
      1. When creating a manual backup on the console, enter a custom key string as prompted to re-encrypt the data. For details, see Creating a Manual Backup.
        Figure 3 Custom encryption
      2. Download a full backup and use the third-party full backup tool Percona XtraBackup to restore the backup locally.
        1. prepare phase: --transition-key={custom_key}
        2. copy-back phase: --transition-key={custom_key} --generate-new-master-key
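The two XtraBackup phases above, wrapped in a POSIX shell function as an added example (not from this documentation or from Percona XtraBackup): it reads the custom key from a file rather than a typed command line, refuses to run without the backup's checkpoint file, a non-empty key or an empty data directory, and assumes a keyring_file plugin path passed as the fourth argument.

```shell
#!/bin/sh
# Added example (not part of the RDS documentation or of Percona XtraBackup):
# run the two XtraBackup phases for a TDE-encrypted full backup that was
# re-encrypted with a custom transition key on the console.
# Paths and the keyring_file location are assumptions.

# Execute a command, or only print it when DRY_RUN=1 (lets the flags be checked).
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# restore_tde_backup BACKUP_DIR DATA_DIR KEY_FILE KEYRING_FILE
# KEY_FILE holds the custom key string on its first line, so the secret is
# read from a file instead of being typed on a command line.
restore_tde_backup() {
    backup_dir=$1; data_dir=$2; key_file=$3; keyring_file=$4

    # Every XtraBackup backup directory carries this metadata file.
    [ -f "$backup_dir/xtrabackup_checkpoints" ] || {
        echo "no xtrabackup_checkpoints in $backup_dir" >&2; return 2; }
    # Refuse to run without a usable transition key.
    [ -s "$key_file" ] || { echo "key file $key_file empty or missing" >&2; return 3; }
    key=$(head -n 1 "$key_file")
    # copy-back must never overwrite an existing data directory.
    if [ -d "$data_dir" ] && [ -n "$(ls -A "$data_dir")" ]; then
        echo "data directory $data_dir is not empty" >&2; return 4
    fi

    # prepare phase: --transition-key={custom_key}
    run_cmd xtrabackup --prepare --target-dir="$backup_dir" \
        --transition-key="$key" || return 5
    # copy-back phase: --transition-key={custom_key} --generate-new-master-key;
    # the newly generated master key is written to the keyring file given here.
    run_cmd xtrabackup --copy-back --target-dir="$backup_dir" --datadir="$data_dir" \
        --transition-key="$key" --generate-new-master-key \
        --keyring-file-data="$keyring_file"
}
```

Run it as `restore_tde_backup /path/to/backup /var/lib/mysql /root/transition.key /var/lib/mysql-keyring/keyring` on the restore host, after stopping the local MySQL server.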

Encrypting or Decrypting a Table

  1. Connect to the target DB instance.
  2. Run the following commands to encrypt or decrypt a table. In the commands, tablename indicates the name of the table to be encrypted or decrypted.

    • Encryption
      alter table tablename encryption='Y';
    • Decryption
      alter table tablename encryption='N';

    Both alter table tablename encryption='Y'; and alter table tablename encryption='N'; are DDL statements that use ALGORITHM=COPY. Such a statement is executed by creating a new table, copying all the data into it, and then renaming it to replace the original. This has the following effects:

    • After a DDL statement is executed, there will be brief fluctuations in the performance of queries on that table.
    • If the buffer pool is not fully used, the memory load increases.