Setting Up TDE in MySQL RDS

Transparent Data Encryption (TDE) is a technology used to encrypt databases by offering encryption at a file level. If you have critical and sensitive data, TDE can help protect the privacy of your information and prevent data breaches by enabling data-at-rest encryption in the database. TDE helps you meet various regulatory requirements including PCI DSS and HIPAA.

Source: https://www.mysql.com/products/enterprise/tde.html

According to MySQL, "TDE enables data-at-rest encryption by encrypting the physical files of the database. Data has encrypted automatically, in real time, prior to writing to storage and decrypted when read from storage. As a result, hackers and malicious users are unable to read sensitive data from tablespace files, database backups or disks. RDS TDE uses industry standard AES algorithms."

TDE Basics

Transparent Data Encryption (TDE) can be used to perform real-time I/O encryption and decryption on instance data files. To increase data security, you can enable TDE to encrypt instance data. Data is encrypted before it is written to disk and decrypted when it is read from disk. TDE does not:

1. Increase the size of the data file.
2. Require developers to make any code changes to use TDE.

Alibaba Cloud ApsaraDB for RDS fully supports TDE for MySQL. In this article, we will look at setting up TDE for MySQL on Alibaba Cloud.

Note: TDE is currently only applicable to SQL Server 2008 R2 and MySQL 5.6. To view or modify TDE settings, you need to log in with an Alibaba Cloud account rather than a RAM account.

Prerequisites

1. Key Management System (KMS) is enabled.
2. The RDS is based on either MySQL 5.6 or MS SQL 2008.RDS specifications are high enough to support the overhead of encryption.

Setting Up TDE on ApsaraDB for RDS

To enable TDE on Alibaba Cloud:

1. Go to the RDS Management Console, select the appropriate RDS instance.
2. Under Security Control, TDE tab, you will be able to find the option to enable TDE.

How Does TDE Work?

TDE works as shown below.

This feature will allow the encryption of data while at rest. The encryption of data while in transit is still the responsibility of the user and is outside the purview of this document.

Encrypting Tables

Log in to the database and execute the following command to encrypt the table to be encrypted.

alter table  engine＝innodb block_format=encrypted;

Decrypting Tables

If you want to decrypt the TDE encrypted table, execute the following command.

alter table  engine＝innodb block_format=default;

Conclusion

To summarize, database encryption provides an important layer of security to your sensitive data. There are different ways to encrypt the data that are all very practical. But remember that even the best crypto library will not secure your data unless you are using a secure key management infrastructure.

Currently, only SQL Server 2008 R2 and MySQL 5.6 databases support TDE, and once TDE is activated, it cannot be deactivated.

Encryption uses keys produced and managed by the Key Management Service (KMS). RDS does not provide the keys and certificates needed for encryption. After activating TDE, if the user wants to restore the data to the local device, he must use RDS to decrypt the data first.

Further Reading

1. ApsaraDB for RDS for MySQL page
2. TDE Setup Documentation