Skip to main content

Encrypted DBaaS

You can deploy encrypted DBaaS instances to protect sensitive data at rest. Encryption is implemented at the disk level using LUKS (Linux Unified Key Setup), providing strong, transparent protection for the underlying storage.

This ensures that all data, including database files, logs, and backups, is securely encrypted on both primary and replica nodes.

Key Concepts

  • Encryption Method: We use LUKS for full-disk encryption.
  • Activation: Encryption can only be enabled when creating a new database instance. It cannot be added to an existing database.
  • Passphrase: You can provide an optional passphrase for the encryption key. If you do not provide one, a secure, system-generated passphrase is used automatically.

Creating an Encrypted Instance

To create an encrypted DBaaS instance:

  1. Begin the process of provisioning a new database.
  2. Select your desired database engine, plan, and configuration details (e.g., instance name, database name, credentials).
  3. In the configuration options, select the Enable Encryption checkbox.
  4. Provide a custom passphrase to secure the encryption key (Optional) .

warning

Encryption can only be enabled at the time of database creation. You cannot encrypt an existing, unencrypted database, nor can you decrypt an encrypted one. This action is permanent for the life of the instance.