TencentDB for MySQL

Enabling Transparent Data Encryption

Last updated: 2026-01-12 17:16:52

Overview

TencentDB for MySQL provides transparent data encryption (TDE). "Transparent" means that encryption and decryption happen without any change to applications or users. TDE encrypts data file I/O in real time: pages are encrypted before they are written to disk and decrypted when they are read from disk into memory. This meets compliance requirements for encryption of data at rest.

Key Management Instructions

TencentDB for MySQL does not supply the keys or certificates used for encryption. The keys used for TDE are generated and managed by Key Management Service (KMS). Notes on the keys:
The TDE feature itself is free of charge, but KMS is billed separately. See Billing Overview for details.
The Key Management System (Postpaid Version) ceased operations on December 30, 2024. From that date, KMS no longer supports pay-as-you-go billing and is sold only as a prepaid product.
For existing users of the Key Management System (Postpaid Version), an account in arrears cannot retrieve keys from KMS, which can block tasks such as migration and upgrades.
For users who purchased the Key Management System (Prepaid Edition), an account in arrears does not affect key retrieval, migration or upgrades for the period already paid for. Watch the renewal date of your KMS keys: if they expire without renewal, TDE stops working as well. Manage your keys in the Key Management System Console.
TencentDB for MySQL instances and KMS are available in different sets of regions. When creating a key, if KMS has no region matching the instance's region, create the key in the Guangzhou region for instances in China and in the Hong Kong (China) region for instances outside China.
After TDE is enabled, the key may not appear in the KMS key list until the account (UIN) has created at least one encrypted table; once it has, the key is listed. See Frequently Asked Questions for how to create an encrypted table.

Prerequisites

The instance architecture must be either General or Dedicated two-node/three-node.
The database versions of the instances must be MySQL 5.7 or MySQL 8.0.
You have activated Key Management Service (KMS). If not, you can activate it as instructed during the TDE activation process.
You have granted KMS key permissions. If not, you can grant them as instructed during the TDE activation process.
Your account has the QcloudAccessForMySQLRole permission. If not, follow the instructions provided during the TDE activation process.

Use Limits

If the KMS authorization granted for TDE is revoked, the instance can no longer fetch its key from KMS, and the databases become inaccessible the next time the instance restarts.
TDE cannot be disabled once enabled.
Once TDE is enabled, data must be decrypted (ALTER TABLE ... ENCRYPTION='N') before it can be restored to a self-managed local database.
TDE protects data at rest at the cost of read/write performance on encrypted databases. Enable it only where you actually need it.
If the source instance has read-only or disaster recovery instances attached, enable TDE on the source instance only; it is then enabled automatically on the attached instances.
Keep the KMS key in a normal, usable state while TDE is in use. Otherwise the instance cannot fetch the key from KMS, which can block tasks such as migration and upgrades.
After TDE is enabled, CPU consumption rises and about 5% of performance is lost.
After TDE is enabled, authenticated applications and users read and write data transparently. TDE only protects the files on disk (and the backups derived from them): anyone with valid database credentials sees plaintext, and data in transit is not covered, so TDE complements rather than replaces account privileges and TLS connections.
After TDE is enabled, backup compression may be less effective, because encrypted pages do not compress well.
After TDE is enabled, MySQL 8.0 instances encrypt automatically: tables created after enablement are encrypted by default. On MySQL 5.7 instances, a table is encrypted only when you set ENCRYPTION='Y' on it explicitly (see Encrypting a table).

Directions

Enabling TDE

1. Log in to the TencentDB for MySQL console. In the instance list, click an instance ID or Manage in the Operation column to enter the instance management page.
2. On the Data Security tab, toggle on Encryption Status.

Note:
An instance with TDE enabled cannot be restored from a physical backup to a self-created database on another server.
TDE can't be disabled once enabled.
3. In the pop-up dialog box, activate KMS, grant the KMS key permissions, select a key, and click Encrypt.
If you select Use key auto-generated by Tencent Cloud, Tencent Cloud creates a KMS key for you and uses it for this instance.

If you select Use existing custom key, choose a key you created earlier in KMS.
Note:
If you have no custom keys yet, click go to create to create one in the KMS console. For more information, see Creating a Key.


Encrypting a table

Once TDE is enabled, you can encrypt a table in a MySQL instance with the DDL statements below (t1 is an example table name).
To encrypt a table at creation time, run:
CREATE TABLE t1 (c1 INT) ENCRYPTION='Y';
To encrypt an existing table, run:
ALTER TABLE t1 ENCRYPTION='Y';

Decrypting a table

Once TDE is enabled, you can also decrypt an individual table with a DDL statement. To decrypt an encrypted table, run:
ALTER TABLE t1 ENCRYPTION='N';
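The following worked example is added here and is not part of the Tencent Cloud page or of TencentDB's own tooling. It shows how to confirm which tables are really encrypted after TDE is enabled, how to sweep the server for unencrypted user tables, and how to generate the decryption DDL that the Use Limits section says is required before restoring to a local database. It assumes a scratch schema named tde_demo and illustrative table names. The default_table_encryption variable is stock MySQL 8.0 behaviour and is shown only as a check, not as a statement of how TencentDB implements default encryption.

```sql
-- Added example (not from the Tencent Cloud page). Assumes a scratch
-- schema tde_demo; table and column names are illustrative.
CREATE DATABASE IF NOT EXISTS tde_demo;
USE tde_demo;

-- Explicitly encrypted table: works on MySQL 5.7 and 8.0 once TDE is on.
CREATE TABLE customer (
  id    BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
  email VARCHAR(255)    NOT NULL,
  PRIMARY KEY (id)
) ENGINE=InnoDB ENCRYPTION='Y';

-- Table created with no ENCRYPTION clause. The page says MySQL 8.0
-- instances encrypt new tables by default after TDE is enabled; on 5.7
-- this table stays in plaintext until you ALTER it.
CREATE TABLE audit_note (
  id   BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
  note TEXT,
  PRIMARY KEY (id)
) ENGINE=InnoDB;

-- Check 1 (5.7 and 8.0): the option as recorded in the data dictionary.
-- 5.7 renders it as ENCRYPTION="Y", 8.0 as ENCRYPTION='Y'.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
  FROM information_schema.TABLES
 WHERE TABLE_SCHEMA = 'tde_demo'
   AND ENGINE = 'InnoDB';

-- Check 2 (8.0 only): what InnoDB itself reports per file-per-table
-- tablespace. This is the authoritative view on 8.0.
SELECT NAME, ENCRYPTION
  FROM information_schema.INNODB_TABLESPACES
 WHERE NAME LIKE 'tde_demo/%';

-- Check 3 (8.0 only, stock MySQL): the server-wide default that makes a
-- CREATE TABLE without an ENCRYPTION clause produce an encrypted table.
SHOW GLOBAL VARIABLES LIKE 'default_table_encryption';

-- Compliance sweep: every user InnoDB table that is NOT marked encrypted.
-- The _Y_ wildcard matches both the "Y" and 'Y' quoting styles.
SELECT TABLE_SCHEMA, TABLE_NAME
  FROM information_schema.TABLES
 WHERE ENGINE = 'InnoDB'
   AND TABLE_SCHEMA NOT IN ('mysql', 'information_schema', 'performance_schema', 'sys')
   AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION=_Y_%';

-- Before a physical restore to a self-managed server (see Use Limits),
-- generate the decrypt DDL for one schema, review it, then run it.
SELECT CONCAT('ALTER TABLE `', TABLE_SCHEMA, '`.`', TABLE_NAME,
              '` ENCRYPTION=''N'';') AS decrypt_stmt
  FROM information_schema.TABLES
 WHERE TABLE_SCHEMA = 'tde_demo'
   AND ENGINE = 'InnoDB'
   AND CREATE_OPTIONS LIKE '%ENCRYPTION=_Y_%';

-- The generated statement for the table above, applied by hand:
ALTER TABLE tde_demo.customer ENCRYPTION='N';

-- Re-run Check 1 or Check 2 afterwards: customer should now report
-- ENCRYPTION='N' (8.0) or no ENCRYPTION option (5.7).
```

The sweep is the query to put in a scheduled compliance job: on a MySQL 5.7 instance, where nothing is encrypted by default, any row it returns is a table that TDE is not protecting. Each ALTER TABLE ... ENCRYPTION rewrites the whole table, so run the generated statements during a maintenance window on large tables.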

Frequently Asked Questions

Why does the key list lack key information after enabling TDE?

Issue Phenomenon

(Figure: key list as it normally appears after TDE is enabled)

Recommended Actions
1. First check that the KMS encryption status is normal and that the account is not in arrears: confirm there are no overdue payments for either the TencentDB for MySQL instance or the Key Management System, then try again.
2. If this is your first use of TDE and no encrypted table has ever been created under your account (UIN), the key list is empty. Create an encrypted table in the instance with the statement below, then check the key list again.
CREATE TABLE `user_test` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`userId` int(11) NOT NULL,
`age` int(11) NOT NULL,
`name` varchar(64) DEFAULT NULL,
`ins_date` varchar(10) DEFAULT NULL,
PRIMARY KEY (`id`),
KEY `idx_ins_date` (`ins_date`),
KEY `idx_userId` (`userId`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 ENCRYPTION='Y';

Why is the key unusable after enabling TDE?

Check that the KMS encryption status is normal and that your account is not in arrears, and confirm that neither your TencentDB for MySQL instance nor your Key Management System has expired unpaid. Because the postpaid version of the Key Management System can no longer be created and new purchases are limited to the prepaid version, users still on the postpaid version will find their keys unusable whenever the KMS encryption status is abnormal or the account is delinquent. Top up the account and try again.
