
Converting an Ordinary Cluster to an Encrypted Cluster

GaussDB(DWS) allows you to convert an unencrypted cluster to an encrypted cluster on the console when the cluster status is Available. Converting a cluster to an encrypted cluster is an irreversible, high-risk operation: encryption cannot be disabled afterwards, and the conversion restarts the cluster, so services may be unavailable for a short period of time. Exercise caution and plan a maintenance window before performing this operation.

Note

If the current console does not support this function, contact technical support.

Notes and Constraints

  • Only storage-compute decoupled clusters of version 9.1.0 and later support database encryption.
  • If the cluster has a DR relationship, it cannot be encrypted even when it is in the Available state. Cancel the DR relationship, encrypt the cluster, and then re-establish the DR relationship.
  • The database encryption function cannot be disabled once it is enabled.
  • After Encrypt DataStore is enabled, do not disable, delete, or freeze the KMS key while the cluster is using it. Otherwise, the cluster becomes abnormal and the database becomes unavailable.
  • Snapshots created after the database encryption function is enabled cannot be restored using open APIs.
  • By default, only cloud accounts or users with Security Administrator permissions can query and create agencies. IAM users under an account do not have this permission by default. Contact a user who has it to complete the authorization on the current page.
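Because the conversion is irreversible and restarts the cluster, it is worth checking the constraints above mechanically before clicking through the console. The following Python script is an added example and is not Huawei Cloud code: it encodes the page's rules (status Available, storage-compute decoupled architecture, version 9.1.0 or later, no DR relationship, not already encrypted) as a pre-flight check. The dictionary keys it reads (status, architecture, version, dr_relationship, encrypted) and the sample clusters are constructed for illustration, not the fields of any real DWS API response; map them from the cluster details you actually have.

```python
"""Pre-flight check before 'Convert to Encrypted Cluster' on GaussDB(DWS).

Added example, not Huawei Cloud code. The dictionary keys below
(status, architecture, version, dr_relationship, encrypted) are
assumptions constructed for this example, not the fields of any real
DWS API response.
"""

MIN_VERSION = (9, 1, 0)  # page: database encryption needs 9.1.0 or later


def parse_version(text: str) -> tuple:
    """Turn '9.1.0' or '9.10.2.100' into a comparable (major, minor, patch) tuple.

    Numeric comparison matters: as strings, '9.10.0' < '9.2.0', which would
    wrongly reject a newer cluster.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def preflight(cluster: dict) -> list:
    """Return the blocking findings for a cluster; an empty list means go ahead.

    Each rule corresponds to one constraint listed on the page.
    """
    findings = []
    if cluster.get("encrypted"):
        findings.append("already encrypted: the conversion is irreversible and cannot be repeated")
    if cluster.get("status") != "Available":
        findings.append("status is %r, must be Available" % cluster.get("status"))
    if cluster.get("architecture") != "storage-compute-decoupled":
        findings.append("only storage-compute decoupled clusters support database encryption")
    version = cluster.get("version", "")
    if parse_version(version) < MIN_VERSION:
        findings.append("version %r is earlier than 9.1.0" % version)
    if cluster.get("dr_relationship"):
        findings.append("DR relationship present: cancel it, encrypt, then re-establish it")
    return findings


# Constructed sample clusters (not real data).
READY = {
    "name": "dws-prod-01",
    "status": "Available",
    "architecture": "storage-compute-decoupled",
    "version": "9.10.2",
    "dr_relationship": None,
    "encrypted": False,
}
BLOCKED = {
    "name": "dws-legacy-02",
    "status": "Available",
    "architecture": "storage-compute-decoupled",
    "version": "9.0.3",
    "dr_relationship": "dr-pair-to-region-b",
    "encrypted": False,
}

if __name__ == "__main__":
    for c in (READY, BLOCKED):
        problems = preflight(c)
        print(c["name"], "OK" if not problems else "BLOCKED")
        for p in problems:
            print("  -", p)
```

Run it against the cluster description you export from the console before starting the conversion; any non-empty result is a reason not to proceed, and the DR finding in particular has to be resolved in the order the page gives (cancel, encrypt, re-establish).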

Creating a KMS Agency

Scenario

Before converting a cluster to an encrypted cluster, you need to create an agency that grants the KMS Administrator permissions to GaussDB(DWS).

Procedure

  1. Click your account in the upper right corner of the page and choose Identity and Access Management.
  2. In the navigation pane on the left, choose Agency. In the upper right corner, click Create Agency.

  3. Select Cloud Service and set Cloud Service to DWS.
  4. Click Finish. In the displayed dialog box, click OK to grant the KMS Administrator permission to the agency.

  5. Click Next. Select All resources or specific resources, confirm the information, and click Submit.

Procedure

  1. Log in to the GaussDB(DWS) console. In the navigation pane on the left, choose Dedicated Clusters > Clusters.
  2. In the cluster list, locate the row that contains the target cluster and choose More > Convert to Encrypted Cluster in the Operation column.

    Note

    The buttons in the Operation column are positioned dynamically. If some of the buttons that normally appear before More are not supported at the current site, buttons that would otherwise be shown only under More are moved in front of More so that two buttons are always visible there. Convert to Encrypted Cluster may therefore appear directly in the Operation column rather than under More.

  3. In the dialog box that is displayed, select the key source, key name, and encryption algorithm to convert the cluster to an encrypted cluster.

    • Method 1: Select a key name.
    • Method 2: Enter a key ID. Use the ID of a key that has been granted to the current tenant.

      When you grant permissions on the Creating a Grant page, the authorized object must be an account, not a user. The authorized operations must include at least Querying key details, Encrypting data, and Decrypting data.

  4. After the conversion, click the cluster name to open the Cluster Details page and verify the encryption information. For details, see Viewing Database Encryption Information.
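When the key is supplied by ID (Method 2), the conversion depends on a key that stays enabled and on a grant whose authorized object and operations satisfy the requirements in step 3. The following Python script is an added example, not Huawei Cloud code, that validates both conditions before the key ID is entered. The key and grant records are constructed for illustration, and their field names (id, state, grantee_type, grantee_id, operations) are assumptions rather than the schema of the KMS API; it also assumes, conservatively, that a single grant must carry all three required operations.

```python
"""Check a KMS key and its grants before using 'Method 2: Enter the key ID'.

Added example, not Huawei Cloud code. Field names are assumptions
constructed for this example, not the KMS API schema. Rules come from
the page: the key must remain enabled (never disabled, deleted or frozen
while in use); the grant's authorized object must be an account rather
than a user; the grant must include at least Querying key details,
Encrypting data and Decrypting data.
"""

REQUIRED_OPERATIONS = frozenset(
    {"Querying key details", "Encrypting data", "Decrypting data"}
)


def missing_operations(grant: dict) -> list:
    """Required operations that this grant does not authorize, sorted."""
    return sorted(REQUIRED_OPERATIONS - set(grant.get("operations", [])))


def usable_grants(grants: list, account_id: str) -> list:
    """Grants that the conversion can rely on for the given account.

    Assumption: each grant is judged on its own (operations are not
    pooled across grants), the conservative reading of the page.
    """
    usable = []
    for grant in grants:
        if grant.get("grantee_type") != "account":
            continue  # the authorized object must be an account, not a user
        if grant.get("grantee_id") != account_id:
            continue  # granted to some other tenant
        if missing_operations(grant):
            continue  # lacks query, encrypt or decrypt
        usable.append(grant)
    return usable


def check_key_state(key: dict) -> list:
    """The key must be enabled; any other state will break the cluster later."""
    if key.get("state") == "Enabled":
        return []
    return [
        "key %s is %r: it must be enabled and must never be disabled, frozen "
        "or scheduled for deletion while the cluster uses it"
        % (key.get("id"), key.get("state"))
    ]


def check_key_id(key: dict, grants: list, account_id: str) -> list:
    """Return blocking findings for entering this key ID from account_id."""
    findings = check_key_state(key)
    if not usable_grants(grants, account_id):
        findings.append(
            "no grant on key %s authorizes account %s with at least: %s"
            % (key.get("id"), account_id, ", ".join(sorted(REQUIRED_OPERATIONS)))
        )
    return findings


# Constructed sample records (not real identifiers or data).
KEY = {"id": "key-example-0001", "state": "Enabled"}
GRANTS = [
    # Wrong authorized object: a user, even though the operations are complete.
    {"grantee_type": "user", "grantee_id": "user-example-42",
     "operations": ["Querying key details", "Encrypting data", "Decrypting data"]},
    # Right object, but Decrypting data is missing.
    {"grantee_type": "account", "grantee_id": "account-example-7",
     "operations": ["Querying key details", "Encrypting data"]},
    # Satisfies every requirement on the page.
    {"grantee_type": "account", "grantee_id": "account-example-7",
     "operations": ["Querying key details", "Encrypting data", "Decrypting data"]},
]

if __name__ == "__main__":
    for finding in check_key_id(KEY, GRANTS, "account-example-7") or ["key ID usable"]:
        print(finding)
```

The user-level grant in the sample is the mistake the page warns about: it looks complete but does not count, so only the third grant makes the key usable. Keep the key-state check in whatever monitoring you run after the conversion as well, since disabling or freezing the key later makes the database unavailable.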