Skip to content

cloud: Premium supports Dual-layer Data Encryption (CMEK) #22625

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ljun0712 wants to merge 3 commits into
base: feature/preview-one-console
Choose a base branch
from
+183 −0
Open

cloud: Premium supports Dual-layer Data Encryption (CMEK) #22625

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b386571
Dual-layer Data Encryption (CMEK)
ljun0712 Mar 24, 2026
c283255
Apply suggestion from @gemini-code-assist[bot]
ljun0712 Mar 24, 2026
b82306f
Apply suggestion from @gemini-code-assist[bot]
ljun0712 Mar 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
183 changes: 183 additions & 0 deletions tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,183 @@
---
title: Dual-layer Data Encryption
summary: Learn how to enable Dual-layer Data Encryption on Premium TiDB.
aliases: ['/tidbcloud/premium/tidb-cloud-encrypt-cmek']
---

# Dual-layer Data Encryption

Premium enables data encryption at rest by default on TiDB service instance storage and snapshot volumes. This provides basic encryption capabilities to enhance data security. Building on this, Premium allows you to combine TiDB service's storage engine encryption with your cloud provider's KMS, adding another layer of data encryption (Dual-layer Data Encryption).
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

low

This introductory paragraph can be rephrased for better clarity and conciseness.

Suggested change
Premium enables data encryption at rest by default on TiDB service instance storage and snapshot volumes. This provides basic encryption capabilities to enhance data security. Building on this, Premium allows you to combine TiDB service's storage engine encryption with your cloud provider's KMS, adding another layer of data encryption (Dual-layer Data Encryption).
By default, Premium encrypts data at rest for TiDB instance storage and snapshot volumes. This provides a baseline of data security. To further enhance security, you can enable Dual-layer Data Encryption, which combines the TiDB service's storage engine encryption with your cloud provider's Key Management Service (KMS).
References
  1. The documentation should be clear and simple for users to understand. (link)


> **Note:**
>
> The Premium Dual-layer Data Encryption feature will increase your data storage costs. Please see the pricing policy for more information.

## Restrictions

- Currently, Premium's Dual-layer Data Encryption only supports providing key services using AWS KMS.
- Premium's Dual-layer Data Encryption covers data from TiKV, CDC, and BR components. Encryption of TiFlash data will be supported soon.
- When Dual-layer Data Encryption is enabled on Premium TiDB, encryption properties will not be allowed to be modified.
- Only KMS master key rotation is supported; rotation of other keys is not supported.
- User-configured encryption algorithms are not supported.
- The AWS region for CMEK needs to be consistent with the TiDB instance.
- When CMEK encryption is enabled in Premium, backup data for TiDB instances does not support cross-region recovery operations.
Comment on lines +17 to +23
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

low

This list of restrictions can be improved for clarity, conciseness, and adherence to the style guide (e.g., using active voice and addressing the user directly). Consider rephrasing as follows:

Suggested change
- Currently, Premium's Dual-layer Data Encryption only supports providing key services using AWS KMS.
- Premium's Dual-layer Data Encryption covers data from TiKV, CDC, and BR components. Encryption of TiFlash data will be supported soon.
- When Dual-layer Data Encryption is enabled on Premium TiDB, encryption properties will not be allowed to be modified.
- Only KMS master key rotation is supported; rotation of other keys is not supported.
- User-configured encryption algorithms are not supported.
- The AWS region for CMEK needs to be consistent with the TiDB instance.
- When CMEK encryption is enabled in Premium, backup data for TiDB instances does not support cross-region recovery operations.
- Currently, Premium Dual-layer Data Encryption only supports AWS KMS.
- Premium Dual-layer Data Encryption covers data from TiKV, CDC, and BR components. Encryption for TiFlash data will be supported soon.
- After you enable Dual-layer Data Encryption on a Premium TiDB instance, you cannot modify its encryption properties.
- Only automatic rotation of the KMS master key is supported. You cannot rotate other keys.
- You cannot use custom encryption algorithms.
- The AWS region for your CMEK must be the same as your TiDB instance's region.
- When you enable CMEK encryption in Premium, you cannot perform cross-region recovery operations for TiDB instance backup data.
References
  1. Write in second person ("you") when addressing users and prefer active voice. (link)


> **Note:**
>
> Premium will continue to be improved and will support Alibaba Cloud KMS and Azure Key Vault as soon as possible.

## Feature Introduction

### Encryption mechanism

Premium supports two layers of data-at-rest encryption to ensure data security. These two layers are Dual-layer Data Encryption and Storage-layer Data Encryption. You can manage Premium's Dual-layer Data Encryption yourself. Premium's Storage-layer Data Encryption is enabled by default, and you cannot disable it.

- Dual-layer Data Encryption
- This is a layer of data encryption added by TiDB Cloud on top of the storage layer data encryption.
- This data encryption is at the database level. Static data encryption covers: TiKV's stored data and BR's backup data.
- Data is already encrypted within the TiDB database system, effectively preventing data leakage during subsequent transfers.

- Storage-layer Data Encryption
- This is data encryption implemented by cloud service providers on their storage services.
- It mainly includes disk encryption and bucket encryption. For example, for AWS, this is EBS encryption and S3 encryption.

Check failure on line 42 in tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[PingCAP.Spacing] 'n.  F' should have one space.

Raw Output:
{"message": "[PingCAP.Spacing] 'n.  F' should have one space.", "location": {"path": "tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md", "range": {"start": {"line": 42, "column": 60}}}, "severity": "ERROR"}

#### Backup & Restore Description
When Dual-layer Data Encryption is enabled for Premium TiDB, the backup data for that Premium TiDB instance is also encrypted. For a new Premium TiDB instance restored from backup data, its encryption attributes and KMS master key will remain consistent with the original Premium TiDB instance.

Access to backup data also relies on the KMS master key configured for Dual-layer Data Encryption. To ensure backup data availability, you need to pay attention to the following:

- You need to maintain the availability of the KMS master key associated with the backup data. Even if the Premium TiDB instance is deleted, you must ensure the availability of the associated KMS master key so that the backup data can be recovered.
- When you perform backup data recovery operations, you need to configure the same KMS master key (the one associated with the backup data). You must ensure that the key is correctly authorized to guarantee that the backup data can be accessed normally.

### Key Management Mechanism

Premium's Dual-layer Data Encryption supports providing master keys for data encryption at rest based on AWS KMS. Customers can configure their KMS master keys according to their own security compliance and maintenance requirements. Premium offers two KMS master key configuration methods: Customer-Managed Encryption Key (CMEK) and Service-Managed Encryption Key.

- Customer-Managed Encryption Key (CMEK):
- This is the KMS Master Key provided by the customer. This gives the customer greater control over TiDB data encryption, resulting in higher security.
- Customers are required to ensure the security and availability of their Customer-Managed Encryption Key (CMEK). If customers delete their configured Customer-Managed Encryption Key (CMEK), Premium TiDB will malfunction, and encrypted data at rest will be unrecoverable.
- If customers prioritize encryption security, they can choose this option—providing CMEK to enable Dual-layer Data Encryption.

- Service-Managed Encryption Key
- This is the KMS master key provided by TiDB Cloud for its customers. It does not require user maintenance.
- If customers prioritize both security and convenience, they can select the Service-Managed Encryption Key when enabling Dual-layer Data Encryption.

#### Service-Managed Encryption Key Description

- The Service-Managed Encryption Key is a symmetric encryption key.
- The Service-Managed Encryption Key is automatically created when a customer creates the first Premium TiDB instance in a region that uses this key for encryption.
- Premium creates one Service-Managed Encryption Key for each organization within the same region. Multiple Premium TiDB instances within the same region will share this key.
- Once all data encrypted with the Service-Managed Encryption Key within an organization has been cleaned up, the Service-Managed Encryption Key will be cleaned up as well.

## Feature Configuration

### Enable Dual-layer Data Encryption when creating Premium TiDB

Customers can choose to enable Dual-layer Data Encryption when creating Premium TiDB. When enabling Dual-layer Data Encryption, customers can configure the encrypted KMS master key according to their own security compliance and maintenance requirements. There are two configuration options for the KMS master key: Customer-Managed Encryption Key (CMEK) and Service-Managed Encryption Key.

#### Customer-Managed Encryption Key (CMEK)

If you wish to enable Dual-layer Data Encryption based on the Customer-Managed Encryption Key (CMEK), please follow these steps.

##### Step 1. Create a symmetric encryption key in your AWS KMS (Preparation)

To enable CMEK-based dual-layer data encryption, you need to create a symmetric encryption key in AWS KMS. The KMS master key you create must be consistent with the region where your TiDB service resides. For more details, see [Create a symmetric encryption KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/create-symmetric-cmk.html).

##### Step 2. When creating Premium TiDB, configure CMEK in Dual-layer Data Encryption.

Check failure on line 86 in tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[PingCAP.HeadingPunctuation] Don't put a period at the end of a heading.

Raw Output:
{"message": "[PingCAP.HeadingPunctuation] Don't put a period at the end of a heading.", "location": {"path": "tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md", "range": {"start": {"line": 86, "column": 86}}}, "severity": "ERROR"}

Dual-layer Data Encryption should only be enabled when creating Premium TiDB. To do this, follow these steps:
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

This sentence is misleading, as you can enable Dual-layer Data Encryption on an existing instance, which is described in a later section. It should be removed or rephrased to avoid confusion.

Suggested change
Dual-layer Data Encryption should only be enabled when creating Premium TiDB. To do this, follow these steps:
To configure CMEK when creating a Premium TiDB instance, follow these steps:
References
  1. Ensure documentation is clear and technically accurate. (link)


1. On the My TiDB page, click "Create Resource".
2. In the Plan, select Premium and complete the basic configuration.
3. In Dual-Layer Data Encryption, click "Enable".
4. Then select Customer-Managed Encryption Key (CMEK) and click "Add KMS Key ARN" to enter the key configuration page.
5. Copy and save the JSON file as ROLE-TRUST-POLICY.JSON. This file describes the trust relationship.
6. On your AWS KMS service, you need to add this trust relationship to the key policy. For more information, refer to [Key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html).
7. In the TiDB Cloud console, scroll to the bottom of the key creation page, and then fill in the KMS Key ARN obtained from AWS KMS.
8. Click “Test and Add KMS Key ARN” to check the key trust relationship. After the key trust relationship is configured correctly, you can return to the Premium creation process.

Check failure on line 97 in tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[PingCAP.ZhPunctuation] Don't use Chinese punctuation (”) in English text.

Raw Output:
{"message": "[PingCAP.ZhPunctuation] Don't use Chinese punctuation (”) in English text.", "location": {"path": "tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md", "range": {"start": {"line": 97, "column": 35}}}, "severity": "ERROR"}

Check failure on line 97 in tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[PingCAP.ZhPunctuation] Don't use Chinese punctuation (“) in English text.

Raw Output:
{"message": "[PingCAP.ZhPunctuation] Don't use Chinese punctuation (“) in English text.", "location": {"path": "tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md", "range": {"start": {"line": 97, "column": 10}}}, "severity": "ERROR"}
9. Click “Create” to create Premium TiDB.

Check failure on line 98 in tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[PingCAP.ZhPunctuation] Don't use Chinese punctuation (”) in English text.

Raw Output:
{"message": "[PingCAP.ZhPunctuation] Don't use Chinese punctuation (”) in English text.", "location": {"path": "tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md", "range": {"start": {"line": 98, "column": 17}}}, "severity": "ERROR"}

Check failure on line 98 in tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[PingCAP.ZhPunctuation] Don't use Chinese punctuation (“) in English text.

Raw Output:
{"message": "[PingCAP.ZhPunctuation] Don't use Chinese punctuation (“) in English text.", "location": {"path": "tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md", "range": {"start": {"line": 98, "column": 10}}}, "severity": "ERROR"}
Comment on lines +90 to +98
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

low

The UI instructions can be made clearer by bolding UI elements and improving the wording. This makes the steps easier to follow. The same formatting should be applied to other step-by-step instructions in this document (lines 104-108, 122-128, 134-136).

Suggested change
1. On the My TiDB page, click "Create Resource".
2. In the Plan, select Premium and complete the basic configuration.
3. In Dual-Layer Data Encryption, click "Enable".
4. Then select Customer-Managed Encryption Key (CMEK) and click "Add KMS Key ARN" to enter the key configuration page.
5. Copy and save the JSON file as ROLE-TRUST-POLICY.JSON. This file describes the trust relationship.
6. On your AWS KMS service, you need to add this trust relationship to the key policy. For more information, refer to [Key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html).
7. In the TiDB Cloud console, scroll to the bottom of the key creation page, and then fill in the KMS Key ARN obtained from AWS KMS.
8. Click Test and Add KMS Key ARN to check the key trust relationship. After the key trust relationship is configured correctly, you can return to the Premium creation process.
9. Click Create to create Premium TiDB.
1. On the **My TiDB** page, click **Create Resource**.
2. In **Plan**, select **Premium** and complete the basic configuration.
3. In **Dual-Layer Data Encryption**, click **Enable**.
4. Select **Customer-Managed Encryption Key (CMEK)** and click **Add KMS Key ARN** to go to the key configuration page.
5. Copy and save the JSON content as a file named `ROLE-TRUST-POLICY.JSON`. This file describes the trust relationship.
6. In your AWS KMS service, add this trust relationship to the key policy. For more information, see [Key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html).
7. In the TiDB Cloud console, scroll to the bottom of the key creation page, and then enter the KMS Key ARN that you get from AWS KMS.
8. Click **Test and Add KMS Key ARN** to check the key trust relationship. If the check passes, you can return to the Premium creation page.
9. Click **Create** to create the Premium TiDB instance.
References
  1. Use ordered lists for steps and backticks for code snippets, command names, options, and paths. While not explicitly stated for UI elements, bolding them improves readability. (link)


#### Service-Managed Encryption Key

If you wish to enable Dual-layer Data Encryption based on the Service-Managed Encryption Key, you need to configure it when creating Premium TiDB. Please follow these steps.

1. On the My TiDB page, click "Create Resource".
2. In the Plan, select Premium and complete the basic configuration.
3. In Dual-Layer Data Encryption, click "Enable".
4. Then select Service-Managed Encryption Key.
5. After completing the remaining configurations for Premium TiDB, click "Create" to complete the creation of Premium TiDB.

### Enable Dual-layer Data Encryption on an existing unencrypted Premium TiDB

If you did not enable Dual-layer Data Encryption when creating Premium TiDB, you can still enable it after successful creation. There are two configuration options for the KMS master key: Customer-Managed Encryption Key (CMEK) and Service-Managed Encryption Key.

> **Note:**
>
> Enable Dual-layer Data Encryption on an existing Premium TiDB instance that does not have encryption enabled. This activation process will take some time.

#### Customer-Managed Encryption Key (CMEK)

You need to prepare a symmetric encryption key on your AWS KMS beforehand. Then follow these steps:

1. On the Security page of Premium TiDB service, you can click "Enable" for the Dual-layer Data Encryption feature.
2. Then select Customer-Managed Encryption Key (CMEK) and click "Add KMS Key ARN" to enter the key configuration page.
3. Copy and save the JSON file as ROLE-TRUST-POLICY.JSON. This file describes the trust relationship.
4. On your AWS KMS service, you need to add this trust relationship to the key policy. For more information, refer to [Key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html).
5. In the TiDB Cloud console, scroll to the bottom of the key creation page, and then fill in the KMS Key ARN obtained from AWS KMS.
6. Click “Test and Add KMS Key ARN” to check the key trust relationship.

Check failure on line 127 in tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[PingCAP.ZhPunctuation] Don't use Chinese punctuation (”) in English text.

Raw Output:
{"message": "[PingCAP.ZhPunctuation] Don't use Chinese punctuation (”) in English text.", "location": {"path": "tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md", "range": {"start": {"line": 127, "column": 35}}}, "severity": "ERROR"}

Check failure on line 127 in tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[PingCAP.ZhPunctuation] Don't use Chinese punctuation (“) in English text.

Raw Output:
{"message": "[PingCAP.ZhPunctuation] Don't use Chinese punctuation (“) in English text.", "location": {"path": "tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md", "range": {"start": {"line": 127, "column": 10}}}, "severity": "ERROR"}
7. Click “Enable” to enable the Dual-layer Data Encryption feature.

Check failure on line 128 in tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[PingCAP.ZhPunctuation] Don't use Chinese punctuation (“) in English text.

Raw Output:
{"message": "[PingCAP.ZhPunctuation] Don't use Chinese punctuation (“) in English text.", "location": {"path": "tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md", "range": {"start": {"line": 128, "column": 10}}}, "severity": "ERROR"}

#### Service-Managed Encryption Key

When enabling Dual-layer Data Encryption, you can directly select the Service-Managed Encryption Key. Please follow these steps.

1. On the Security page of Premium TiDB service, you can click "Enable" for the Dual-layer Data Encryption feature.
2. Then select Service-Managed Encryption Key.
3. Click “Enable” to enable the Dual-layer Data Encryption feature.

### View Dual-layer Data Encryption

After enabling Dual-layer Data Encryption in Premium TiDB, you can view it in the following two places:

- You can view the "Encryption" property on the Overview page. The encryption property will display the source of the KMS master key, namely "Enabled with Customer-Managed Encryption Key (CMEK)" and "Enabled with Service-Managed Encryption Key".
- You can view the Dual-layer Data Encryption configuration properties on the Premium TiDB Security page.

### Backup data restore operation under Dual-layer Data Encryption

Backup data generated by a Premium TiDB instance with Dual-layer Data Encryption enabled is also encrypted. Therefore, when restoring this backup data to a new TiDB instance, it is necessary to maintain the consistency of the encryption properties.

#### Customer-Managed Encryption Key (CMEK)

If the Premium TiDB instance is encrypted using a Customer-Managed Encryption Key (CMEK), then verification is required during the recovery process to ensure that the new Premium TiDB instance can correctly access the KMS master key.
During the recovery process, the following checks need to be performed in Dual-layer Data Encryption:

1. In Dual-layer Data Encryption, the key ARN remains unchanged. Click "Check" here to proceed with the KMS master key trust policy check process.
2. In the KMS master key trust check process, check whether the TiDB Cloud account granted in the key policy has changed (compare it with the TiDB Cloud account associated with the original backup TiDB instance).
3. If the TiDB Cloud account in the key policy is the same as the TiDB Cloud account associated with the original backup TiDB instance, then it is not necessary to re-authorize the KMS master key.
4. If the TiDB Cloud account in the key policy is different from the TiDB Cloud account associated with the original backup TiDB instance, then you need to copy the key policy here and then authorize the key in AWS KMS. This ensures that the new Premium TiDB can correctly access the KMS master key.
Comment on lines +154 to +157
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

low

These steps for the restore process can be rephrased for better clarity and to make them easier to follow.

Suggested change
1. In Dual-layer Data Encryption, the key ARN remains unchanged. Click "Check" here to proceed with the KMS master key trust policy check process.
2. In the KMS master key trust check process, check whether the TiDB Cloud account granted in the key policy has changed (compare it with the TiDB Cloud account associated with the original backup TiDB instance).
3. If the TiDB Cloud account in the key policy is the same as the TiDB Cloud account associated with the original backup TiDB instance, then it is not necessary to re-authorize the KMS master key.
4. If the TiDB Cloud account in the key policy is different from the TiDB Cloud account associated with the original backup TiDB instance, then you need to copy the key policy here and then authorize the key in AWS KMS. This ensures that the new Premium TiDB can correctly access the KMS master key.
1. In the **Dual-layer Data Encryption** section, the key ARN remains unchanged. Click **Check** to start the KMS master key trust policy check process.
2. In the KMS master key trust check process, check whether the TiDB Cloud account granted in the key policy has changed by comparing it with the TiDB Cloud account associated with the original backup's TiDB instance.
3. If the TiDB Cloud account in the key policy is the same as the one associated with the original backup's TiDB instance, you do not need to re-authorize the KMS master key.
4. If the TiDB Cloud account in the key policy is different from the one associated with the original backup's TiDB instance, you need to copy the key policy and authorize the key in AWS KMS. This ensures that the new Premium TiDB instance can correctly access the KMS master key.
References
  1. Ensure step instructions are clear and easy to understand. (link)


#### Service-Managed Encryption Key

If the Premium TiDB instance is encrypted using a Service-Managed Encryption Key, then the restored TiDB instance will also be encrypted using a Service-Managed Encryption Key.
Therefore, during the recovery process, you will see that Dual-layer Data Encryption for Premium TiDB is enabled, and the key type is Service-Managed Encryption Key.

### Rotate Customer-Managed Encryption Key (CMEK)

You can configure [automatic CMEK rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) on AWS KMS. You do not need to update the encryption configuration on TiDB Cloud.

### Customer-Managed Encryption Key (CMEK) Authorization Management

If you need to temporarily revoke TiDB Cloud's access to CMEK, follow these steps:

1. On the AWS KMS console, revoke the corresponding permissions and update the KMS Key policy.
2. On the TiDB Cloud console, pause all Premium TiDB instances that use this KMS master key.

Check warning on line 173 in tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[PingCAP.console] Use 'in the TiDB Cloud console' instead of 'On the TiDB Cloud console'.

Raw Output:
{"message": "[PingCAP.console] Use 'in the TiDB Cloud console' instead of 'On the TiDB Cloud console'.", "location": {"path": "tidb-cloud/premium/tidb-cloud-encrypt-cmek-aws-premium.md", "range": {"start": {"line": 173, "column": 4}}}, "severity": "INFO"}

> **Note:**
>
> - Revoking CMEK on AWS KMS will not affect running TiDB instances.
> - When pausing and then resuming a TiDB instance, the TiDB service will not be able to resume normally because CMEK is inaccessible.

After revoking TiDB Cloud's access to CMEK, if you need to restore the access, follow these steps:

1. On the AWS KMS console, restore the CMEK access policy.
2. In the TiDB Cloud console, restore the Premium TiDB instance that uses this KMS master key.
Comment on lines +170 to +183
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

low

This section about authorization management can be improved for clarity and correctness. For example, "On the AWS KMS console" should be "In the AWS KMS console", and "restore the Premium TiDB instance" should be "resume the Premium TiDB instance" to be consistent with "pause".

Suggested change
If you need to temporarily revoke TiDB Cloud's access to CMEK, follow these steps:
1. On the AWS KMS console, revoke the corresponding permissions and update the KMS Key policy.
2. On the TiDB Cloud console, pause all Premium TiDB instances that use this KMS master key.
> **Note:**
>
> - Revoking CMEK on AWS KMS will not affect running TiDB instances.
> - When pausing and then resuming a TiDB instance, the TiDB service will not be able to resume normally because CMEK is inaccessible.
After revoking TiDB Cloud's access to CMEK, if you need to restore the access, follow these steps:
1. On the AWS KMS console, restore the CMEK access policy.
2. In the TiDB Cloud console, restore the Premium TiDB instance that uses this KMS master key.
If you need to temporarily revoke TiDB Cloud's access to CMEK, follow these steps:
1. In the AWS KMS console, revoke the corresponding permissions and update the KMS Key policy.
2. In the TiDB Cloud console, pause all Premium TiDB instances that use this KMS master key.
> **Note:**
>
> - Revoking CMEK in AWS KMS does not affect running TiDB instances.
> - If you pause and then resume a TiDB instance, the TiDB service cannot resume normally because the CMEK is inaccessible.
After revoking TiDB Cloud's access to CMEK, if you need to restore the access, follow these steps:
1. In the AWS KMS console, restore the CMEK access policy.
2. In the TiDB Cloud console, resume the Premium TiDB instance that uses this KMS master key.
References
  1. Use consistent and accurate terminology for technical procedures. (link)

Loading