> For the complete documentation index, see [llms.txt](https://karansingh.gitbook.io/aws-saa-c02/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://karansingh.gitbook.io/aws-saa-c02/rds/rds-encryption.md).

# RDS Encryption

* **RDS can encrypt your Amazon RDS database instances**.
  * **Data that is encrypted at rest** includes the **underlying storage for database instances, its automated backups, read replicas, and snapshots**.

* RDS encrypted DB instances **use the industry standard AES-256 encryption algorithm** to encrypt your data on the server that hosts your Amazon RDS DB instances.<br>

* After your data is encrypted, Amazon **RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance**.<br>

* RDS also **supports encrypting an Oracle or SQL Server DB instance with Transparent Data Encryption (TDE)**.<br>

* **Snapshots of unencrypted databases are unencrypted**.<br>

* **Snapshots of encrypted databases are encrypted**.<br>

* You can **copy an unencrypted snapshot and turn it into an encrypted one**.<br>

* **Encrypt unencrypted RDS database:**\
  1\. **Create a snapshot of the unencrypted database**.\
  \
  2\. **Encrypt the snapshot** (using `copy`).\
  \
  3\. **Restore the database from the encrypted snapshot**.\
  \
  4\. **Migrate applications to the new database**.<br>

* You can **use SSL or TLS from your application to encrypt a connection to a DB instance**.
  * Each DB engine has its own process for implementing SSL/TLS.
