pingcap · sunxiaoguang · Dec 20, 2025 · Dec 20, 2025 · Dec 20, 2025 · Dec 22, 2025
diff --git a/tidb-cloud/security-concepts.md b/tidb-cloud/security-concepts.md
@@ -221,6 +221,18 @@ TiDB Cloud safeguards static data with advanced encryption capabilities, ensurin
 
 - For TiDB Cloud Dedicated clusters without CMEK, TiDB Cloud uses escrow keys; {{{ .starter }}} and {{{ .essential }}} clusters rely exclusively on escrow keys.
 
+**Dual-layer encryption**
+
+- Dual-layer encryption protects data with two independent layers of encryption. This method provides enhanced security by protecting against the compromise of any single encryption layer.
+
+- The cloud provider where your cluster is running encrypts all persisted data at rest using its native storage-level encryption mechanisms.
+
+- On top of the cloud provider's encryption, TiDB Cloud adds a second encryption layer by automatically encrypting data at rest using either customer-managed encryption keys (CMEK) or escrow keys.
+
+- Dual-layer encryption is **disabled** by default for {{{ .starter }}} clusters and **enabled** by default for {{{ .essential }}} clusters.
+
+- Dual-layer encryption is **enabled** by default for all TiDB Cloud Dedicated clusters and cannot be disabled.
+
 **Best practices:**
 
 - Regularly rotate CMEK keys to enhance security and meet compliance standards.
@@ -255,4 +267,4 @@ Records detailed database operations, including executed SQL statements and user
 
 - Use logs for compliance reporting and forensic analysis.
 
-For more information, see [Console Audit Logging](/tidb-cloud/tidb-cloud-console-auditing.md) and [Database Audit Logging](/tidb-cloud/tidb-cloud-auditing.md).
+For more information, see [Console Audit Logging](/tidb-cloud/tidb-cloud-console-auditing.md) and [Database Audit Logging](/tidb-cloud/tidb-cloud-auditing.md).