Enabling Transparent Data Encryption

Last updated: 2020-12-01 18:02:06

    Overview

    TencentDB for MySQL comes with the transparent data encryption (TDE) feature. Transparent encryption means that the data encryption and decryption are transparent to users. TDE supports real-time I/O encryption and decryption of data files. It encrypts data before the data is written to disk, and decrypts data when the data is read into memory from disk, which meets the compliance requirements of static data encryption.

    Limits

    • Only TencentDB for MySQL v5.7 supports TDE.
    • Key Management Service (KMS) must be activated. To do so, you can follow the instructions provided during the TDE activation process.
    • KMS key permissions must be granted. You can do so by following the instructions provided during the TDE activation process.
    • Your account must be granted the QcloudAccessForMySQLRole role. You can do so by following the instructions provided during the TDE activation process.

      Note:

      The keys used for encryption are generated and managed by KMS. TencentDB for MySQL does not provide keys or certificates required for encryption.

    Notes

    • Once the KMS key authorization is revoked, MySQL databases will be inaccessible upon restart.
    • Once you enable TDE, you cannot disable it.
    • Once TDE is enabled, you need to decrypt data before you can restore it to a local database.
    • TDE enhances the security of static data but reduces the read-write performance of encrypted databases. Therefore, please use the feature based on your actual needs.
    • If a source instance is associated with a disaster recovery instance, TDE must also be enabled on the disaster recovery instance. Otherwise, the data synchronization of the disaster recovery instance may fail.

    Directions

    Enabling TDE

    1. Log in to the TencentDB for MySQL Console. In the instance list, click the instance ID/name or Manage in the "Operation" column to access the instance management page.
    2. On the Data Encryption tab, click the toggle button next to Encryption Status.

      Note:

      • An instance with TDE enabled cannot be restored from a physical backup to a self-created database on another server.
      • Once you enable TDE, you cannot disable it.
    3. In the pop-up dialog box, activate the KMS, grant the KMS key permissions, select a key, and click Encrypt.
      • If you select Use key auto-generated by Tencent Cloud, the key will be auto-generated by Tencent Cloud.
      • If you select Use existing custom key, you can select a key created by yourself.

        Note:

        If there are no custom keys, click go to create to create keys in the KMS Console. For more information, please see Creating a Key.

    Encrypting a table

    Once you enable TDE, you can encrypt a table of a MySQL instance by running the example DDL statements on the table.

    • To encrypt a table upon creation, run the following statement:
      CREATE TABLE t1 (c1 INT) ENCRYPTION='Y';
    • To encrypt an existing table, run the following statement:
      ALTER TABLE t1 ENCRYPTION='Y';

    Decrypting a table

    Once you enable TDE, you can decrypt a table of a MySQL instance by running the example DDL statement on the table.
    To decrypt an encrypted table, run the following statement:

    ALTER TABLE t1 ENCRYPTION='N';
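    The following is an added example (not from this page or from Tencent Cloud) that puts the encrypt and decrypt statements above together with an audit query, so you can confirm which tables in a schema actually have TDE applied. The schema name app_db and the table names are assumed; run it only after TDE has been enabled on the instance.

```sql
-- Added example, not Tencent Cloud's own code. Schema and table names
-- are assumed. Requires TDE to be enabled on the instance first.
-- In MySQL 5.7, InnoDB encrypts file-per-table tablespaces, so the
-- tables below must not live in the shared system tablespace.
CREATE DATABASE IF NOT EXISTS app_db;
USE app_db;

-- New table: encrypted from the moment it is created
CREATE TABLE customers (
  id    INT PRIMARY KEY,
  email VARCHAR(255) NOT NULL
) ENGINE=InnoDB ENCRYPTION='Y';

-- Table that existed before TDE was enabled: the ALTER rewrites the
-- tablespace with encryption, which takes time on large tables
CREATE TABLE orders (
  id          INT PRIMARY KEY,
  customer_id INT,
  amount      DECIMAL(10,2)
) ENGINE=InnoDB;
ALTER TABLE orders ENCRYPTION='Y';

-- Audit check: list every InnoDB base table in app_db and whether its
-- CREATE_OPTIONS records ENCRYPTION="Y". A row showing encrypted = 'N'
-- still stores its data unencrypted on disk and should be fixed.
SELECT TABLE_NAME,
       IF(CREATE_OPTIONS LIKE '%ENCRYPTION="Y"%', 'Y', 'N') AS encrypted
FROM   INFORMATION_SCHEMA.TABLES
WHERE  TABLE_SCHEMA = 'app_db'
  AND  TABLE_TYPE   = 'BASE TABLE'
  AND  ENGINE       = 'InnoDB'
ORDER BY TABLE_NAME;

-- Reverting a single table to plaintext (instance-level TDE stays on)
ALTER TABLE orders ENCRYPTION='N';
```

    Running the audit query again after the final ALTER shows orders with encrypted = 'N', which is the state you would look for when verifying that no table was left unencrypted by mistake.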
