Feature Introduction
TDSQL Boundless provides Transparent Data Encryption (TDE) based on Tencent Cloud's enterprise-grade Key Management Service (KMS). KMS is a Tencent Cloud service that protects data and key security: every process involved communicates over high-security protocols, and the service runs as a distributed cluster with hot backup, giving it high reliability and availability.
KMS uses a two-layer key system with two types of keys: the Master Key and the Data Key. Users create and manage Customer Master Keys (CMKs) through Tencent Cloud KMS. Data Keys are generated by TDSQL and are the keys actually used to encrypt data. All Data Keys are encrypted as a whole by the CMK with the AES-256-GCM symmetric encryption algorithm, in the form of a Key Manifest, and then flushed to disk. This two-layer key system ensures that all data at rest on disk remains encrypted. Data Keys are rotated automatically every 7 days by default, and historical keys are retained so that files encrypted under older keys can still be decrypted.
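As an added illustration of the two-layer scheme (example code, not TDSQL's or KMS's own implementation), the following Go program wraps each generated data key under a master key with AES-256-GCM, keeps every version in a manifest, and shows that a file written before a rotation still decrypts afterwards. The master key is a constructed 32-byte stand-in for a KMS CMK, and the manifest layout, one-byte version field and file format are assumptions of the example, not TDSQL's on-disk format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Manifest keeps every data key version ever issued (entry i is version i+1) as nonce||AES-256-GCM(cmk, dataKey).
type Manifest struct{ Keys [][]byte }

func gcm(key []byte) cipher.AEAD { // a 32-byte key selects AES-256
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block)
	return aead
}
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Rotate wraps a fresh 256-bit data key under the master key cmk as the newest entry and returns it to the writer.
func (m *Manifest) Rotate(cmk []byte) (version byte, dataKey []byte) {
	nonce, dk := random(12), random(32)
	version = byte(len(m.Keys) + 1) // bound as GCM additional data so manifest entries cannot be swapped
	m.Keys = append(m.Keys, gcm(cmk).Seal(nonce, nonce, dk, []byte{version}))
	return version, dk
}
// EncryptFile seals plaintext under data key version v as [version][nonce][ciphertext+tag].
func EncryptFile(v byte, dataKey, plaintext []byte) []byte {
	nonce := random(12)
	return gcm(dataKey).Seal(append([]byte{v}, nonce...), nonce, plaintext, []byte{v})
}
// DecryptFile unwraps the (possibly historical) data key named by the version byte, then opens the file.
func (m *Manifest) DecryptFile(cmk, blob []byte) ([]byte, error) {
	if len(blob) < 13 || blob[0] < 1 || int(blob[0]) > len(m.Keys) {
		return nil, errors.New("malformed file or unknown data key version")
	}
	e := m.Keys[blob[0]-1]
	dk, err := gcm(cmk).Open(nil, e[:12], e[12:], blob[:1]) // wrong master key or tampered entry fails here
	if err != nil {
		return nil, err
	}
	return gcm(dk).Open(nil, blob[1:13], blob[13:], blob[:1])
}
```

The master key itself never touches the data files: only wrapped data keys are persisted, and the authenticated version byte ties each file to the manifest entry that can open it.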
Supported Versions
TDSQL Boundless version V21.6.2.0 and later.
Use Cases
Transparent Data Encryption (TDE) means that encryption and decryption are transparent to users: data files are encrypted and decrypted in real time at the I/O layer, so data is encrypted before it is written to disk and decrypted when it is read from disk into memory. This meets compliance requirements for encrypting data at rest.
Usage Notes