gaussdb database user and security management [data encryption] [03]

1. Data encryption

The key used for data encryption is derived by the system from the wallet password through a series of transformations. The wallet password is chosen by the user and must meet the password complexity requirements.

  • Note:
    GaussDB does not provide an interface for changing the wallet password. Once it has been set, make sure it is not lost.

01. Set the wallet password for data encryption.

Use the following SQL command to set the wallet password. This example sets the wallet password to gaussdb_123:

ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY 'gaussdb_123';

Description:

  • After the wallet password is set, GaussDB derives the key used for data encryption from the wallet password through a series of transformations.
  • The wallet password and the key used for data encryption are stored in encrypted form in the wallet.tablespace file, located in the directory specified by the wallet_directory parameter.

02. Turn on encrypted data access.

Encrypted data access is enabled by supplying the wallet password that was set. GaussDB verifies the password entered by the user; the encryption function can be used only if it matches the wallet password exactly. Using the wallet password gaussdb_123 as an example:

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY 'gaussdb_123'; 

Description:

  • If the password verification passes, GaussDB recovers the key used for data encryption by applying the inverse of the transformations used to derive it.

03. Create an encrypted table space.

This example creates an encrypted tablespace named TABLESPACE_FVT_TABLESPACE_ENCRYPT:

CREATE TABLESPACE TABLESPACE_FVT_TABLESPACE_ENCRYPT LOCATION '/home/gaussdba/FVT_TABLESPACE_ENCRYPT' ENCRYPTION;

or:

CREATE TABLESPACE TABLESPACE_FVT_TABLESPACE_ENCRYPT LOCATION '/home/gaussdba/FVT_TABLESPACE_ENCRYPT' ENCRYPTION USING 'AES128'; 

Description:

  • The two SQL commands above are functionally identical; either one can be used.
  • In the second command, the USING clause specifies the encryption algorithm used for encrypted storage. Currently the value must be AES128; other encryption algorithms are not yet supported.

04. Create the table that holds the user's sensitive data in the encrypted tablespace.

CREATE TABLE TABLE_FVT_TABLESPACE_ENCRYPT(F TEXT) TABLESPACE TABLESPACE_FVT_TABLESPACE_ENCRYPT;
INSERT INTO TABLE_FVT_TABLESPACE_ENCRYPT VALUES('HELLO WORLD!');

05. Turn off encrypted data access.

When you no longer need to access encrypted data, turn off encrypted data access with the following SQL command. Once the wallet is closed, encrypted data can no longer be accessed at all.

ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY 'gaussdb_123';
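The five steps above run as a single session, with a read-back at each stage so you can confirm the wallet state actually changed. This is an added example, not code from the original post; it reuses the page's own names and the example password gaussdb_123. The SHOW and SELECT statements used for verification are assumptions about GaussDB's PostgreSQL-style behaviour, not commands documented on the page.

```sql
-- Added example (not from the original post): steps 01 to 05 as one session.
-- Names and the password are the page's own; the SHOW / SELECT statements used
-- to verify each stage are assumed PostgreSQL-style behaviour.

-- Step 01: derive the data-encryption key from the wallet password.
-- Run this interactively rather than from a saved script: the password
-- cannot be changed afterwards, so it should not linger in files or history.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY 'gaussdb_123';

-- Where wallet.tablespace was written. Check that this directory is readable
-- only by the database OS user, since it holds the encrypted key material.
SHOW wallet_directory;

-- Step 02: open the wallet so the key can be recovered and used.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY 'gaussdb_123';

-- Step 03: encrypted tablespace. ENCRYPTION and ENCRYPTION USING 'AES128'
-- are equivalent; AES128 is the only algorithm currently accepted.
CREATE TABLESPACE TABLESPACE_FVT_TABLESPACE_ENCRYPT
    LOCATION '/home/gaussdba/FVT_TABLESPACE_ENCRYPT'
    ENCRYPTION USING 'AES128';

-- Step 04: keep the sensitive table in that tablespace.
CREATE TABLE TABLE_FVT_TABLESPACE_ENCRYPT (F TEXT)
    TABLESPACE TABLESPACE_FVT_TABLESPACE_ENCRYPT;
INSERT INTO TABLE_FVT_TABLESPACE_ENCRYPT VALUES ('HELLO WORLD!');

-- With the wallet open, reads behave like any other table.
SELECT F FROM TABLE_FVT_TABLESPACE_ENCRYPT;

-- Step 05: close the wallet once encrypted data is no longer needed.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY 'gaussdb_123';

-- This read is expected to fail: the page states that no access to encrypted
-- data is possible while the wallet is closed. Run it to confirm the close
-- took effect before leaving the session.
SELECT F FROM TABLE_FVT_TABLESPACE_ENCRYPT;
```

The closing SELECT is the useful check: if it still returns rows, the wallet was not actually closed and the data remains readable to any session with table privileges, which defeats the purpose of step 05.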

Origin blog.csdn.net/qq_42226855/article/details/109563343