GaussDB (for MySQL) new feature TDE released: supports transparent data encryption

This article is shared from the Huawei Cloud Community post "GaussDB (for MySQL) new feature TDE released: supports transparent data encryption", author: GaussDB database.

Technical background

To protect data, we may use firewalls, identity authentication, permission control, network and port access control, transport encryption and other measures at every stage of a program's execution, but none of these guarantees the security of data at rest on physical media: if a malicious party steals a physical medium such as a hard drive, the data stored on it can potentially be recovered.

Transparent Data Encryption (TDE) is a mechanism that protects data at rest by performing real-time I/O encryption and decryption of data files: data is encrypted before it is written to disk and decrypted when it is read from disk into memory. The data therefore exists in plaintext in the database's shared memory and in ciphertext on the storage medium, which effectively protects data at rest.

Feature value

The core value of TDE, a new feature of GaussDB (for MySQL), lies in protecting data at rest, while also helping customers meet security-related regulatory compliance requirements:

(1) Data protection: supports two encryption algorithms, AES256 and SM4, to encrypt data and protect its security, helping users meet regulatory compliance requirements.

(2) Transparent access: database users are unaware that the data they access is stored encrypted at the underlying layer. Users authenticated by the database access the data transparently, and upper-layer applications need no changes.

Implementation principle

  1. When a user creates a new database instance, or creates one by backup and restore, with the TDE switch turned on, the database service requests KMS (Key Management Service) to generate a data encryption key (DEK).
  2. GaussDB (for MySQL) uses the DEK to encrypt data before writing it to the storage unit and to decrypt data read from the storage unit into memory. The supported encryption algorithms are AES256 and SM4.
  3. The DEK is held in the memory of GaussDB (for MySQL). In a restart scenario, the service asks KMS to decrypt the DEK again, caches it in memory, and continues to use it for encrypting and decrypting reads and writes.
  4. Business applications access the database without being aware of the underlying encryption and decryption; upper-layer business can connect to a TDE-encrypted instance without any adaptation.
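As an added illustration (not GaussDB code), the following Go model walks through the four steps above: a stand-in KMS that holds the key encryption key (KEK) and hands out a KEK-wrapped DEK, AES-256-GCM encryption of pages before they reach "disk", decryption on read, and a restart that re-obtains the DEK from KMS. The KMS, Instance, seal and open names, the GCM mode and the sample page content are assumptions; the page names AES256 and SM4 only, and SM4 is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcm builds AES-256-GCM for a 32-byte key; an unusable key (no DEK cached in memory) is fatal here.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // the AES block size always suits GCM
	return g
}

// seal prepends a fresh random nonce to the ciphertext; open reverses it.
func seal(key, pt []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// KMS stands in for the Key Management Service (assumed model): it holds the KEK and only
// ever returns DEKs (plaintext or KEK-wrapped), never the KEK itself.
type KMS struct{ kek []byte }

func NewKMS() *KMS { k := make([]byte, 32); rand.Read(k); return &KMS{kek: k} }

// GenerateDataKey returns a plaintext DEK for memory and its wrapped copy for disk (step 1).
func (k *KMS) GenerateDataKey() (dek, wrapped []byte) {
	dek = make([]byte, 32)
	rand.Read(dek)
	return dek, seal(k.kek, dek)
}
func (k *KMS) Decrypt(wrapped []byte) ([]byte, error) { return open(k.kek, wrapped) }

// Instance: ciphertext pages and the wrapped DEK persist on "disk" (Disk); the
// plaintext DEK lives only in memory and is obtained from KMS again on restart.
type Instance struct{ kms *KMS; wrapped, dek []byte; Disk map[string][]byte }

func NewInstance(k *KMS) *Instance {
	dek, wrapped := k.GenerateDataKey()
	return &Instance{kms: k, wrapped: wrapped, dek: dek, Disk: map[string][]byte{}}
}

// Restart models step 3: the cached DEK is gone, so KMS must unwrap it again.
func (i *Instance) Restart() (err error) { i.dek, err = i.kms.Decrypt(i.wrapped); return }
func (i *Instance) WritePage(id string, pt []byte) { i.Disk[id] = seal(i.dek, pt) } // step 2, write path
func (i *Instance) ReadPage(id string) ([]byte, error) { return open(i.dek, i.Disk[id]) } // step 2, read path
```

Only ciphertext and the wrapped DEK ever sit in Disk, so a copy of the storage alone cannot be decrypted without the KMS that holds the KEK.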


Business scenario/process

Enable TDE encryption for new instances

When purchasing a GaussDB (for MySQL) database, select the encryption algorithm and turn on the TDE switch to create a GaussDB (for MySQL) instance that supports TDE. Once TDE is turned on for a database instance, it cannot be turned off.


Restore existing data backup to new encrypted instance

The TDE switch can only be turned on when creating a new database instance. To encrypt existing data, back it up and restore it to a new encrypted instance. The scenarios supported by backup and restore are shown in the figure below: both the unencrypted-to-encrypted and the encrypted-to-encrypted paths are supported, that is, backup data can be restored to a new TDE-encrypted instance.

[Figure: supported backup and restore paths to a TDE-encrypted instance]

Summary

GaussDB (for MySQL) implements Transparent Data Encryption (TDE) and supports two encryption algorithms, AES256 and SM4. Customers can enable TDE when creating a new instance, or encrypt existing data by restoring a backup of an existing instance to a new encrypted instance, achieving protection of data at rest without any change to upper-layer business.


Origin my.oschina.net/u/4526289/blog/10679776