tencent cloud

Feedback

Enabling Transparent Data Encryption

Last updated: 2022-11-07 17:53:32

    Overview

    TencentDB for MySQL comes with the transparent data encryption (TDE) feature. Transparent encryption means that the data encryption and decryption are transparent to users. TDE supports real-time I/O encryption and decryption of data files. It encrypts data before it is written to disk, and decrypts data when it is read into memory from disk, which meets the compliance requirements of static data encryption.

    Limits

    • The database version must be MySQL 5.7 or 8.0.
    • Key Management Service (KMS) must be activated. To do so, you can follow the instructions provided during the TDE activation process.
    • KMS key permissions must be granted. To do so, you can follow the instructions provided during the TDE activation process.
    • Your account needs the QcloudAccessForMySQLRole permission. To do so, you can follow the instructions provided during the TDE activation process.
      Note:


      -The keys used for encryption are generated and managed by KMS. TencentDB for MySQL does not provide keys or certificates required for encryption.

    • If your account has overdue payment, you cannot get keys from KMS, which may cause instance migration and upgrade tasks to fail. For more information, see Notes on Arrears.

    Notes

    • Once the authorization is revoked, MySQL databases will be inaccessible upon restart.
    • TDE can't be disabled once enabled.
    • Once TDE is enabled, you need to decrypt data before you can restore it to a local database.
    • TDE enhances the security of static data while compromising the read-write performance of encrypted databases. Therefore, use it based on your actual needs.
    • If the source instance is associated with a read-only or disaster recovery instance, you only need to enable TDE for the source instance, which will then be automatically enabled for its associated instances.
    • After TDE is enabled, if your account has overdue payment, you cannot get keys from KMS, which may cause migration, upgrade, and other tasks to fail.
    • After TDE is enabled, more CPU resources will be consumed, and about 5% of the performance will be compromised.

    Directions

    Enabling TDE

    1. Log in to the TencentDB for MySQL console. In the instance list, click an instance ID or Manage in the Operation column to enter the instance management page.
    2. On the Data Encryption tab, toggle on Encryption Status.
      Note:

      • An instance with TDE enabled cannot be restored from a physical backup to a self-created database on another server.
      • Once you enable TDE, you cannot disable it.
    3. In the pop-up dialog box, activate the KMS, grant the KMS key permissions, select a key, and click Encrypt.
      • If you select Use key auto-generated by Tencent Cloud, the key will be auto-generated by Tencent Cloud.
      • If you select Use existing custom key, you can select a key created by yourself.
        Note:

        If there are no custom keys, click go to create to create keys in the KMS console. For more information, see Creating a Key.

    Encrypting a table

    Once you enable TDE, you can encrypt a table of a MySQL instance by running the example DDL statements on the table.

    • To encrypt a table upon creation, run the following statement:

      CREATE TABLE t1 (c1 INT) ENCRYPTION='Y';
      
    • To encrypt an existing table, run the following statement:

      ALTER TABLE t1 ENCRYPTION='Y';
      

    Decrypting a table

    Once you enable TDE, you can decrypt a table of a MySQL instance by running the example DDL statement on the table.
    To decrypt an encrypted table, run the following statement:

    ALTER TABLE t1 ENCRYPTION='N';
    
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support