Updated on 2024-09-05 GMT+08:00

Overview

Encrypting GaussDB(DWS) Databases

In GaussDB(DWS), you can enable database encryption for a cluster to protect static data. After you enable encryption, data of the cluster and its snapshots is encrypted. Encryption is an optional and immutable setting that can be configured during cluster creation. To encrypt an unencrypted cluster, you must export all data from the unencrypted cluster and import it into a new cluster that has database encryption enabled. GaussDB(DWS) encrypts data as it is written to the database, and automatically decrypts it when queried, returning the results to the user.

If encryption is required, enable it during cluster creation. Although encryption is an optional setting of GaussDB(DWS), you are advised to enable this setting for clusters to protect data.

  • The DWS 3.0 cluster does not support database encryption.
  • The database encryption function can be enabled or disabled when a cluster is created. It cannot be enabled after a cluster is created. Once enabled, it cannot be disabled. For details, see Encrypting the Database.
  • After a normal cluster is created, you can convert it to an encrypted cluster.
  • After Encrypt DataStore is enabled, the key cannot be disabled, deleted, or frozen when being used. Otherwise, the cluster becomes abnormal and the database becomes unavailable.
  • Snapshots created after the database encryption function is enabled cannot be restored using open APIs.

Viewing Database Encryption Information

  1. Log in to the GaussDB(DWS) console.
  2. In the navigation pane on the left, choose Clusters > Dedicated Clusters.
  3. Click the name of a cluster. The Cluster Information page is displayed.
  4. In the Data Encryption Information area on the cluster information page, view the database encryption information, as shown in Table 1.

    Table 1 Data encryption information

    Parameter

    Description

    Key Name

    Indicates the database encryption key of the cluster when Encrypt DataStore is enabled.

    Last Key Rotation Time

    Indicates the time when the last encryption key is rotated when Encrypt DataStore is enabled.

    Cryptographic Algorithm

    Indicates the encryption algorithm of the cluster when Encrypt DataStore is enabled.

    Encryption algorithms include:

    • AES256 (general encryption algorithm, SM algorithms not supported)
    • SM4 (compatible with international algorithms)

    If database encryption is disabled by default during cluster creation, the encryption module is not displayed on the cluster details page.

Encrypting GaussDB(DWS) Databases Using KMS

When you choose KMS to manage GaussDB(DWS) keys, a three-layer key management structure is adopted, including the cluster master key (CMK), cluster encryption key (CEK), and database encryption key (DEK).

  • The CMK is used to encrypt the CEK and is stored in KMS.
  • The CEK is used to encrypt the DEK. The CEK plaintext is stored in the data warehouse cluster's memory, and the ciphertext is stored in GaussDB(DWS).
  • The DEK is used to encrypt database data. The DEK plaintext is stored in the data warehouse cluster's memory, and the ciphertext is stored in GaussDB(DWS).

The procedure of using the keys is as follows:

  1. You choose a CMK.
  2. GaussDB(DWS) randomly generates the CEK and DEK plaintext.
  3. KMS uses the CMK you choose to encrypt the CEK plaintext and imports the encrypted CEK ciphertext to GaussDB(DWS).
  4. GaussDB(DWS) uses the CEK plaintext to encrypt the DEK plaintext and saves the encrypted DEK ciphertext.
  5. GaussDB(DWS) transfers the DEK plaintext to the cluster and loads it to the cluster's memory.

When the cluster is restarted, it automatically requests the DEK plaintext from GaussDB(DWS) through an API. GaussDB(DWS) loads the CEK and DEK ciphertext to the cluster's memory, invokes KMS to decrypt the CEK using the CMK, loads the CEK to the memory, decrypts the DEK using the CEK plaintext, loads the DEK to the memory, and returns it to the cluster.

Rotating Encryption Keys

Encryption key rotation is used to update the ciphertext stored on GaussDB(DWS). On GaussDB(DWS), you can rotate the encrypted CEK of an encrypted cluster.

The procedure of rotating the keys is as follows:

  1. The GaussDB(DWS) cluster starts key rotation.
  2. GaussDB(DWS) decrypts the CEK ciphertext stored on GaussDB(DWS) based on the CMK to obtain the CEK plaintext.
  3. Use the obtained CEK plaintext to decrypt the DEK ciphertext in GaussDB(DWS) to obtain the DEK plaintext.
  4. GaussDB(DWS) randomly generates new CEK plaintext.
  5. GaussDB(DWS) uses the new CEK plaintext to encrypt the DEK and saves the encrypted DEK ciphertext.
  6. Use the CMK to encrypt the new CEK plaintext and import the encrypted CEK ciphertext to GaussDB(DWS).

You can plan the key rotation interval based on service requirements and data types. To improve data security, you are advised to periodically rotate the keys to prevent the keys from being cracked. Once you find that your keys may have been disclosed, rotate the keys in time.

  • When GaussDB(DWS) rotates the cluster's CEK, snapshots of the cluster do not need CEK rotation, because the CEK is not stored in snapshots. The CEK plaintext is stored in the GaussDB(DWS) cluster memory, and the ciphertext is stored in GaussDB(DWS).
  • The DEK is not updated during key rotation, so data encryption and decryption are not affected.