Updated on 2023-03-30 GMT+08:00

Transparent Data Encryption

Description

Transparent Data Encryption (TDE) encrypts GaussDB(DWS) data files. Generally, threat mitigation measures are taken to protect data security. For example, design a secure system, encrypt confidential assets, or build a firewall around database servers. However, in a scenario where the physical media (for example, disks) are stolen by attackers or internal personnel, the malicious party can just restore or attach the database and browse the data. One solution is to encrypt the sensitive data in the database and protect the keys that are used to encrypt the data. This prevents anyone without the keys from using the data, but this kind of protection must be planned. The GaussDB(DWS) provides a complete solution.

TDE performs real-time I/O encryption and decryption of the data. Users are unaware of the encryption. The encryption uses a database encryption key (DEK), which is not stored in the cluster. The DEK is a symmetric key secured by using the cluster encryption key (CEK) stored in the KMS server. Database servers store only DEK ciphertext. During database startup, each CN/DN uses identity authentication (for example, Kerberos) to connect to the KMS server, decrypts the DEK ciphertext to obtain the key plaintext, and caches it in the memory. Once the host is powered off or the cluster is shut down, keys are deleted. Therefore, do not lose key files in the cluster because they are irrecoverable.

Use Cases

In a traditional database cluster, user data is stored in plaintext in column-store or row-store files. Cluster maintenance personnel or malicious attackers can bypass the database permission control mechanism in the OS or steal disks to access user data. GaussDB(DWS) adopts and enhances the Hadoop KMS. The connection to third-party KMS helps GaussDB(DWS) achieve transparent data encryption for data security.

GaussDB(DWS) obtains keys from the third-party KMS through the Hadoop KMS.

Figure 1 Data storage encryption

GaussDB(DWS) Transparent Encryption

In GaussDB(DWS) database-level transparent encryption, each GaussDB(DWS) cluster has a CEK, and each database is configured with a DEK. DEKs are encrypted using the CEK and their ciphertext is stored in GaussDB(DWS) clusters. Keys are applied for, encrypted, and decrypted through the KMS service. The encryption algorithm is configured using configuration items. Currently, the AES and SM4 algorithms are supported. The SM4 algorithm supports hardware acceleration in chips of Hi 1620 or later.

Currently, database-level transparent encryption is supported. You need to configure encryption when creating a cluster.

For details about how to configure transparent encryption, see Encrypting GaussDB(DWS) Databases.