Updated on 2025-08-22 GMT+08:00

Overview

As enterprise data is migrated to the cloud, data security and privacy protection are facing increasingly severe challenges. The encrypted database will solve the privacy protection issues in the entire data lifecycle, covering network transmission, data storage, and data running status. Furthermore, the encrypted database can implement data privacy permission separation in a cloud scenario, that is, separate data owners from data administrators in terms of the read permission. The encrypted equality query is used to solve equality query issues of ciphertext data.

Encryption Model

A fully-encrypted database uses a multi-level encryption model. The encryption model involves three objects: data, column key, and master key, which are described as follows:

  • Data, including:
    • Data contained in the SQL syntax. For example, the INSERT...VALUES ('data') syntax contains 'data'.
    • Query result returned from the database server, for example, the query result returned after the SELECT... syntax is executed.

    An encrypted database encrypts data of encrypted columns in the SQL syntax in the driver and decrypts the query result of the encrypted columns returned from the database server.

  • Column key: Data is encrypted by using column keys. The column keys are generated by the database driver or manually imported by users. The column key ciphertext is stored on the database server.
  • Master key: Column keys are encrypted by using master keys. The master keys are generated and stored by an external key manager. The database driver automatically accesses the external key manager to encrypt and decrypt column keys.

Overall Process

The process of using a fully-encrypted database consists of the following five phases. This section describes the overall process. Using gsql to Operate an Encrypted Database and Using JDBC to Operate an Encrypted Database describe the detailed process.

1. Master key generation phase: First, you need to generate a master key in Huawei Cloud key management service, and prepare parameters for accessing the master key, such as the key ID and key service account.

2. Configuration phase: On the database driver side, set parameters for accessing the master key.

3. DDL statement execution phase: In this phase, you can use the key syntax of the encrypted database to define the master key and column key in sequence, define the table, and specify a column in the table as an encrypted column. When defining the master key and column key, you need to access the master key generated in the previous phase.

4. DML statement execution phase: After an encrypted table is created, you can directly execute syntax including but not limited to INSERT, SELECT, UPDATE, and DELETE. The database driver automatically encrypts and decrypts data of the encrypted column based on the encryption definition in the previous phase.

5. Cleanup phase: Delete the encrypted table, column key, and master key in sequence.

Master Key Generation Phase

If you use the encrypted database for the first time, you need to perform the preparation. The next time you use the database, you can skip this phase.

The encrypted database can use different external keys to manage the master key. Select one of them as required.

  • Huawei Cloud scenario
    1. Register an account with the Huawei Cloud official website and log in to the system.
    2. Search for Identity and Access Management (IAM) on the Huawei Cloud official website. On the page that is displayed, click Create User, set the IAM password for the IAM user, and grant the data encryption workshop (DEW) permission to the new IAM user.

    3. Go back to the login page, click IAM User, and log in to the system as the newly created IAM user. The subsequent operations are all performed by the IAM user.
    4. Search for Data Encryption Workshop on Huawei Cloud. On the page that is displayed, click Key Management Service and click Create Key to create a key. After the key is created, you can see that each key has a key ID. Remember the key ID, which will be used when you create a master key in the DDL statement execution phase.

    5. The key generated in this step is the master key used in the encrypted database. The key is stored in Huawei Cloud key management service. When SQL statements related to encryption and decryption are executed, the database driver automatically accesses the key through the RESTful API of Huawei Cloud.

Configuration Phase

Configuring Parameters for Accessing External Keys

  • Huawei Cloud scenario
    Configure the following information through environment variables.
    export HUAWEI_KMS_INFO='iamUrl=https://iam.{Project}.myhuaweicloud.com/v3/auth/tokens, iamUser={IAM username}, iamPassword={IAM user key}, iamDomain={Account name}, kmsProject={Project}'

    On the Huawei Cloud console, click the username in the upper right corner and go to the API Credentials page. On this page, you can obtain the required parameters, including project, IAM username, and account name. Remember the project ID on this page, which will be used when you create a master key in the DDL statement execution phase.

    Figure 1 Obtaining parameters on the Huawei Cloud page
    # Example
    export HUAWEI_KMS_INFO='iamUrl=https://iam.cn-north-4.myhuaweicloud.com/v3/auth/tokens, iamUser=test_user, iamPassword=**********, iamDomain=test_account, kmsProject=cn-north-4'