Transparent Data Encryption
Last updated: 2024-12-18 15:00:53
This document describes the Transparent Data Encryption (TDE) feature of TDSQL-C for MySQL.

Feature Overview

The TDE feature makes data encryption and decryption operations transparent to the user.

Application Scenario

With the TDE feature, real-time I/O encryption and decryption are supported for data files. Data is encrypted before being written to disk and decrypted when it is read from disk into memory, which meets compliance requirements for encryption of data at rest.

Prerequisites

Instance version is MySQL 5.7 2.1.12 or later, or MySQL 8.0 3.1.15.005 or later.
The instance is running.

Precautions

To use the TDE feature, the Key Management Service (KMS) should be enabled. If not enabled, it can be enabled during the TDE enablement process as guided.
To use the TDE feature, KMS key permissions should be granted. If not granted, they can be granted during the TDE enablement process as guided.
The operating account must have the QcloudAccessForMySQLRole permission. If it does not, the permission can be granted during the TDE enablement process as guided.

Billing Instructions

The keys used for encryption are generated and managed by the Key Management Service (KMS). The TDSQL-C for MySQL data encryption feature incurs no additional charges, but KMS may generate additional fees. For more details, please refer to the Billing Overview.

Use Limitations

Only symmetric encryption is supported.
If the permission granted to the operating account is revoked after TDE is enabled, re-enabling the instance will cause the database to become unavailable.
TDE can only be enabled and cannot be disabled. Once TDE is enabled, the certificate key on the instance cannot be deleted.
After the KMS Custom Master Key is deleted, the user instance will become unavailable.
If the TDE feature is enabled and the account is in an overdue status, keys cannot be obtained from KMS, which may cause migration, upgrade, and other tasks to fail to proceed normally.

Operations

Enabling data encryption

1. Log in to the TDSQL-C for MySQL console and click cluster ID in the cluster list to enter the cluster management page.
2. Select the Data Security tab on the cluster management page.
3. Select Data Encryption and click the button before Not activated to enable the data encryption feature.

4. In the pop-up dialog box, select the key method and click OK.
Note:
If you have not enabled the KMS service or have not yet been granted KMS key permissions, follow the prompts in the dialog box: click Enable next to the KMS service, then click Proceed to authorize next to the KMS key permission grant. Completing these enablement and authorization steps unlocks the remaining settings of the data encryption feature.

Selecting Keys
Use of the key auto-generated by Tencent Cloud: The system will automatically generate the key.
Use of an existing custom key: You can select a key that you have custom-created.
Region: If you use an existing custom key, you need to select the region where the existing key is located.
Key: If you use an existing custom key, you can select the existing key by its name. If there are no created keys, you can click Go to Create to create one in the KMS console, and then reselect.
5. When the cluster running status changes from "Running Asynchronous Task: Data Encryption" to "Running", data encryption has been enabled successfully. To check the task progress, go to the Task List.

Encrypting Data Tables

Enabling the data encryption feature does not by itself encrypt existing tables: you need to run the following Data Definition Language (DDL) statements on the database tables to encrypt their data.
If you want to encrypt the table during table creation, execute the following command:
CREATE TABLE t1 (c1 INT) ENCRYPTION='Y';
If you want to encrypt an existing table, execute the following command:
ALTER TABLE t1 ENCRYPTION='Y';

Decrypting Data Tables

After the data encryption feature is enabled, perform the following DDL operations if you need to decrypt an encrypted table.
ALTER TABLE t1 ENCRYPTION='N';
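To make the encrypt and decrypt DDL above concrete, and to check that no table was left unencrypted after enablement, here is an added example (not part of the Tencent Cloud documentation). It assumes TDE is already enabled on the cluster, that tables use file-per-table InnoDB tablespaces, and that the schema app_db and its table names are constructed for illustration.

```sql
-- Added example, not from the Tencent Cloud documentation.
-- Assumptions: TDE already enabled on the cluster, file-per-table InnoDB,
-- schema app_db and the table names below are constructed.

USE app_db;

-- New table, encrypted at creation time (CREATE TABLE ... ENCRYPTION='Y').
CREATE TABLE customer_pii (
    id        BIGINT PRIMARY KEY,
    email     VARCHAR(255) NOT NULL,
    ssn_last4 CHAR(4)
) ENGINE=InnoDB ENCRYPTION='Y';

-- A table created before TDE was enabled stays unencrypted until altered.
CREATE TABLE order_history (
    id       BIGINT PRIMARY KEY,
    customer BIGINT NOT NULL,
    total    DECIMAL(12,2)
) ENGINE=InnoDB;

-- Encrypt the existing table in place (ALTER TABLE ... ENCRYPTION='Y';
-- this rebuilds the tablespace, so plan it for a low-traffic window).
ALTER TABLE order_history ENCRYPTION='Y';

-- Audit: list every InnoDB table in the schema with its encryption state.
-- CREATE_OPTIONS renders the flag as ENCRYPTION="Y" on MySQL 5.7 and
-- ENCRYPTION='Y' on MySQL 8.0; the _ wildcard matches either quote style.
SELECT TABLE_NAME,
       CASE WHEN CREATE_OPTIONS LIKE '%ENCRYPTION=_Y_%'
            THEN 'encrypted' ELSE 'NOT encrypted' END AS tde_state
FROM   information_schema.TABLES
WHERE  TABLE_SCHEMA = 'app_db'
  AND  ENGINE = 'InnoDB'
  AND  TABLE_TYPE = 'BASE TABLE'
ORDER  BY TABLE_NAME;

-- Generate the ALTER statements for any table still unencrypted, so nothing
-- is missed after enablement. Review the output before running it.
SELECT CONCAT('ALTER TABLE `', TABLE_SCHEMA, '`.`', TABLE_NAME,
              '` ENCRYPTION=''Y'';') AS remediation_sql
FROM   information_schema.TABLES
WHERE  TABLE_SCHEMA = 'app_db'
  AND  ENGINE = 'InnoDB'
  AND  TABLE_TYPE = 'BASE TABLE'
  AND  CREATE_OPTIONS NOT LIKE '%ENCRYPTION=_Y_%';
```

After the ALTER statements, the first query should report every table as encrypted and the second should return no rows.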