- Release Notes and Announcements
- Release Notes
- Announcements
- Announcement on Release of New Upgrade Mechanism for Kernel Minor Version
- Announcement on Optimization of Instance Storage Capacity, IOPS, and I/O Bandwidth
- Announcement on Some APIs with CAM Authentication Integrated
- Announcement on Sales Suspension of Some General Specifications
- Announcement on Some APIs Integrated with CAM Authentication
- Announcement on Some APIs with CAM Authentication Integrated
- Announcement on Change of Part of Parameters
- Announcement on Update of Database Audit Feature
- Announcement on Authentication of a Newly Added API Interface of Database Audit
- Announcement on Change of Public Network Linkage
- TDSQL-C for MySQL Audit Service Update
- Announcement on Supplementary Charge for Clusters with Pay-as-You-Go Storage Billing Mode
- Announcement on New APIs Integrated with CAM Permissions
- Announcement on the Release of New Version of Database Proxy
- Emergency Fix for Certain Monitoring Metrics
- Monitoring Metric Optimization
- Change to Database Audit Resource ID
- Ops Change
- Storage Price Adjustment Notification
- Beginner's Guide
- Product Introduction
- Kernel Features
- Kernel Overview
- Kernel Version Release Notes
- Optimized Kernel Version
- Functionality Features
- Performance Features
- Columns Syntax
- Correlated Subquery Result Cache
- Global Index
- Binlog Write Optimization
- Large Transaction Binlog Optimization
- Binlog Purging Performance Optimization
- Optimization of Plan Caching Point Query
- Auto-Increment Column Persistence
- Invisible Index
- Computation Pushdown
- Parallel Initialization of InnoDB Buffer Pool
- Security Features
- Stability Feature
- Analysis Engine Features
- Purchase Guide
- Getting Started
- Database Audit
- Serverless Service
- Operation Guide
- Switching Cluster Page View in Console
- Database Connection
- Instance Management
- Configuration Adjustment
- Cluster Management
- Scaling Instance
- Database Proxy
- Database Proxy Overview
- Use Limits
- Database Proxy Kernel Features
- Managing Database Proxy
- Enabling Database Proxy
- Setting Database Proxy Address
- Modifying or Deleting Connection Addresses
- Viewing and Changing the Access Policy
- Rebalancing the Load
- Transaction Split Feature
- Access Mode
- Adjusting Database Proxy Configuration
- Switching Database Proxy Network
- Viewing Database Proxy Monitoring Data
- Disabling Database Proxy
- Automatic Read/Write Separation
- Connection Pool Feature
- Other Features
- Account Management
- Database Management
- Database Management Tool
- Columnar Storage Index (CSI)
- Read-Only Analysis Engine
- Parameter Configuration
- Multi-AZ Deployment
- Backup and Restoration
- Operation Log
- Data Migration
- Parallel Query
- Database Security and Encryption
- Monitoring and Alarms
- Basic SQL Operations
- Connecting to TDSQL-C for MySQL Through SCF
- Tag
- Practical Tutorial
- Classified Protection Practice for Database Audit of TDSQL-C for MySQL
- Upgrading Database Version from MySQL 5.7 to 8.0 Through DTS
- Usage Instructions for TDSQL-C MySQL
- New Version of Console
- Implementing Multiple RO Groups with Multiple Database Proxy Connection Addresses
- Strengths of Database Proxy
- Selecting Billing Mode for Storage Space
- Creating Remote Disaster Recovery by DTS
- Creating VPC for Cluster
- Data Rollback
- Solution to High CPU Utilization
- How to Authorize Sub-Users to View Monitoring Data
- White Paper
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Billing APIs
- Instance APIs
- CloseClusterPasswordComplexity
- CopyClusterPasswordComplexity
- DescribeClusterDetail
- DescribeClusterPasswordComplexity
- ModifyClusterPasswordComplexity
- OpenClusterPasswordComplexity
- UpgradeClusterVersion
- UpgradeInstance
- SetRenewFlag
- OfflineCluster
- ModifyMaintainPeriodConfig
- IsolateInstance
- IsolateCluster
- DescribeMaintainPeriod
- DescribeInstanceSpecs
- DescribeClusters
- CreateClusters
- AddInstances
- OfflineInstance
- DescribeInstanceDetail
- DescribeClusterInstanceGrps
- DescribeInstances
- ActivateInstance
- ModifyInstanceName
- ModifyClusterName
- SearchClusterTables
- SearchClusterDatabases
- RestartInstance
- Multi-AZ APIs
- Account APIs
- Audit APIs
- Database Proxy APIs
- Backup and Restoration APIs
- Parameter Management APIs
- Performance Analysis APIs
- Serverless APIs
- ResourcePackage APIs
- Other APIs
- CloseWan
- CreateClusterDatabase
- DeleteClusterDatabase
- DescribeClusterDetailDatabases
- ModifyClusterDatabase
- OpenWan
- SwitchClusterVpc
- OpenReadOnlyInstanceExclusiveAccess
- OpenClusterReadOnlyInstanceGroupAccess
- ModifyDBInstanceSecurityGroups
- DescribeProjectSecurityGroups
- DescribeDBSecurityGroups
- SwitchProxyVpc
- DescribeFlow
- DescribeZones
- ModifyVipVport
- Data Types
- Error Codes
- FAQs
- Service Agreement
- TDSQL-C Policy
- General References
- Glossary
- Contact Us
- Release Notes and Announcements
- Release Notes
- Announcements
- Announcement on Release of New Upgrade Mechanism for Kernel Minor Version
- Announcement on Optimization of Instance Storage Capacity, IOPS, and I/O Bandwidth
- Announcement on Some APIs with CAM Authentication Integrated
- Announcement on Sales Suspension of Some General Specifications
- Announcement on Some APIs Integrated with CAM Authentication
- Announcement on Some APIs with CAM Authentication Integrated
- Announcement on Change of Part of Parameters
- Announcement on Update of Database Audit Feature
- Announcement on Authentication of a Newly Added API Interface of Database Audit
- Announcement on Change of Public Network Linkage
- TDSQL-C for MySQL Audit Service Update
- Announcement on Supplementary Charge for Clusters with Pay-as-You-Go Storage Billing Mode
- Announcement on New APIs Integrated with CAM Permissions
- Announcement on the Release of New Version of Database Proxy
- Emergency Fix for Certain Monitoring Metrics
- Monitoring Metric Optimization
- Change to Database Audit Resource ID
- Ops Change
- Storage Price Adjustment Notification
- Beginner's Guide
- Product Introduction
- Kernel Features
- Kernel Overview
- Kernel Version Release Notes
- Optimized Kernel Version
- Functionality Features
- Performance Features
- Columns Syntax
- Correlated Subquery Result Cache
- Global Index
- Binlog Write Optimization
- Large Transaction Binlog Optimization
- Binlog Purging Performance Optimization
- Optimization of Plan Caching Point Query
- Auto-Increment Column Persistence
- Invisible Index
- Computation Pushdown
- Parallel Initialization of InnoDB Buffer Pool
- Security Features
- Stability Feature
- Analysis Engine Features
- Purchase Guide
- Getting Started
- Database Audit
- Serverless Service
- Operation Guide
- Switching Cluster Page View in Console
- Database Connection
- Instance Management
- Configuration Adjustment
- Cluster Management
- Scaling Instance
- Database Proxy
- Database Proxy Overview
- Use Limits
- Database Proxy Kernel Features
- Managing Database Proxy
- Enabling Database Proxy
- Setting Database Proxy Address
- Modifying or Deleting Connection Addresses
- Viewing and Changing the Access Policy
- Rebalancing the Load
- Transaction Split Feature
- Access Mode
- Adjusting Database Proxy Configuration
- Switching Database Proxy Network
- Viewing Database Proxy Monitoring Data
- Disabling Database Proxy
- Automatic Read/Write Separation
- Connection Pool Feature
- Other Features
- Account Management
- Database Management
- Database Management Tool
- Columnar Storage Index (CSI)
- Read-Only Analysis Engine
- Parameter Configuration
- Multi-AZ Deployment
- Backup and Restoration
- Operation Log
- Data Migration
- Parallel Query
- Database Security and Encryption
- Monitoring and Alarms
- Basic SQL Operations
- Connecting to TDSQL-C for MySQL Through SCF
- Tag
- Practical Tutorial
- Classified Protection Practice for Database Audit of TDSQL-C for MySQL
- Upgrading Database Version from MySQL 5.7 to 8.0 Through DTS
- Usage Instructions for TDSQL-C MySQL
- New Version of Console
- Implementing Multiple RO Groups with Multiple Database Proxy Connection Addresses
- Strengths of Database Proxy
- Selecting Billing Mode for Storage Space
- Creating Remote Disaster Recovery by DTS
- Creating VPC for Cluster
- Data Rollback
- Solution to High CPU Utilization
- How to Authorize Sub-Users to View Monitoring Data
- White Paper
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Billing APIs
- Instance APIs
- CloseClusterPasswordComplexity
- CopyClusterPasswordComplexity
- DescribeClusterDetail
- DescribeClusterPasswordComplexity
- ModifyClusterPasswordComplexity
- OpenClusterPasswordComplexity
- UpgradeClusterVersion
- UpgradeInstance
- SetRenewFlag
- OfflineCluster
- ModifyMaintainPeriodConfig
- IsolateInstance
- IsolateCluster
- DescribeMaintainPeriod
- DescribeInstanceSpecs
- DescribeClusters
- CreateClusters
- AddInstances
- OfflineInstance
- DescribeInstanceDetail
- DescribeClusterInstanceGrps
- DescribeInstances
- ActivateInstance
- ModifyInstanceName
- ModifyClusterName
- SearchClusterTables
- SearchClusterDatabases
- RestartInstance
- Multi-AZ APIs
- Account APIs
- Audit APIs
- Database Proxy APIs
- Backup and Restoration APIs
- Parameter Management APIs
- Performance Analysis APIs
- Serverless APIs
- ResourcePackage APIs
- Other APIs
- CloseWan
- CreateClusterDatabase
- DeleteClusterDatabase
- DescribeClusterDetailDatabases
- ModifyClusterDatabase
- OpenWan
- SwitchClusterVpc
- OpenReadOnlyInstanceExclusiveAccess
- OpenClusterReadOnlyInstanceGroupAccess
- ModifyDBInstanceSecurityGroups
- DescribeProjectSecurityGroups
- DescribeDBSecurityGroups
- SwitchProxyVpc
- DescribeFlow
- DescribeZones
- ModifyVipVport
- Data Types
- Error Codes
- FAQs
- Service Agreement
- TDSQL-C Policy
- General References
- Glossary
- Contact Us
This document describes the Transparent Data Encryption (TDE) feature of TDSQL-C for MySQL.
Feature Overview
The TDE feature makes data encryption and decryption operations transparent to the user.
Application Scenario
With the TDE feature, real-time I/O encryption and decryption are supported for data files. Data is encrypted before being written to the disk and decrypted when memory is read from the disk, which can meet compliance requirements for static data encryption.
Prerequisites
Instance version is MySQL 5.7 2.1.12 or later, or MySQL 8.0 3.1.15.005 or later.
The instance is running.
Precautions
To use the TDE feature, the Key Management Service (KMS) should be enabled. If not enabled, it can be enabled during the TDE enablement process as guided.
To use the TDE feature, KMS key permissions should be granted. If not granted, they can be granted during the TDE enablement process as guided.
To operate the account, you should have QcloudAccessForMySQLRole permissions. If you do not have the permissions, you can be granted with them during the TDE enablement process as guided.
Billing Instructions
The keys used for encryption are generated and managed by the Key Management Service (KMS) . The TDSQL-C for MySQL data encryption feature incurs no additional charges, but KMS may generate additional fees. For more details, please refer to the Billing Overview .
Use Limitations
Only symmetric encryption is supported.
If the grant of permissions is revoked after TDE is enabled to operate the account, instance re-enablement will cause the database to be unavailable.
TDE can only be enabled and cannot be disabled. Once TDE is enabled, the certificate key on the instance cannot be deleted.
After the KMS Custom Master Key is deleted, the user instance will become unavailable.
If the TDE feature is enabled and the account is in an overdue status, keys cannot be obtained from KMS, which may cause migration, upgrade, and other tasks to fail to proceed normally.
Operations
Enabling data encryption
1. Log in to the TDSQL-C for MySQL console and click cluster ID in the cluster list to enter the cluster management page.
2. Select the Data Security tab on the cluster management page.
3. Select Data Encryption and click the button before Not activated to enable the data encryption feature.
4. In the pop-up dialog box, select the key method and click OK.
Note:
If you have not enabled the KMS service or have not been granted with KMS key permissions before, you need to follow the prompts in the dialog box to click Enable after the KMS service and then click Proceed to authorize after the grant of KMS key permissions, so as to complete the corresponding enablement or authorization operations to unlock subsequent settings of the data encryption feature.
Selecting Keys
Use of the key auto-generated by Tencent Cloud: The system will automatically generate the key.
Use of an existing custom key: You can select a key that you have custom-created.
Region: If you use an existing custom key, you need to select the region where the existing key is located.
Key: If you use an existing custom key, you can select the existing key by its name. If there are no created keys, you can click Go to Create to create one in the KMS console, and then reselect.
5. When the cluster running status changes from "Running Asynchronous Task: Data Encryption" to "Running", data encryption is successfully enabled. To check task progress, you can go to the Task List to query.
Encrypting Data Tables
After the data encryption feature is enabled, users need to perform the following Data Definition Language (DDL) operations on the database tables to encrypt data.
If you want to encrypt the table during table creation, execute the following command:
CREATE TABLE t1 (c1 INT) ENCRYPTION='Y';
If you want to encrypt an existing table, execute the following command:
ALTER TABLE t1 ENCRYPTION='Y';
Decrypting Data Tables
After the data encryption feature is enabled, perform the following DDL operations if you need to decrypt an encrypted table.
ALTER TABLE t1 ENCRYPTION='N';
Yes
No
Was this page helpful?