Enabling Transparent Data Encryption

Last updated: 2024-12-24 16:15:10

    Overview

    TencentDB for MySQL comes with the transparent data encryption (TDE) feature. "Transparent" means that encryption and decryption happen without any change visible to users or applications. TDE performs real-time I/O encryption and decryption of data files: data is encrypted before it is written to disk and decrypted when it is read from disk into memory, which meets compliance requirements for encrypting data at rest.

    Key Management Instructions

    TencentDB for MySQL does not provide the keys and certificates required for encryption. The keys used for transparent data encryption are generated and managed by the KMS. The relevant explanations regarding the keys are as follows.
    The TDE feature incurs no additional charges; however, the Key Management System will generate extra costs. Please refer to the Billing Overview for more details.
    The Key Management System (Postpaid Version) will cease operations on December 30, 2024. From this date forward, the Key Management System will no longer support the pay-as-you-go billing model, exclusively supporting a prepaid billing approach.
    For existing users of the Key Management System (Postpaid Version), an account in arrears will be unable to get keys from KMS, potentially hindering tasks such as migration and upgrades from proceeding as planned.
    For users who have newly purchased the Key Management System (Prepaid Edition), when their account is in arrears, the Key Management System, having been prepaid for a certain period, will not affect the retrieval of KMS keys, nor will it impact tasks such as migration and upgrading during this period. Please be mindful of the renewal time for your KMS keys. Failure to renew them upon expiration will also affect the use of Transparent Data Encryption features. To manage your KMS keys, please visit the Key Management System Console.
    The regions supported by the TencentDB for MySQL instances and the Key Management System differ. When creating a key, if there is no corresponding region in China available on the Key Management System, you may opt to create it in the Guangzhou region. Conversely, if there is no corresponding overseas region available, you may choose to create it in the Hong Kong region.
    After TDE is enabled, if an account (UIN) has not previously created any encrypted tables, the corresponding key information may not be displayed in the key list. Conversely, if an account (UIN) has created encrypted tables, the corresponding key information will be visible. For instructions on creating encrypted tables, please refer to the Frequently Asked Questions.

    Prerequisites

    The instance architecture must be either General or Dedicated two-node/three-node.
    The database version must be MySQL 5.7 or 8.0.
    You have activated Key Management Service (KMS). If not, you can enable it as instructed during the TDE activation process.
    You have granted KMS key permissions. If not, you can grant permissions as instructed during the TDE activation process.
    Your account needs the QcloudAccessForMySQLRole permission. To do so, you can follow the instructions provided during the TDE activation process.

    Use Limits

    Once the KMS key authorization is revoked, the MySQL database becomes inaccessible the next time it restarts.
    TDE can’t be disabled once enabled.
    Once TDE is enabled, you need to decrypt data before you can restore it to a local database.
    TDE improves the security of data at rest at the cost of some read/write performance on encrypted databases, so enable it based on your actual needs.
    If the source instance is associated with a read-only or disaster recovery instance, you only need to enable TDE for the source instance, which will then be automatically enabled for its associated instances.
    When utilizing the TDE feature, please ensure that the KMS key is in a normal operational state. Failure to do so may result in an inability to get keys from KMS, potentially hindering tasks such as migration and upgrades from proceeding as expected.
    After TDE is enabled, more CPU resources will be consumed, and about 5% of the performance will be compromised.
    After TDE is enabled, authenticated applications and users can access the data transparently.
    After TDE is enabled, the efficiency of backup compression may decrease.

    Directions

    Enabling TDE

    1. Log in to the TencentDB for MySQL console. In the instance list, click an instance ID or Manage in the Operation column to enter the instance management page.
    2. On the Data Security tab, toggle on Encryption Status.
    Note:
    An instance with TDE enabled cannot be restored from a physical backup to a self-created database on another server.
    TDE can't be disabled once enabled.
    3. In the pop-up dialog box, activate the KMS, grant the KMS key permissions, select a key, and click Encrypt.
    If you select Use key auto-generated by Tencent Cloud, the key will be auto-generated by Tencent Cloud.
    If you select Use existing custom key, you can select a key created by yourself.
    Note:
    If there are no custom keys, click go to create to create keys in the KMS console. For more information, see Creating a Key.

    Encrypting a table

    Once you enable TDE, you can encrypt a table of a MySQL instance by running the example DDL statements on the table.
    To encrypt a table upon creation, run the following statement:
    CREATE TABLE t1 (c1 INT) ENCRYPTION='Y';
    To encrypt an existing table, run the following statement:
    ALTER TABLE t1 ENCRYPTION='Y';

    Decrypting a table

    Once you enable TDE, you can decrypt a table of a MySQL instance by running the example DDL statement on the table. To decrypt an encrypted table, run the following statement:
    ALTER TABLE t1 ENCRYPTION='N';
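    Enabling TDE on the instance does not by itself encrypt existing tables; each table must carry ENCRYPTION='Y' as shown in the two sections above. The following audit query is an added example, not part of the Tencent Cloud documentation, that lists which InnoDB tables in a schema are actually encrypted and generates the ALTER statements for those still stored in plaintext. The schema name `app_db` is a placeholder for your own database.

```sql
-- Added example: audit table-level TDE state after TDE is enabled on the instance.
-- INFORMATION_SCHEMA.TABLES.CREATE_OPTIONS contains ENCRYPTION="Y" on MySQL 5.7
-- and ENCRYPTION='Y' on MySQL 8.0; the `_` wildcard matches either quote style.
SELECT TABLE_SCHEMA,
       TABLE_NAME,
       CASE WHEN CREATE_OPTIONS LIKE '%ENCRYPTION=_Y_%'
            THEN 'encrypted'
            ELSE 'plaintext'
       END AS tde_state
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'app_db'      -- placeholder schema name
  AND ENGINE = 'InnoDB'
ORDER BY tde_state, TABLE_NAME;

-- Generate (but do not execute) the DDL for every table that is still plaintext,
-- so the statements can be reviewed first: ALTER ... ENCRYPTION='Y' rebuilds
-- the table, which takes time and I/O on large tables.
SELECT CONCAT('ALTER TABLE `', TABLE_SCHEMA, '`.`', TABLE_NAME,
              '` ENCRYPTION=''Y'';') AS encrypt_ddl
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'app_db'      -- placeholder schema name
  AND ENGINE = 'InnoDB'
  AND (CREATE_OPTIONS IS NULL
       OR CREATE_OPTIONS NOT LIKE '%ENCRYPTION=_Y_%');
```

    Run the first query again after applying the generated DDL; a table that still reports plaintext was not rebuilt with encryption.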

    Frequently Asked Questions

    Why does the key list lack key information after enabling TDE?

    [Figure: key list with no key information after enabling TDE]
    [Figure: normal key list after enabling TDE encryption]
    Recommended Actions
    1. First, confirm that the KMS key is in a normal state and that the account is not in arrears, including any overdue payments for the TencentDB for MySQL instance or the Key Management System. Try again only after all of these conditions are met.
    2. If this is your first use of TDE and no encrypted table has yet been created under the account (UIN), the key list will show no key information. Create an encrypted table in the instance with a statement like the one below, then check the key list again.
    CREATE TABLE `user_test` (
    `id` bigint(20) NOT NULL AUTO_INCREMENT,
    `userId` int(11) NOT NULL,
    `age` int(11) NOT NULL,
    `name` varchar(64) DEFAULT NULL,
    `ins_date` varchar(10) DEFAULT NULL,
    PRIMARY KEY (`id`),
    KEY `idx_ins_date` (`ins_date`),
    KEY `idx_userId` (`userId`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 ENCRYPTION='Y';

    Why is the key unusable after enabling TDE?

    Verify that the KMS key is in a normal state and that your account is not in arrears. Also confirm that neither the TencentDB for MySQL instance nor the Key Management System has expired without payment. Because the Key Management System (postpaid version) can no longer be created and new purchases are limited to the prepaid version, users still on the postpaid version will find their keys unusable whenever the KMS key state is abnormal or the account is in arrears. In that case, top up the account and try again.