Enable transparent data encryption

This topic describes how to enable transparent data encryption (TDE). After TDE is enabled, it cannot be disabled. Proceed with caution.

Background information

ApsaraDB for OceanBase supports transparent data encryption (TDE) to encrypt data at rest and remote procedure calls (RPCs).

  • Data-at-rest encryption, also known as disk encryption.

  • RPC encryption, which is primarily used for communication between OBServers.

Note

TDE is supported in OceanBase Database V3.2.3, V3.2.4, and V4.2.1.

TDE supports two types of keys: service keys and custom keys.

Service keys

OceanBase Database generates and manages keys.

Custom keys

Custom keys are created using Alibaba Cloud Key Management Service (KMS). If you have purchased Alibaba Cloud KMS, you can go to the KMS console to create a custom key. For more information, see Create a key.

Limits

  • Limits on service keys

    • After TDE is enabled, it cannot be disabled.

    • Oracle tenants support the AES-256, AES-128, AES-192, and SM4-CBC encryption algorithms. MySQL tenants support the AES-256 encryption algorithm. After an encryption algorithm is set, it cannot be modified or converted.

  • Limits on custom keys

    • After TDE is enabled, it cannot be disabled.

    • Oracle tenants support the AES-256, AES-128, AES-192, and SM4-CBC encryption algorithms. MySQL tenants support the AES-256 encryption algorithm. After an encryption algorithm is set, it cannot be modified or converted.

    • Custom keys are supported in OceanBase Database V2.2.77 and later.

    • The Alibaba Cloud service triggers the creation of the AliyunServiceRoleForOceanBase service role. This role is not created again if it already exists. This role lets you encrypt data for OceanBase services. Make sure that you use an Alibaba Cloud account or an account that has the AliyunSTSAssumeRoleAccess permission.

    • Do not disable, schedule the deletion of, or delete keys in the KMS console. These operations prevent TDE from being enabled.

    • After you create a key in the KMS console, you must add the tag oceanbase:encryption with the value true to the key.

    • For KMS, only the HSM version is available.

  • After TDE is enabled, performance is not affected in update scenarios but is slightly degraded in other scenarios. For more information, see TDE Test Report.

Enable TDE

  1. In the navigation pane on the left, click Instance List. Select the target cluster instance and go to the Cluster Instance Workspace page.

  2. In the navigation pane on the left, click Security Settings.

  3. On the TDE Transparent Encryption tab, you can view the TDE settings.

    1. In the Actions column, click Enable Encryption to enable TDE.

      Note

      After TDE is enabled, it cannot be disabled. TDE also affects performance. Proceed with caution.

    2. In the dialog box, click OK to set the key type.

      You can use a service key or a custom key:

      • Service Key: A key that is generated and managed by ApsaraDB for OceanBase.

        Note

        The supported encryption algorithms are Aliyun_AES_256 and Aliyun_SM4. After an encryption algorithm is set, it cannot be modified or converted.

      • Custom Key: A key that you create using Alibaba Cloud KMS. If you have purchased Alibaba Cloud KMS, you can go to the KMS console to create a custom key. For more information, see Create a key.

        Note

        1. The supported encryption algorithms are Aliyun_AES_256 and Aliyun_SM4. After an encryption algorithm is set, it cannot be modified or converted.

        2. The Alibaba Cloud service triggers the creation of the AliyunServiceRoleForOceanBase service role. This role is not created again if it already exists. This role lets you encrypt data for OceanBase services.

    3. Select a key type and click OK to enable the TDE feature.

Create an encrypted tablespace

  1. In the Actions column, click Create Tablespace.

  2. In the Create Tablespace dialog box, enter the Encrypted Tablespace Name and select the Encryption Algorithm.

  3. Click OK to create the tablespace.

  4. After you create the encrypted tablespace, you can also use the data development feature or other command-line interfaces to run Data Definition Language (DDL) statements. These statements create a table and assign it to the encrypted tablespace. The following examples show how to perform this operation:

    • Oracle tenant

      create table table_name (column1 int, column2 int) tablespace tablespace_name;

    • MySQL tenant

      create table table_name (column1 int, column2 int) tablespace tablespace_name;

    Note

    1. After you enable TDE, you must create an encrypted tablespace on the current page and then run a DDL statement to create an encrypted table. This is required to encrypt data. The following is an example DDL statement that creates an encrypted table: CREATE TABLE t1 (id int,id2 int) TABLESPACE sectest_ts1;

    2. If you add a historical data table to the encrypted tablespace, you must perform a full merge to ensure data persistence.

  5. Click the plus sign (+) next to a tenant to view all encrypted tablespace information for that tenant. This information includes the encrypted tablespace name, encryption algorithm, and creation time.

  6. Click an encrypted tablespace name to view information about the encrypted table, such as its status and encryption progress. The encryption progress indicates the percentage of data blocks that have been encrypted in the current data table.

Perform a full merge on historical data tables

To perform a full merge on a historical data table, follow these steps. The example uses an existing table named t1.

  1. Set the progressive_merge_num parameter to 1.

    obclient> ALTER TABLE t1 set progressive_merge_num = 1;

  2. On the Cluster Instance Workspace page, manually trigger a data merge. For more information, see Data Merge.

  3. After the data merge is complete, set the progressive_merge_num parameter back to 0.

    obclient> ALTER TABLE t1 set progressive_merge_num = 0;
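The following script is an added example and is not part of the original page or of the ApsaraDB for OceanBase product documentation. It strings together the two SQL-side parts of this page, creating a table inside the encrypted tablespace (the DDL under "Create an encrypted tablespace") and the full-merge sequence for historical data (the steps above), and adds a progress check so that an operator can confirm the rewrite finished before resetting progressive_merge_num. The table name t1 and the tablespace name sectest_ts1 are taken from the page. The ALTER SYSTEM MAJOR FREEZE statement (the SQL counterpart of the console's Data Merge action, run from the sys tenant) and the oceanbase.V$OB_ENCRYPTED_TABLES view with its blocks and encrypted_blocks columns are assumptions for a MySQL tenant; check the SQL reference for your OceanBase version before relying on them.

```sql
-- Added example, not the page's own code. Assumes TDE is already enabled
-- and the encrypted tablespace sectest_ts1 was created in the console.
-- ALTER SYSTEM MAJOR FREEZE and the V$OB_ENCRYPTED_TABLES view are assumed
-- to exist in your OceanBase version (MySQL-tenant spelling shown).

-- 1. Create the table inside the encrypted tablespace. The syntax is the same
--    for Oracle and MySQL tenants. Data written from now on is encrypted.
CREATE TABLE t1 (id INT, id2 INT) TABLESPACE sectest_ts1;

-- 2. Historical data: rows that were already persisted before the table
--    became encrypted stay in their old (unencrypted) macro blocks until a
--    merge rewrites them. progressive_merge_num = 1 makes the next major
--    merge rewrite every block in one round instead of spreading the rewrite
--    over several merges.
ALTER TABLE t1 SET progressive_merge_num = 1;

-- 3. Trigger the major merge. The page does this from the Cluster Instance
--    Workspace (Data Merge); the statement below is the assumed SQL equivalent
--    and must be run from the sys tenant.
ALTER SYSTEM MAJOR FREEZE;

-- 4. Verify before resetting: encrypted_blocks should equal blocks once the
--    merge has rewritten all of t1's data (view and column names assumed).
SELECT table_name, encryptionalg, blocks, encrypted_blocks, status
  FROM oceanbase.V$OB_ENCRYPTED_TABLES
 WHERE table_name = 'T1';

-- 5. Only after encrypted_blocks = blocks: restore the default so later merges
--    are progressive again (a full rewrite on every merge costs I/O).
ALTER TABLE t1 SET progressive_merge_num = 0;
```

Run steps 1, 2 and 5 as the tenant that owns t1 and step 3 as the sys tenant. The check in step 4 is the point of the script: resetting progressive_merge_num before the merge has finished leaves unencrypted blocks on disk, which the console's encryption progress percentage would also reveal.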