Transparent data encryption service (TDE)
Interpretations of terms
Transparent Data Encryption (TDE): Performs real-time I/O encryption and decryption of the data files. Data is encrypted before it is written to disk and decrypted when it is read from disk into memory. TDE does not increase the size of the data files, and developers can use the TDE feature without modifying any applications.
Key Management Service (KMS): A key management service provided by Baidu AI Cloud, through which you can manage keys on the cloud conveniently, securely and reliably. Freed from complex key device management and security mechanisms, users can focus on the encryption and decryption scenarios of the upper service layer.
Applicable scenarios
Advantages of using TDE:
- No need to modify applications.
- Data is encrypted before being written to disk. If the data on the disk is stolen, it cannot be read without the key.
Enabling conditions
- Instance type and version: Dual High-availability master instances (MySQL 5.7) and read-only instances (MySQL 5.7) are supported.
- Prerequisites: KMS must be enabled in the current region of the master instance before TDE can be used.
- Corporate organization: Available to both the main account and sub-accounts.
- Binding relationship: TDE is enabled for a read-only instance only after it has been enabled for its master instance.
Notices
- Regional limits: KMS must be enabled in the same region as the master instance. Only three regions are supported for now: North China-Beijing, East China-Suzhou and South China-Guangzhou.
- After being enabled: The instance cannot be cloned, a hot active instance cannot be created or added, and TDE cannot be disabled. Enabling TDE also causes a sharp increase in CPU usage. For these reasons, you are advised to assess carefully before enabling it.
- Key ID: The key created when KMS was enabled must not be disabled or deleted after TDE is enabled.
- Fees: TDE is free of charge; KMS is charged for use. See the KMS Fees Instructions.
Operation guide
Enable the KMS
If KMS is already enabled, skip this step and go to the next one.
If KMS is not enabled, perform the operations below:
Step 1: Enable KMS
Step 2: Create a key
See the document Create Key for details.
Notes: See the link below for other operations on KMS keys.
Enable the TDE
On the "Instance List" page, select a MySQL 5.7 Dual-computer Version instance and click its name to enter the instance details page. Click "Security" to enter the "Security Management" page, then click TDE to enable the service.
Before enabling, the system checks whether KMS has been enabled for your account. Once KMS is enabled, you can enable TDE, as detailed below:
Step 1: Enter the "Enable TDE" page
Step 2: Click the "Go to Enable" button, select a key ID, and click the "OK" button.
Step 3: After clicking "OK", the message "TDE is being enabled for current instance" is displayed.
