Lindorm supports the transparent data encryption (TDE) feature. After the TDE feature is enabled, Lindorm encrypts data based on a key hierarchy. The data in the file system of Lindorm is stored as ciphertext. To improve data security, you can enable the TDE feature to encrypt data in your instance by using the Lindorm console. This topic describes how to enable the TDE feature.
Prerequisites
- The Deployment Method parameter is set to Single-zone when you create the instance. For more information, see Create an instance.
- Key Management Service (KMS) is enabled. For more information, see Purchase a dedicated KMS instance.
- Lindorm is authorized to access KMS. You must grant Lindorm the permissions that are required to access KMS by using a service-linked role. For more information, see Service-linked roles of Lindorm.
Background information
The TDE feature of Lindorm supports Advanced Encryption Standard (AES) and SMS4. KMS generates and manages the keys that the TDE feature uses. KMS uses a customer master key (CMK) to encrypt a data key, and the data key is then used to encrypt data. This process is known as envelope encryption. To decrypt data that was encrypted this way, obtain the ciphertext of the data key, use your CMK to decrypt it into the plaintext data key, and then use the plaintext data key to decrypt the data. Because every data key in the hierarchy can be recovered only through the CMK, whoever can invoke the CMK (for example, through the KMS Decrypt operation) can in effect read all data encrypted under it, and disabling or deleting the CMK makes that data unrecoverable; control access to the CMK accordingly. You can call an API operation to create a KMS CMK. If you provide the password of your CMK, you can encrypt the CMK to ensure the security of your CMK.
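The following is an added example of the envelope-encryption scheme described above; it is not Lindorm or KMS code. It uses AES-256-GCM for both layers and, as an assumption for the sake of an offline demonstration, holds the CMK as an in-process byte slice; in the real service the CMK never leaves KMS and the wrap and unwrap steps are remote API calls, while the storage layer only ever sees the wrapped data key. The sample row data is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the storage layer persists: the data key is kept only in
// CMK-wrapped form next to the ciphertext it protects.
type Envelope struct {
	WrappedDataKey []byte // data key encrypted under the CMK
	Ciphertext     []byte // data encrypted under the data key, nonce prepended
}

// seal encrypts plaintext under key with AES-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or the data was tampered with.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Encrypt performs envelope encryption: a fresh 256-bit data key is generated,
// wrapped under cmk (the KMS step), and used to encrypt the data (the local step).
func Encrypt(cmk, plaintext []byte) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(cmk, dataKey)
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dataKey, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with cmk first; without the CMK this step fails
// and the data stays sealed, which is the point of the hierarchy.
func Decrypt(cmk []byte, env Envelope) ([]byte, error) {
	dataKey, err := open(cmk, env.WrappedDataKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, env.Ciphertext)
}

func main() {
	// Assumed stand-in for the KMS CMK (a real CMK stays inside KMS).
	cmk := make([]byte, 32)
	if _, err := rand.Read(cmk); err != nil {
		panic(err)
	}
	row := []byte("p1=a,p2=b,p3=1,c1=secret,c2=2.5") // constructed sample row
	env, err := Encrypt(cmk, row)
	if err != nil {
		panic(err)
	}
	fmt.Println("ciphertext leaks plaintext:", bytes.Contains(env.Ciphertext, row))
	back, err := Decrypt(cmk, env)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, row))
	_, err = Decrypt(make([]byte, 32), env) // wrong CMK: unwrap fails
	fmt.Println("wrong CMK rejected:", err != nil)
}
```

Each call to Encrypt produces its own data key, so compromising one data key exposes one object, not the whole store, and rotating the CMK only requires re-wrapping the small data keys rather than re-encrypting the data.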
Precautions
- When you enable the TDE feature, your instance is restarted and a transient disconnection occurs. We recommend that you enable the TDE feature during off-peak hours and make sure that your application can reconnect to the instance after a transient disconnection occurs.
- The restart and transient disconnection of the instance do not result in data loss in your instance.
- The TDE feature cannot be disabled after the feature is enabled.
Procedure
- Log on to the Lindorm console.
- Click the ID of the instance that you want to manage. Then, the Instances page appears.
- In the left-side navigation pane, choose the Transparent Data Encryption (TDE) entry. Then, the Transparent Data Encryption (TDE) tab appears.
- Turn on Current Status.
- In the Enable TDE dialog box, select Use Automatically Generated Key or Use Custom Key.
- If you select Use Automatically Generated Key, click OK. Then, the TDE feature is enabled.
- If you select Use Custom Key, select a key that is generated by using KMS from the Set Key drop-down list and click OK. Then, the TDE feature is enabled. Note If you want to use a custom key, click Manage Key. In the KMS console, create a key and import your key material. For more information, see Create a CMK.
What to do next
- If you want to create a table and encrypt data in the table, add WITH (FILEVERSION = 5, ENCRYPTION = AES) to your CREATE TABLE statement. Example:
  CREATE TABLE testsql (p1 varchar, p2 varchar, p3 bigint, c1 varchar, c2 double, constraint primary key (p1, p2, p3 desc)) WITH (FILEVERSION = 5, ENCRYPTION = AES);
- If you want to encrypt data in an existing table, use ALTER TABLE in combination with WITH (FILEVERSION = 5, ENCRYPTION = SMS4). Example:
  ALTER TABLE testsql WITH (FILEVERSION = 5, ENCRYPTION = SMS4);
- FILEVERSION specifies the file version. You can use the TDE feature only if you set FILEVERSION to 5.
- ENCRYPTION specifies the encryption algorithm. Valid values: AES and SMS4. You can set ENCRYPTION to NONE to decrypt data.
- You can change your encryption algorithm, for example from AES to SMS4, but we recommend that you do not. If you still want to change the encryption algorithm from AES to SMS4, perform the following steps:
  - Set ENCRYPTION to NONE to decrypt data in your table. While ENCRYPTION is NONE, the table's files are written as plaintext, so keep this window as short as possible.
  - Run the major_compact command on the table and wait until the task is complete. The compaction rewrites the table's existing files under the current ENCRYPTION setting; changing the setting alone does not rewrite files that were already on disk.
  - Set ENCRYPTION to SMS4.