All Products
Search

This Product

    Tablestore:Create an encrypted table

    Document Center

    Tablestore:Create an encrypted table

    Last Updated:Dec 06, 2024

    This topic uses parameters and sample code to describe how to use Tablestore SDK for Go to create an encrypted data table to store data in an encrypted manner. Tablestore supports two encryption methods: encryption based on the default service customer master key (CMK) of Key Management Service (KMS) and encryption based on Bring Your Own Key (BYOK).

    Prerequisites

    API operation and parameters

    For more information about the API operation and parameters, see Create a data table.

    Encryption based on the default service CMK of KMS

    The first time you create a data table that is encrypted based on the default service CMK of KMS, Tablestore automatically creates the default service CMK of KMS, uses the CMK to encrypt data, and automatically decrypts data when the data is read. To use this feature, you do not need to purchase a KMS instance.

    The following sample code provides an example on how to encrypt data based on the default service CMK of KMS when you create a data table. 

    func CreateTable(client *tablestore.TableStoreClient, tableName string) {
    createTableRequest := new(tablestore.CreateTableRequest)

    tableMeta := new(tablestore.TableMeta)
    // Specify the name of the data table. 
    tableMeta.TableName = tableName
    // Add a primary key column to the data table. In this example, a primary key column whose name is pk and type is String is added. 
    tableMeta.AddPrimaryKeyColumn("pk", tablestore.PrimaryKeyType_STRING)

    tableOption := new(tablestore.TableOption)
    // Specify the time to live (TTL) of data in the data table. A value of -1 specifies that data in the data table never expires. 
    tableOption.TimeToAlive = -1
    // Specify the maximum number of versions that can be retained for data in each attribute column of the data table. In this example, only the latest version of data can be retained for each attribute column. 
    tableOption.MaxVersion = 1

    // Specify the reserved read throughput and reserved write throughput. The reserved read throughput and reserved write throughput must be set to 0 for data tables in capacity instances and can be set to non-zero values for data tables in high-performance instances. 
    reservedThroughput := new(tablestore.ReservedThroughput)
    reservedThroughput.Readcap = 0
    reservedThroughput.Writecap = 0

    // Enable the server-side encryption feature and use the default service CMK of KMS. 
    sseSpec := new(tablestore.SSESpecification)
    sseSpec.SetEnable(true)
    sseSpec.SetKeyType(tablestore.SSE_KMS_SERVICE)

    createTableRequest.TableMeta = tableMeta
    createTableRequest.TableOption = tableOption
    createTableRequest.ReservedThroughput = reservedThroughput
    createTableRequest.SSESpecification = sseSpec
    _, err := client.CreateTable(createTableRequest)
    if err != nil {
        fmt.Println("Failed to create table with error:", err)
    } else {
	fmt.Println("Create table finished")
    }
}

    Encryption based on BYOK

    1. Activate KMS. For more information, see Purchase and enable a KMS instance.

    2. Create a software-protected key in the KMS console. For more information, see Getting started with keys.

    3. Create a RAM role and grant permissions to the RAM role.

      1. Create a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud account.

        Specify the name of the RAM role. In this example, the RAM role name AliyunOTSAccessingKMS is used.

      2. Create a custom policy that contains the KMS encryption and decryption permissions. For more information, see Create a custom policy on the JSON tab.

        Specify the name of the custom policy. In this example, the policy name otskmspolicytest is used. Sample policy:

        {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

      3. Attach the otskmspolicytest policy to the AliyunOTSAccessingKMS RAM role to grant the RAM role the permissions to use KMS to encrypt and decrypt data. For more information, see Grant permissions to a RAM role.

        After you complete the authorization, record the ARN of the role. ARN indicates the ID of the role to be assumed. The following figure shows the ARN.

        image

      4. Modify the trust policy of the RAM role. For more information, see Edit the trust policy of a RAM role.

        Sample trust policy:

        {
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ots.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}

    4. Create a data table and configure encryption based on BYOK for the data table. 

      func CreateTable(client *tablestore.TableStoreClient, tableName string) {
    createTableRequest := new(tablestore.CreateTableRequest)

    tableMeta := new(tablestore.TableMeta)
    // Specify the name of the data table. 
    tableMeta.TableName = tableName
    // Add a primary key column to the data table. In this example, a primary key column whose name is pk and type is String is added. 
    tableMeta.AddPrimaryKeyColumn("pk", tablestore.PrimaryKeyType_STRING)

    tableOption := new(tablestore.TableOption)
    // Specify the TTL of data in the data table. A value of -1 specifies that data in the data table never expires. 
    tableOption.TimeToAlive = -1
    // Specify the maximum number of versions that can be retained for data in each attribute column of the data table. In this example, only the latest version of data can be retained for each attribute column. 
    tableOption.MaxVersion = 1

    // Specify the reserved read throughput and reserved write throughput. The reserved read throughput and reserved write throughput must be set to 0 for data tables in capacity instances and can be set to non-zero values for data tables in high-performance instances. 
    reservedThroughput := new(tablestore.ReservedThroughput)
    reservedThroughput.Readcap = 0
    reservedThroughput.Writecap = 0

    // Enable the server-side encryption feature and use the CMK that you created in the KMS console for data encryption. 
    sseSpec := new(tablestore.SSESpecification)
    sseSpec.SetEnable(true)
    sseSpec.SetKeyType(tablestore.SSE_BYOK)
    // Set the keyId parameter to the ID of the software-protected key that you created in the KMS console in Step 2. 
    sseSpec.SetKeyId("key-hzz65****************")
    // Set the roleArn parameter to the ARN of the RAM role you recorded in Step 3. 
    sseSpec.SetRoleArn("acs:ram::****************:role/aliyunotsaccessingkms")

    createTableRequest.TableMeta = tableMeta
    createTableRequest.TableOption = tableOption
    createTableRequest.ReservedThroughput = reservedThroughput
    createTableRequest.SSESpecification = sseSpec
    _, err := client.CreateTable(createTableRequest)
    if err != nil {
        fmt.Println("Failed to create table with error:", err)
    } else {
	fmt.Println("Create table finished")
    }
}

    References

    • KMS is an end-to-end service platform for key management, data encryption, and secret management. KMS provides simple, reliable, secure, and standard-compliant capabilities to encrypt and protect data and manage secrets. For more information, see What is KMS?

    • After you create an encrypted table, you can call the DescribeTable operation to query the encryption configurations of the data table.