This topic describes how to enable Transparent Data Encryption (TDE). After you enable TDE for a table, it cannot be disabled automatically. For the manual procedure, see Disable TDE for a table.
Background information
Transparent Data Encryption (TDE) is an encryption technology that protects static data, that is, data at rest stored on disks, in a database.
OceanBase Cloud supports TDE with service keys generated and managed by OceanBase Cloud. It also supports using KMS keys from cloud vendors. For information about supported cloud vendors and how to use their keys, see Authorize cloud vendor accounts.
Concept introduction
Transparent Data Encryption (TDE) is an encryption solution at the database layer, focused on protecting static data (data at rest) stored on disks. Its main features are:
Automatic encryption and decryption: Data is encrypted automatically when it is written to storage and decrypted automatically when it is read. The process is transparent to the application, and no code changes are required.
Wide encryption scope: Static data such as tablespace files, transaction log files, and database backups is protected.
Key management: Works with a Key Management Service (KMS) to securely store and manage encryption keys.
High efficiency: TDE is "invisible" to users and applications and does not interfere with operations.
OceanBase Cloud provides strong TDE support, leveraging its cloud-native capabilities to efficiently encrypt sensitive data while maintaining high availability and high performance of data services.
Overview
Transparent Data Encryption (TDE) uses symmetric encryption algorithms, such as the Advanced Encryption Standard (AES), to encrypt data stored in databases. The encryption and decryption processes are typically handled automatically by the database management system (DBMS), making them transparent to applications and users. Here are the core principles and process of TDE:
Master key
The master key is the top-level key used to protect (encrypt) other keys.
The master key is usually stored in a dedicated secure storage area, such as the operating system's encryption module, Hardware Security Module (HSM), or Key Management Service (KMS).
The master key itself is protected by strong encryption measures.
Database encryption key (DEK)
A database uses a specific encryption key (DEK) to encrypt the target data.
The DEK is encrypted using the master key to ensure it can be securely stored or transmitted when needed.
Data encryption
TDE uses the database encryption key (DEK) to encrypt data stored in the database.
The encryption is typically applied to entire database files (such as table data files) or specific pages of a table.
Data decryption
When accessing data, the database server automatically decrypts the content of the data file.
The stored database encryption key (DEK) is used for decryption without user intervention.
Write encrypted data
When data is written to disk, TDE encrypts the data blocks and stores them in an encrypted format.
Even if the disk or database file is stolen, attackers cannot directly access the encrypted data.
Data in memory is still in plaintext
When data is read from the disk into memory, it is automatically decrypted and loaded as plaintext.
This means that TDE primarily protects static data (data at rest), not data in memory or data in transit.
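The key hierarchy described above, as an added Go illustration that is not OceanBase code: a master key (a stand-in for the KMS or service key) wraps a randomly generated DEK, the DEK encrypts each data block on its way to disk, and reading a block turns it back into plaintext in memory. AES-256-GCM, the master key value, the sample block, and all function names are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcm returns AES-GCM for a 16-, 24- or 32-byte key (AES-128/192/256); a wrong key length is a programming error, so it panics.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail: AES always has a 16-byte block
	return g
}

// seal encrypts plaintext under key with a fresh random nonce prepended to the output.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error as of Go 1.24
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or a tampered block fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	n := g.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed block too short")
	}
	return g.Open(nil, sealed[:n], sealed[n:], nil)
}

// NewDEK makes a random AES-256 DEK (assumed size). The DBMS keeps dek only in
// memory and persists wrapped (dek sealed under the master key) beside the data files.
func NewDEK(masterKey []byte) (dek, wrapped []byte) {
	dek = make([]byte, 32)
	rand.Read(dek)
	return dek, seal(masterKey, dek)
}

// UnwrapDEK runs at start-up; without the master key the wrapped DEK and the encrypted
// files are useless to a disk thief. WriteBlock/ReadBlock are the on-disk and in-memory forms.
func UnwrapDEK(masterKey, wrapped []byte) ([]byte, error) { return open(masterKey, wrapped) }
func WriteBlock(dek, plain []byte) []byte                { return seal(dek, plain) }
func ReadBlock(dek, onDisk []byte) ([]byte, error)       { return open(dek, onDisk) }
```

A wrong master key, a bit flip in a stored block, or a truncated block all fail authentication instead of yielding garbage, which is the property a stolen data file must have.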
Limitations
Limitations on service keys
Once TDE is enabled, it cannot be disabled.
In an Oracle-compatible tenant, supported key types include AES-256, AES-128, AES-192, and SM4-CBC. For a MySQL tenant, the supported key type is only AES-256. Once a key is set, it cannot be modified or converted to another type.
After TDE is enabled, the performance of update scenarios is not affected, but there is a slight performance loss in other scenarios.
Procedure
After enabling TDE, you can create an encrypted tablespace on the current page and then run DDL statements to create encrypted tables in it, which encrypts their data. For example, the DDL statement for creating an encrypted table is CREATE TABLE t1 (id1 int, id2 int) TABLESPACE sectest_ts1;. If historical data tables are added to the encrypted tablespace, perform a full compaction after adding them to ensure that their data is persisted in encrypted form.
Enable TDE
Log in to the OceanBase Cloud console.
In the left-side navigation pane, click Instances, then click your target instance to navigate to the Overview page of the instance.
In the left-side navigation pane, click Security.
On the Security page, click the Transparent Data Encryption (TDE) tab. On this tab, you can enable TDE following these steps:
Click Enable Encryption in the Action column. After TDE is enabled, you cannot disable it. This feature affects performance. Proceed with caution.
In the dialog box that appears, select one of the two key options:
Use OceanBase Cloud-Managed Key
Use Cloud Vendor-Managed Key. If you select this:
For instances on Huawei Cloud, AWS, or Alibaba Cloud (official channel), you must first bind your cloud vendor account. For detailed steps, see Authorize cloud vendor accounts.
For instances purchased via Alibaba Cloud Marketplace, you can bind your Alibaba Cloud account through redirection and then use the corresponding key.
Click Enable to complete the TDE encryption setup.
Create an encrypted tablespace
Click Create Tablespace in the Action column.
In the Create Tablespace dialog box, specify Encrypted Tablespace Name and Encryption Algorithm.
Click OK to create the tablespace.
After you create an encrypted tablespace, you can run DDL statements through Data Development or other CLI tools to create tables and assign them to the encrypted tablespace. Example:
Oracle-compatible tenant
create table table_name (column1 int, column2 int) tablespace tablespace_name;
MySQL-compatible tenant
create table table_name (column1 int, column2 int) tablespace tablespace_name;
Click the "+" sign next to a tenant to view all information about its encrypted tablespaces, including the tablespace name, encryption algorithm, and creation time.
Click the name of an encrypted tablespace to view the status and encryption progress of the table. The encryption progress indicates the percentage of data blocks in the current data table that have been encrypted.
Perform a full major compaction on historical data tables
The following example shows how to perform a full major compaction on a historical data table named t1.
Set the progressive_merge_num parameter to 1.
obclient> ALTER TABLE t1 set progressive_merge_num = 1;
Manually trigger a major compaction on the Overview page of the instance. For more information, see Initiate major compactions.
After the major compaction is completed, set the progressive_merge_num parameter back to 0.
obclient> ALTER TABLE t1 set progressive_merge_num = 0;