Purpose
You can use this statement to create a tablespace logical object. The tablespace attributes can be encrypted.
Syntax
CREATE TABLESPACE tablespace_name [ENCRYPTION [=] 'tablespace_encryption_option'];
tablespace_encryption_option:
N
| Y
| AES-256
| AES-256-GCM
| AES-128
| AES-128-GCM
| AES-192
| AES-192-GCM
| SM4-CBC
| SM4-GCM
Parameters
| Parameter | Description |
|---|---|
| tablespace_name | The name of the tablespace to be created. |
| ENCRYPTION | Optional. The keyword used for specifying the encryption algorithm employed by the tablespace. If the encryption algorithm is not specified through the ENCRYPTION keyword, a non-encrypted tablespace is created by default. For a detailed introduction to the encryption algorithms, see tablespace_encryption_option. |
tablespace_encryption_option
- N: No encryption.
- Y: If Y is specified, AES-256 is used by default.
- AES-256: Uses a 256-bit key for encryption and decryption.
- AES-256-GCM: Uses Galois/Counter Mode (GCM) with a 256-bit key.
- AES-128: Uses a 128-bit key for encryption and decryption.
- AES-128-GCM: Uses GCM with a 128-bit key.
- AES-192: Uses a 192-bit key for encryption and decryption.
- AES-192-GCM: Uses GCM with a 192-bit key.
- SM4-CBC: Uses the SM4 algorithm in Cipher Block Chaining (CBC) mode, where each block of data is XORed with the output of the previous block's encryption before it is encrypted.
- SM4-GCM: Uses the SM4 algorithm in GCM mode, which provides both encryption and authentication.
Note
- Advanced Encryption Standard (AES) is a symmetric encryption algorithm, meaning the same key is used for both data encryption and decryption. The AES algorithm is block-based, typically encrypting data in 128-bit blocks.
- AES-GCM is AES used in GCM, a mode of operation for block encryption algorithms such as AES that provides both encryption and data authentication (also known as message authentication code).
- The block size of the SM4 algorithm is 128 bits, and the key length is also 128 bits.
Examples
Create an unencrypted tablespace object.
CREATE TABLESPACE tablespace001;
Create a tablespace object with transparent data encryption (TDE).
Set the encryption method to built-in transparent encryption.
ALTER SYSTEM SET tde_method = 'internal';
Display the current configuration of the encryption method.
SHOW PARAMETERS LIKE 'tde_method';
Generate a new master encryption key.
ALTER INSTANCE ROTATE INNODB MASTER KEY;
Notice
Although this command can be executed, if the disk space is full, a new master encryption key will not be generated.
Create an encrypted tablespace named tablespace002 using the SM4-GCM encryption algorithm.
CREATE TABLESPACE tablespace002 ENCRYPTION = 'SM4-GCM';
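An added example, not part of the original page: a small Python check that parses CREATE TABLESPACE statements against the syntax above, resolves the effective option (no ENCRYPTION clause means N, Y means AES-256), and reports which tablespaces are unencrypted or use an option the notes do not describe as authenticated. The function name, the finding labels, the sample DDL and the case-insensitive matching of option values are assumptions made for this example.

```python
import re

# Option names copied from the page's tablespace_encryption_option list.
OPTIONS = {"N", "Y", "AES-256", "AES-256-GCM", "AES-128", "AES-128-GCM",
           "AES-192", "AES-192-GCM", "SM4-CBC", "SM4-GCM"}

# CREATE TABLESPACE tablespace_name [ENCRYPTION [=] 'option'];
STMT = re.compile(
    r"CREATE\s+TABLESPACE\s+(?P<name>\w+)"
    r"(?:\s+ENCRYPTION\s*=?\s*'(?P<opt>[^']*)')?\s*;",
    re.IGNORECASE,
)


def audit_tablespaces(ddl):
    """Return (name, effective_option, finding) for each CREATE TABLESPACE."""
    results = []
    for m in STMT.finditer(ddl):
        raw = m.group("opt")
        # No ENCRYPTION clause: the page says the tablespace is unencrypted.
        # Assumption: option values are matched case-insensitively.
        opt = "N" if raw is None else raw.upper()
        if opt == "Y":
            opt = "AES-256"  # page: Y uses AES-256 by default
        if opt not in OPTIONS:
            finding = "invalid-option"
        elif opt == "N":
            finding = "unencrypted"
        elif opt.endswith("-GCM"):
            finding = "encrypted+authenticated"
        else:
            # The page documents authentication only for the GCM options.
            finding = "encrypted-only"
        results.append((m.group("name"), opt, finding))
    return results


# Constructed sample: the page's two examples plus three hypothetical ones.
SAMPLE_DDL = """
CREATE TABLESPACE tablespace001;
CREATE TABLESPACE tablespace002 ENCRYPTION = 'SM4-GCM';
CREATE TABLESPACE ts_y ENCRYPTION 'Y';
CREATE TABLESPACE ts_cbc ENCRYPTION='SM4-CBC';
CREATE TABLESPACE ts_bad ENCRYPTION = 'AES-512';
"""

if __name__ == "__main__":
    for name, opt, finding in audit_tablespaces(SAMPLE_DDL):
        print(f"{name:15} {opt:12} {finding}")
```

Statements whose ENCRYPTION value is not a quoted string do not match the pattern and are skipped, so review those by hand.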