OceanBase Database

SQL - V4.3.3


    Enable TDE for new tables

    Last Updated: 2024-12-02 03:48:29

    Applicability

    OceanBase Database Community Edition does not support transparent data encryption (TDE).

    This topic describes how to create an encrypted tablespace to enable TDE for new tables.

    OceanBase Database encrypts data in tablespaces. OceanBase Database does not support multiple files, and the concept of tablespaces is designed for compatibility. A tablespace is a collection of tables.

    This topic describes how to create a table named t1 in an encrypted tablespace named sectest_ts1 and enable TDE for the table.

    Limitations

    • You cannot enable encryption for the sys tenant.
    • After you enable TDE for a tenant, the tenant cannot use other encryption methods. To use another encryption method, you must recreate the tenant.

    Enable storage encryption in internal mode

    In internal mode, the encryption information of the master key is managed in internal tables. Clogs are not encrypted, which avoids a circular dependency during log replay.

    1. Log in to a MySQL tenant of a cluster as an administrator.

    2. Execute the following statement to enable TDE in internal mode.

      The tde_method parameter specifies the encryption method for a transparent tablespace. The default value is none, which indicates that encryption is disabled for the transparent tablespace.

      For more information about the tde_method parameter, see tde_method.

      Notice

      After the tde_method parameter is set, it cannot be modified.

      obclient> ALTER SYSTEM SET tde_method='internal';
      
    3. Execute the following statement to check whether the value of the tde_method parameter is internal on all OBServer nodes of the tenant:

      obclient> SHOW PARAMETERS LIKE 'tde_method';
      
    4. If the value is internal on all nodes, execute the following statement to generate the master key:

      Note

      The statement takes effect only when the value of the tde_method parameter is internal on all OBServer nodes of the tenant.

      obclient> ALTER INSTANCE ROTATE INNODB MASTER KEY;
      
    5. Create a tablespace and specify the encryption algorithm.

      You can specify one of the following encryption algorithms: aes-256, aes-128, aes-192, sm4-cbc, aes-128-gcm, aes-192-gcm, aes-256-gcm, and sm4-gcm. If you set encryption to 'y', the aes-256 algorithm is used.

      Here is an example:

      obclient> CREATE TABLESPACE sectest_ts1 encryption = 'y';
      

    Create a table in an encrypted tablespace

    1. Log in to a MySQL tenant of the database as a regular user.

    2. Create a table and specify the tablespace.

      obclient> CREATE TABLE t1 (id1 int, id2 int) TABLESPACE sectest_ts1;
      

      After the table is created, all transactions related to the table are encrypted.

    3. Check whether the table in the tablespace is marked as encrypted.

      Execute the following statement to check whether the value of the encryptionalg column is aes-256 or as specified:

      obclient> SELECT table_name,encryptionalg,encrypted FROM oceanbase.V$OB_ENCRYPTED_TABLES;
      +------------+---------------+-----------+
      | table_name | encryptionalg | encrypted |
      +------------+---------------+-----------+
      | t1         | aes-256       | YES       |
      +------------+---------------+-----------+
      1 row in set
      

      If the value of the encryptionalg column is aes-256 or as specified, and that of the encrypted column is YES, the table is encrypted.

      For more information about the fields in the V$OB_ENCRYPTED_TABLES view, see V$OB_ENCRYPTED_TABLES.
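
The two checks in this procedure (that tde_method is internal on every OBServer node before the master key is generated, and that each new table is listed as encrypted) can be scripted over captured obclient output. The following Python is an added example, not part of the OceanBase documentation; both sample outputs are constructed, and the svr_ip, svr_port, name and value column names in the SHOW PARAMETERS sample are assumptions.

```python
# Added example: gate checks over captured obclient output (not OceanBase code).
# Both samples are constructed; the SHOW PARAMETERS column names are assumed.
SAMPLE_PARAMS = """
+-------+-----------+----------+------------+----------+
| zone  | svr_ip    | svr_port | name       | value    |
+-------+-----------+----------+------------+----------+
| zone1 | 192.0.2.1 | 2882     | tde_method | internal |
| zone2 | 192.0.2.2 | 2882     | tde_method | none     |
+-------+-----------+----------+------------+----------+
"""
SAMPLE_VIEW = """
| table_name | encryptionalg | encrypted |
| t1         | aes-256       | YES       |
"""

def parse_table(text):
    """Turn an obclient ASCII result table into a list of dicts keyed by column."""
    rows = [[c.strip() for c in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    if not rows:
        return []
    header = rows[0]
    return [dict(zip(header, r)) for r in rows[1:] if len(r) == len(header)]

def tde_method_ready(show_parameters_output):
    """Return (ok, offenders); ok only if every node reports 'internal'.
    Empty output counts as not ready, so a failed query cannot pass the gate."""
    rows = [r for r in parse_table(show_parameters_output)
            if r.get("name") == "tde_method"]
    bad = [f"{r['svr_ip']}:{r['svr_port']}" for r in rows
           if r.get("value") != "internal"]
    return bool(rows) and not bad, bad

def encryption_gaps(view_output, expected_tables, expected_alg="aes-256"):
    """Return {table: reason} for tables missing, not YES, or with another algorithm."""
    seen = {r["table_name"]: r for r in parse_table(view_output)}
    gaps = {}
    for name in expected_tables:
        row = seen.get(name)
        if row is None:
            gaps[name] = "not listed in V$OB_ENCRYPTED_TABLES"
        elif row["encrypted"] != "YES":
            gaps[name] = "encrypted=" + row["encrypted"]
        elif row["encryptionalg"] != expected_alg:
            gaps[name] = "encryptionalg=" + row["encryptionalg"]
    return gaps

if __name__ == "__main__":
    print(tde_method_ready(SAMPLE_PARAMS), encryption_gaps(SAMPLE_VIEW, ["t1", "t2"]))
```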

    References

    • Enable TDE for existing tables
    • Decrypt a table
