Generate a tenant master key (MySQL-compatible mode)

This topic describes how to generate a tenant master key in a MySQL-compatible tenant. After the tenant master key is generated, you can use the transparent data encryption (TDE), column encryption, and function encryption features.

Prerequisites

• A MySQL-compatible tenant has been created.
• You are logged in as an administrator.

Generate a master key

The following describes how to generate a master key:

1. To enable TDE, you must generate a master key. The value of the tde_method parameter must not be none. To avoid a circular dependency during log replay, when tde_method is set to internal, TDE does not encrypt the clog.
2. Column encryption also requires a master key that is not none.
3. Function encryption also requires a master key that is not none.
4. We recommend that you set tde_method to obcloud for all three of the preceding features.

The following example shows how to use the obcloud method. If you want to use an external KMS service, set tde_method to obcloud and configure external_kms_info.

1. Log in to the MySQL-compatible tenant of the cluster as the administrator.

2. Execute the following statement to enable encryption using the obcloud method.

   The tde_method parameter specifies the storage method of the master key. By default, it is none, which means encryption is disabled.

   For more information about the tde_method parameter, see tde_method.

   Notice

   Once the tde_method parameter is set, it cannot be modified.

   ALTER SYSTEM SET tde_method='obcloud';
   

3. Execute the following statement to confirm that the value of the tde_method parameter is obcloud on all OBServer nodes of the tenant.

   SHOW PARAMETERS LIKE 'tde_method';
   

4. Execute the following statement to configure the key management information.

   For more information about the external_kms_info parameter, see external_kms_info.

   -- This example is for reference only. Please replace it with the actual key management information.
   ALTER SYSTEM SET external_kms_info='{
            "KMS_HOST": "kms.ob.com:443",
            "ROOT_CERT": "******",
            "PRIVATE_KEY": "******",
            "PRIVATE_KEY_PHRASE": "ob2025",
            "SCENE": "ANT",
            "KEY_NAME": "ob_cluster_key",
            "CALLER": "oceanbase_admin"}';
   

5. Execute the following statement to generate the master key.

   Note

   This statement can only be executed successfully if the value of the tde_method parameter is internal on all OBServer nodes of the tenant. The first execution will take about 20 seconds for the key to take effect.

   ALTER INSTANCE ROTATE INNODB MASTER KEY;
   

Rotate the tenant master key

To enhance security, it's recommended to rotate the tenant master key periodically. After rotation, new data will be encrypted using the new key, while existing data can still be decrypted with the old key.

ALTER INSTANCE ROTATE INNODB MASTER KEY;

What to do next

After generating the tenant master key, you can:

• Enable TDE. For more information, see Set up transparent encryption for newly created tables
• Use column encryption. For more information, see Create column encryption rules
• Use function encryption. For more information, see ENHANCED_AES_ENCRYPT and ENHANCED_AES_DECRYPT

References

• Overview of tenant master keys
• Generate a tenant master key (Oracle-compatible mode)