Manage Transparent Data Encryption (TDE)

2025-09-08 08:15:43  Updated

Applicability

This topic applies only to OCP Enterprise Edition. OCP Community Edition does not support this feature.

OceanBase Database supports Transparent Data Encryption (TDE) at the data storage layer.

TDE encrypts sensitive data stored on disk. Data is automatically encrypted before it is written to the storage device and automatically decrypted when it is read, so applications and users are not affected. Authenticated users can access the data without restriction. If a storage device is stolen or lost, TDE ensures that the sensitive data stored on it cannot be read by unauthorized users, because only ciphertext is present on the device.

This topic describes the procedure for managing TDE.

Enable TDE transparent encryption

You can follow the steps in this topic to enable TDE transparent encryption for a cluster.

Notice

After TDE transparent encryption is enabled, it cannot be disabled, and encryption causes a drop in database performance. If you need to decrypt data later, you must move the tables out of the encrypted tablespace and then perform a full major compaction.

Prerequisites

  • You are logged in to the OCP console as a user with the ADMIN or ORG_ADMIN role.
  • The version of the OceanBase cluster is V4.x or later.
  • The tenant status is Running.

Procedure

  1. Log in to the OCP console.

  2. In the left-side navigation pane, click Cluster. The Clusters page automatically appears.

  3. On the Clusters page, find the target cluster and click its name to go to the Overview page.

  4. In the left-side navigation pane of the page that appears, click Security Configuration.

  5. Switch to the Transparent Data Encryption tab.

  6. Select the tenant for which you want to enable encryption and click Enable Encryption in the Actions column.

  7. In the dialog box that appears, click Enable.

Create a tablespace

OceanBase Database supports transparent data encryption (TDE) at the tablespace level to ensure data security.

Prerequisites

  • You are logged in to OCP as the ADMIN or ORG_ADMIN user.
  • The version of the OceanBase cluster is V4.x or later.
  • TDE has been enabled.

Procedure

  1. Log in to the OCP console.

  2. In the left-side navigation pane, click Cluster. The Clusters page automatically appears.

  3. On the Clusters page, find the target cluster and click its name to go to the Overview page.

  4. In the left-side navigation pane of the page that appears, click Security Configuration.

  5. Switch to the Transparent Data Encryption tab.

  6. Select a tenant and click Create Tablespace in the Actions column.

  7. In the dialog box that appears, specify or select the following information.

    Parameter | Description
    Encrypted Tablespace Name | You can create multiple encrypted tablespaces in the same tenant. Each tablespace name must be unique. The name must start with a letter and can contain letters, digits, and underscores. The name must be 2 to 30 characters in length.
    Encryption Algorithm | After you specify an encryption algorithm, you cannot modify it or convert it to another algorithm. Different OceanBase Database versions support different encryption algorithms. Refer to the official OceanBase documentation for the list of supported encryption algorithms.

  8. Specify the encrypted tablespace name and select an encryption algorithm, and click Create.

  9. After TDE is enabled and the encrypted tablespace is created, you can encrypt data by creating tables in that tablespace with a DDL statement. The DDL statement to create an encrypted table is as follows:

    CREATE TABLE t1 (id int,id2 int) TABLESPACE sectest_ts1;
    

    Notice

    After you move an existing table that already contains data (a history table) into an encrypted tablespace, you must perform a full major compaction so that the data is persisted in encrypted form. Otherwise, the existing data of that table remains unencrypted on disk.

  10. Click the name of the encrypted tablespace to view details about the encrypted table in the right-side panel, including the tenant to which the table belongs, the table name, the encryption status, and the encryption progress. The encryption progress indicates the percentage of data blocks that have been encrypted in the current table.
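The following SQL sequence is an added example (not part of this page or of OCP) that shows the same lifecycle from the SQL side: creating an encrypted table, moving an existing table into the encrypted tablespace and compacting it, checking status, and the move-out path described in the Notice above. Assumptions: the statements run in the tenant (MySQL mode) after TDE has been enabled in OCP; the tablespace sectest_ts1 comes from the page, t_hist and plain_ts are constructed names, and the V$OB_ENCRYPTED_TABLES view and its columns are assumed from the OceanBase 4.x system views and may differ by version.

```sql
-- Added example; not from the original page. Assumed names: t_hist, plain_ts.

-- 1. A new table created directly in the encrypted tablespace (from the page).
--    New rows written to it are encrypted before they reach disk.
CREATE TABLE t1 (id INT, id2 INT) TABLESPACE sectest_ts1;

-- 2. An existing table that already holds data (a "history table").
--    Constructed sample data; moving it into the tablespace does NOT
--    rewrite the rows already on disk (assumed ALTER TABLE ... TABLESPACE syntax).
CREATE TABLE t_hist (id INT PRIMARY KEY, payload VARCHAR(64));
INSERT INTO t_hist VALUES (1, 'constructed sample row');
ALTER TABLE t_hist TABLESPACE sectest_ts1;

-- 3. Existing data is only persisted in encrypted form by a full major
--    compaction (see the Notice above). Trigger one and wait for it to finish:
--    STATUS returns to IDLE when the compaction has completed.
ALTER SYSTEM MAJOR FREEZE;
SELECT STATUS, LAST_FINISH_TIME FROM oceanbase.DBA_OB_MAJOR_COMPACTION;

-- 4. Check encryption status and progress per table (assumed view name and
--    columns). BLOCKS_ENCRYPTED vs. BLOCKS_DECRYPTED gives the same
--    percentage that the OCP panel shows as "encryption progress".
SELECT TABLE_NAME, ENCRYPTED, ENCRYPTIONALG,
       BLOCKS_ENCRYPTED, BLOCKS_DECRYPTED, STATUS
  FROM oceanbase.V$OB_ENCRYPTED_TABLES
 WHERE TABLE_NAME IN ('t1', 't_hist');

-- 5. The only way back (TDE itself cannot be disabled): move the table out of
--    the encrypted tablespace into a non-encrypted one (constructed name plain_ts),
--    then run a full major compaction again so the data is rewritten as plaintext.
ALTER TABLE t_hist TABLESPACE plain_ts;
ALTER SYSTEM MAJOR FREEZE;
```

Until step 3 finishes, a table listed in OCP at less than 100% still has unencrypted blocks on disk, so a stolen device would expose that remainder.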
