Data storage encryption refers to the process of encrypting data and clog files stored on disks in a transparent manner, known as transparent data encryption (TDE). With TDE, data is automatically encrypted before being written to a storage device and seamlessly decrypted during reading. This transparent process safeguards sensitive data from unauthorized access by hackers and malicious users, providing enhanced security for files, database backups, and disks.
How data storage encryption works
The user data and backups in OceanBase Database are stored as binary data on disks or other permanent storage media. An unauthorized party who obtains the media can read and decode the stored data, which results in data leakage.
The data stored in OceanBase Database is compressed. While compression provides a certain level of confidentiality, the data is still at risk of being decoded. To protect the security of data stored in memory and on disks, OceanBase Database supports the AES and SM4 encryption algorithms. AES is widely used around the world, and SM4 is a block cipher standardized in China.
OceanBase Database uses Keystore to support two-level key management. To ensure data security, OceanBase Database does not allow users to view or specify the master key or the encryption key through Keystore. The master key and encryption key are generated by the system and are never stored in plaintext on disk. This greatly improves the security of the system.
Keystore is the module that manages the master key and provides key management services. Features of Keystore include:
Generation of the master key: Keystore generates the master key based on the encryption algorithm. This provides a higher security level as users cannot specify the master key.
Storage of the information related to the master key: Keystore can obtain the master key based on relevant information. Keystore keeps multiple copies of information, ensures information consistency, and provides fault handling.
Master key management and multiversion concurrency control (MVCC): Keystore is used to change the master key and supports MVCC, so that a new master key can be applied gradually rather than all at once.
High availability of the services related to the master key.
Processing of Keystore commands.
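The two-level scheme described above (a system-generated master key that wraps a data encryption key, which in turn encrypts the stored data) and the MVCC-style gradual rollout of a new master key can be illustrated with a small envelope-encryption model. The following Go program is an added example written for this page; it is not OceanBase code and does not reflect OceanBase's internal tables or key formats. It assumes AES-256-GCM from the Go standard library for both wrapping and block encryption (SM4 is not in the standard library), and the Keystore, WrappedDEK, MasterKey, RotateMasterKey, Rewrap, EncryptBlock and DecryptBlock names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// MasterKey is one version of the system-generated master key (hypothetical type).
type MasterKey struct {
	Version int
	Key     []byte // 32 random bytes: AES-256
}

// WrappedDEK is a data encryption key encrypted under one master-key version.
// Persisting the version is what lets old wrapped keys stay readable after rotation.
type WrappedDEK struct {
	MasterVersion int
	Blob          []byte // nonce || AES-GCM ciphertext of the DEK
}

// Keystore keeps every master-key version so that rotation can be applied gradually.
type Keystore struct {
	versions map[int]MasterKey
	current  int
}

// NewKeystore creates a keystore with an initial master key (version 1).
func NewKeystore() (*Keystore, error) {
	ks := &Keystore{versions: map[int]MasterKey{}}
	return ks, ks.RotateMasterKey()
}

// RotateMasterKey generates a fresh random master key and makes it current.
// Users never supply or see the key; it only exists inside this process.
func (ks *Keystore) RotateMasterKey() error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	ks.current++
	ks.versions[ks.current] = MasterKey{Version: ks.current, Key: key}
	return nil
}

// sealWith is AES-256-GCM with a random nonce prepended to the ciphertext.
func sealWith(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openWith reverses sealWith and fails on any tampering (GCM tag check).
func openWith(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// aad binds a wrapped DEK to the master-key version it was wrapped under.
func aad(version int) []byte { return []byte(fmt.Sprintf("master-key-v%d", version)) }

// NewWrappedDEK creates a random DEK and wraps it under the current master key.
// The plaintext DEK is returned for in-memory use only; the wrapped form is what gets persisted.
func (ks *Keystore) NewWrappedDEK() ([]byte, WrappedDEK, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, WrappedDEK{}, err
	}
	mk := ks.versions[ks.current]
	blob, err := sealWith(mk.Key, dek, aad(mk.Version))
	return dek, WrappedDEK{MasterVersion: mk.Version, Blob: blob}, err
}

// UnwrapDEK recovers a DEK with the master-key version recorded alongside it.
func (ks *Keystore) UnwrapDEK(w WrappedDEK) ([]byte, error) {
	mk, ok := ks.versions[w.MasterVersion]
	if !ok {
		return nil, fmt.Errorf("unknown master key version %d", w.MasterVersion)
	}
	return openWith(mk.Key, w.Blob, aad(mk.Version))
}

// Rewrap moves a wrapped DEK onto the current master key without touching any data block:
// data encrypted under the DEK never needs re-encryption, so rotation can proceed gradually.
func (ks *Keystore) Rewrap(w WrappedDEK) (WrappedDEK, error) {
	dek, err := ks.UnwrapDEK(w)
	if err != nil {
		return WrappedDEK{}, err
	}
	mk := ks.versions[ks.current]
	blob, err := sealWith(mk.Key, dek, aad(mk.Version))
	return WrappedDEK{MasterVersion: mk.Version, Blob: blob}, err
}

// EncryptBlock and DecryptBlock stand in for the transparent encrypt-on-write / decrypt-on-read step.
func EncryptBlock(dek, plaintext []byte) ([]byte, error) { return sealWith(dek, plaintext, nil) }
func DecryptBlock(dek, ciphertext []byte) ([]byte, error) { return openWith(dek, ciphertext, nil) }

func main() {
	ks, _ := NewKeystore()
	dek, wrapped, _ := ks.NewWrappedDEK()
	ct, _ := EncryptBlock(dek, []byte("constructed row data"))
	_ = ks.RotateMasterKey()          // new master key becomes current
	rewrapped, _ := ks.Rewrap(wrapped) // DEK moves to the new master key; ct is untouched
	dek2, _ := ks.UnwrapDEK(rewrapped)
	pt, _ := DecryptBlock(dek2, ct)
	fmt.Printf("decrypted under master key v%d: %s\n", rewrapped.MasterVersion, pt)
}
```

The point to take from the example is that the stored ciphertext is never rewritten during rotation: only the small wrapped DEK record changes, and until every record has been re-wrapped the keystore still holds the previous master-key version so that old records remain readable. Any bit flip in a stored block or a wrapped key is rejected by the GCM tag check rather than silently decrypting to garbage.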
Storage encryption modes
In OceanBase Database, transparent tablespace encryption in internal mode is supported only in private cloud deployments. In internal mode, the encryption information of the master key is managed in internal tables, and clogs are not encrypted, which avoids a circular dependency during log replay.
References
For more information about storage encryption, see Data storage encryption.