Add or delete an encrypted zone

OceanBase Database supports zone-level log transfer and storage encryption. When you add a zone to a cluster, you can encrypt the zone. The system encrypts the clogs when you send logs to the encrypted zone or when the zone persists the clogs.

Note

To use an encrypted voting replica, you need to add an encrypted zone. For more information about replicas, see Replica overview.

Limitations

Limitations on the use of encrypted zones and encrypted voting replicas are as follows:

• You can deploy only encrypted voting replicas in an encrypted zone. Other types of replicas, such as full-featured replicas, read-only replicas, and standard log-only replicas cannot be deployed in encrypted zones.

• You can deploy encrypted voting replicas only in an encrypted zone but not in a read/write zone.

Add an encrypted zone

This section describes how to add an encrypted zone to a cluster.

Assume that the cluster already has z1 and z2 and you want to add z3 to the cluster. z1 and z2 are regular read/write zones, and z3 is an encrypted zone. z3 contains only encrypted transaction log data.

Procedure:

1. Log on to the sys tenant as the root user.

2. Execute the following statements in sequence to set the encryption mode and generate a master key.

   obclient> ALTER SYSTEM set tde_method = 'internal';
   
   obclient>ALTER INSTANCE ROTATE INNODB MASTER KEY;
   

3. Execute the following statement to check whether the master key generated in the previous step has taken effect.

   obclient> SELECT min(max_active_version) FROM oceanbase.__all_virtual_master_key_version_info WHERE tenant_id = 1;
   

   When the value of min(max_active_version) in the query results is greater than 0, the master key has taken effect. Otherwise, the master key has not taken effect.

   The virtual table __all_virtual_master_key_version_info records the version information of the master key on each OBServer node. Table structure of this table is as follows:

   table_name    = '__all_virtual_master_key_version_info',
   
   rowkey_columns = [
     ('svr_ip', 'varchar:MAX_IP_ADDR_LENGTH'),
     ('svr_port', 'int'),
     ('tenant_id', 'int'),
   ],
   normal_columns = [
     ('max_active_version', 'int'),
     ('max_stored_version', 'int'),
     ('expect_version', 'int'),
   ]
   

   The master key information for each tenant on each OBServer node occupies one row in the virtual table.

   • expect_version specifies the maximum version of the master key generated for the tenant in the cluster.

   • max_stored_version specifies the maximum version of the master key for the tenant during local persistence on the corresponding OBServer node.

   • max_active_version specifies the maximum version of the master key that the tenant can use during encryption on the corresponding OBServer node. If the value of max_active_version is 0, no active master key is available.

4. Execute the following statement to add an encrypted zone.

   Notice

   Before you add an encrypted zone, make sure that the sys tenant has an active master key. Otherwise, the execution of the following statement will fail.

   obclient> ALTER SYSTEM ADD Zone 'z3' zone_type = 'encryption';
   

5. Execute the following statements to modify the locality of the sys tenant. For more information about the locality, see Locality overview.

   The cluster originally has two replicas. After the encrypted zone is added to the cluster, the number of replicas of the sys tenant must be increased to 3. In addition, only encrypted voting replicas can be deployed in z3.

   obclient> CREATE RESOURCE POOL sys_pool2 unit_num = 1, zone_list=('z3'), unit='sys_unit_config';
   
   obclient> ALTER TENANT sys resource_pool_list = ('sys_pool','sys_pool2');
   
   obclient> ALTER TENANT sys LOCALITY = 'F@z1,F@z2,E@z3';
   

Manually rotate a master key

Master key rotation generates a new key. The administrator can manually rotate the master key for an encrypted zone if the user wants to replace the master key.

1. Log on to the sys tenant as the root user.

2. Execute the following statement to rotate the master key for an encrypted zone.

   obclient> ALTER INSTANCE ROTATE INNODB MASTER KEY;
   

   Note

   When you rotate a master key, an OBServer failure in an encrypted zone does not affect the validation of the master key. However, an OBServer failure in a read/write zone may affect the validation of the master key. As a result, the new master key generated through rotation may not take effect immediately.

Delete an encrypted zone

You can delete an encrypted zone in the same way that you delete a read/write zone. Before you delete an encrypted zone, make sure that no OBServer node is deployed in the zone. Otherwise, the deletion will fail.

1. Log on to the sys tenant as the root user.

2. Execute the following statement to delete an encrypted zone.

   For example,

   obclient> ALTER SYSTEM DELETE ZONE 'z3';
   

3. Execute the following statement to check whether the zone is deleted.

   For example,

   obclient> SELECT * FROM __all_zone;
   +----------------------------+----------------------------+-------+--------------------------+------------------+--------------+
   | gmt_create                 | gmt_modified               | zone  | name                     | value            | info         |
   +----------------------------+----------------------------+-------+--------------------------+------------------+--------------+
   | 2021-11-22 10:33:10.445956 | 2021-11-22 10:33:10.445956 |       | cluster                  |                0 | test321_0930 |
   | 2021-11-22 10:33:10.446963 | 2021-11-23 15:40:01.140640 |       | config_version           | 1637653201137839 |              |
   | 2021-11-22 10:33:10.445909 | 2021-11-24 02:00:01.633458 |       | frozen_time              | 1637690410847191 |              |
   | 2021-11-22 10:33:10.445909 | 2021-11-24 02:00:01.633458 |       | frozen_version           |                4 |              |
   | 2021-11-22 10:33:10.446963 | 2021-11-22 10:33:10.446963 |       | gc_schema_version        |                0 |              |
   | 2021-11-22 10:33:10.446963 | 2021-11-24 02:00:20.858275 |       | global_broadcast_version |                4 |              |
   | 2021-11-22 10:33:10.446963 | 2021-11-22 10:33:10.446963 |       | is_merge_error           |                0 |              |
   | 2021-11-22 10:33:10.446963 | 2021-11-24 02:01:28.922658 |       | last_merged_version      |                4 |              |
   | 2021-11-22 10:33:10.446963 | 2021-11-24 02:01:28.924652 |       | lease_info_version       | 1637690488921414 |              |
   | 2021-11-22 10:33:10.446963 | 2021-11-24 02:01:28.924652 |       | merge_status             |                0 | IDLE         |
   | 2021-11-22 10:33:10.446963 | 2021-11-22 10:33:10.446963 |       | privilege_version        |                0 |              |
   | 2021-11-22 10:33:10.446963 | 2021-11-22 10:33:10.446963 |       | proposal_frozen_version  |                1 |              |
   | 2021-11-22 10:33:10.446963 | 2021-11-22 10:33:10.446963 |       | snapshot_gc_ts           |                0 |              |
   | 2021-11-22 10:33:10.448018 | 2021-11-22 10:33:10.448018 |       | storage_format_version   |                4 |              |
   | 2021-11-22 10:33:10.446963 | 2021-11-22 10:33:10.446963 |       | time_zone_info_version   |                0 |              |
   | 2021-11-22 10:33:10.445909 | 2021-11-22 10:33:10.445909 |       | try_frozen_version       |                1 |              |
   | 2021-11-22 10:33:10.446963 | 2021-11-22 10:33:10.446963 |       | warm_up_start_time       |                0 |              |
   | 2021-11-22 10:33:10.448018 | 2021-11-24 02:01:18.776935 | zone1 | all_merged_version       |                4 |              |
   | 2021-11-22 10:33:10.448018 | 2021-11-24 02:00:21.553240 | zone1 | broadcast_version        |                4 |              |
   | 2021-11-22 10:33:10.449072 | 2021-11-22 10:33:21.596525 | zone1 | idc                      |                0 | HZ0          |
   | 2021-11-22 10:33:10.448018 | 2021-11-24 02:01:18.776935 | zone1 | is_merge_timeout         |                0 |              |
   | 2021-11-22 10:33:10.448018 | 2021-11-24 02:01:18.775879 | zone1 | is_merging               |                0 |              |
   | 2021-11-22 10:33:10.448018 | 2021-11-24 02:01:18.775879 | zone1 | last_merged_time         | 1637690478775672 |              |
   | 2021-11-22 10:33:10.448018 | 2021-11-24 02:01:18.775879 | zone1 | last_merged_version      |                4 |              |
   | 2021-11-22 10:33:10.448018 | 2021-11-24 02:00:21.553240 | zone1 | merge_start_time         | 1637690421552453 |              |
   | 2021-11-22 10:33:10.448018 | 2021-11-24 02:01:18.776935 | zone1 | merge_status             |                0 | IDLE         |
   | 2021-11-22 10:33:10.449072 | 2021-11-22 10:33:10.449072 | zone1 | recovery_status          |                0 | NORMAL       |
   | 2021-11-22 10:33:10.449072 | 2021-11-22 10:33:10.449072 | zone1 | region                   |                0 | HANGZHOU     |
   | 2021-11-22 10:33:10.448018 | 2021-11-22 10:33:10.448018 | zone1 | status                   |                2 | ACTIVE       |
   | 2021-11-22 10:33:10.449072 | 2021-11-22 10:33:10.449072 | zone1 | storage_type             |                0 | LOCAL        |
   | 2021-11-22 10:33:10.448018 | 2021-11-22 10:33:10.448018 | zone1 | suspend_merging          |                0 |              |
   | 2021-11-22 10:33:10.449072 | 2021-11-22 10:33:10.449072 | zone1 | zone_type                |                0 | ReadWrite    |
   +----------------------------+----------------------------+-------+--------------------------+------------------+--------------+
   32 rows in set