Enable storage encryption for a new table

This topic describes how to create an encrypted tablespace to enable storage encryption for a new table.

Limitations

• You cannot enable encryption for the sys tenant.

• After you enable storage encryption for a tenant, the tenant cannot use other encryption methods. To use another encryption method, recreate a tenant.

Background information

OceanBase Database encrypts data in tablespaces. Tablespaces are designed to make OceanBase Database compatible with Oracle Database. You can consider a tablespace as a collection of tables.

The following sections describe how to enable data storage encryption for the t1 table in the encrypted sectest_ts1 tablespace.

Enable storage encryption in internal mode

In internal mode, the encryption information of the master key is managed in internal tables, and clogs are not encrypted to avoid circular dependency during log replay.

1. Log on to a MySQL tenant as an administrator.

2. Execute the following statement to enable storage encryption in internal mode:

   The tde_method parameter specifies the encryption method for a transparent tablespace. The default value is none, which indicates that encryption is disabled for the transparent tablespace.

   For more information about the tde_method parameter, see tde_method.

   Notice

   After the tde_method parameter is set, it cannot be modified.

   obclient> ALTER SYSTEM SET tde_method='internal';
   

3. Execute the following statement to check whether the value of the tde_method parameter is internal on all OBServer nodes of the tenant:

   obclient> SHOW PARAMETERS LIKE 'tde_method';
   

4. If yes, execute the following statement to generate the master key:

   Note

   The statement takes effect only when the value of the tde_method parameter is internal on all OBServer nodes of the tenant.

   obclient> ALTER INSTANCE ROTATE INNODB MASTER KEY;
   

5. Create a tablespace and specify the encryption algorithm.

   You can specify one of the following encryption algorithms: aes-256, aes-128, aes-192, and sm4-cbc. If you set the sectest_ts1 encryption parameter to y, the aes-256 algorithm is used.

   For example:

   obclient> CREATE TABLESPACE sectest_ts1 encryption = 'y';
   

Check whether encryption is enabled as expected

To check whether encryption is enabled as expected, perform the following steps:

1. Log on to a MySQL tenant of the database as a regular user.

2. Log on to the database, create a table, and specify the tablespace.

   obclient> CREATE TABLE t1 (id1 int, id2 int) TABLESPACE sectest_ts1;
   

   After the table is created, all transactions related to the table are encrypted.

3. Check whether table t1 in the tablespace is marked as encrypted.

   Execute the following statement to check whether the value of the encryptionalg column is aes-256 or as specified:

   obclient> SELECT table_name,encryptionalg FROM oceanbase.v$encrypted_tables;
   +------------+---------------+
   | table_name | encryptionalg |
   +------------+---------------+
   | t1         | aes-256       |
   +------------+---------------+
   1 row in set
   

   If the value of the encryptionalg column is aes-256 or as specified, the table is encrypted.

   For more information about fields in the v$encrypted_tables view, see v$encrypted_tables.