Enable storage encryption for a new table

2023-10-27 09:57:43  Updated

This topic describes how to create an encrypted tablespace to enable storage encryption for a new table.

Background information

OceanBase Database provides data encryption methods that are compatible with Oracle Database and encrypts data at the tablespace level. OceanBase Database does not support multiple data files; the concept of a tablespace exists for compatibility only, and a tablespace is simply a collection of tables.

The following sections describe how to enable data storage encryption for the t1 table in the encrypted sectest_ts1 tablespace.

Enable storage encryption in internal mode

In internal mode, the encryption information of the master key is managed in internal tables, and clogs (commit logs) are not encrypted, which avoids a circular dependency during log replay.

  1. Log on to an Oracle tenant of the database as the administrator.

  2. Execute the following statement to enable storage encryption in internal mode:

    obclient> ALTER SYSTEM SET tde_method='internal';
    
    The tde_method parameter specifies the method used for transparent data encryption (TDE) of tablespaces. The default value is none, which indicates that tablespace encryption is disabled.

    For more information about the tde_method parameter, see tde_method.

    Notice

    After the tde_method parameter is set, it cannot be modified.
    
  3. Execute the following statement to check whether the value of the tde_method parameter is internal on all OBServer nodes of the tenant:

    obclient> SHOW PARAMETERS LIKE 'tde_method';
    
  4. Create a Keystore.

    The SQL syntax is as follows:

    obclient> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE keystore_name IDENTIFIED BY password;
    

    For example:

    obclient> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE sectest1 IDENTIFIED BY ******;
    
  5. Enable the Keystore.

    The SQL syntax is as follows:

    obclient> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY password;
    

    Replace password with the password specified when the Keystore was created in the previous step.

    For example:

    obclient> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY ******;
    
  6. Execute the following statement to generate the master key:

    obclient> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY password;
    

    Replace password with the password specified when the Keystore was created in step 4.

    For example:

    obclient> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY ******;
    
  7. Create a tablespace and specify the encryption algorithm.

    You can specify any one of the following encryption algorithms: aes-256, aes-128, aes-192, and sm4-cbc.

    For example:

    obclient> CREATE TABLESPACE sectest_ts1 ENCRYPTION USING 'aes-256';
    

Check whether encryption is enabled as expected

To check whether encryption is enabled as expected, perform the following steps:

  1. Log on to the Oracle tenant as a regular user.

  2. Create a table and specify the tablespace.

    obclient> CREATE TABLE t1 (id1 int, id2 int) TABLESPACE sectest_ts1;
    

    After the table is created, all data written to the table is stored encrypted.

  3. Check whether table t1 in the tablespace is marked as encrypted.

    Execute the following statement and check that the ENCRYPTIONALG column shows aes-256, or the algorithm you specified when creating the tablespace:

    obclient> SELECT TABLE_NAME,ENCRYPTIONALG FROM v$encrypted_tables;
    +------------+---------------+
    | TABLE_NAME | ENCRYPTIONALG |
    +------------+---------------+
    | T1         | aes-256       |
    +------------+---------------+
    1 row in set
    

    If the value of the ENCRYPTIONALG column is aes-256 or as specified, the table is encrypted.

    For more information about fields in the V$ENCRYPTED_TABLES view, see V$ENCRYPTED_TABLES.
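As an added example that is not part of the OceanBase documentation, the following Python script parses the obclient output of the V$ENCRYPTED_TABLES query shown above and checks it against an encryption policy: every table that must be encrypted has to appear in the view with an approved algorithm. The sample output, the table names and the policy are constructed assumptions.

```python
"""Audit V$ENCRYPTED_TABLES output against an encryption policy.

Added example, not OceanBase's own code. Tables that are missing from the
view were created outside an encrypted tablespace; tables present with an
algorithm the policy does not accept are reported separately.
"""

# Constructed sample of obclient output for:
#   SELECT TABLE_NAME,ENCRYPTIONALG FROM v$encrypted_tables;
SAMPLE_OUTPUT = """\
+------------+---------------+
| TABLE_NAME | ENCRYPTIONALG |
+------------+---------------+
| T1         | aes-256       |
| AUDIT_LOG  | aes-128       |
+------------+---------------+
2 rows in set
"""

# Algorithms a tablespace can be created with, as listed on this page.
ALL_TDE_ALGS = {"aes-256", "aes-128", "aes-192", "sm4-cbc"}


def parse_obclient_table(text):
    """Return one dict per data row of an obclient ASCII table."""
    def cells(line):
        return [c.strip() for c in line.strip().strip("|").split("|")]

    rows = [line for line in text.splitlines() if line.startswith("|")]
    if not rows:
        return []
    header = cells(rows[0])  # first "|" row is the column header
    return [dict(zip(header, cells(r))) for r in rows[1:]]


def audit_encryption(output, required_tables, approved_algs):
    """Compare the view contents with the policy.

    required_tables: names of tables that must live in an encrypted tablespace.
    approved_algs: the subset of ALL_TDE_ALGS the policy accepts.
    Returns {"unencrypted": [...], "unapproved": {table: alg}, "ok": [...]}.
    """
    # Oracle-mode identifiers are upper-cased; algorithm names are lower-case.
    encrypted = {r["TABLE_NAME"].upper(): r["ENCRYPTIONALG"].lower()
                 for r in parse_obclient_table(output)}
    result = {"unencrypted": [], "unapproved": {}, "ok": []}
    for name in sorted(t.upper() for t in required_tables):
        alg = encrypted.get(name)
        if alg is None:
            result["unencrypted"].append(name)
        elif alg not in approved_algs:
            result["unapproved"][name] = alg
        else:
            result["ok"].append(name)
    return result


if __name__ == "__main__":
    print(audit_encryption(SAMPLE_OUTPUT, ["t1", "audit_log", "customers"], {"aes-256"}))
```

In practice, feed the script the output of the query run through obclient in batch mode and treat a non-empty "unencrypted" or "unapproved" result as a finding.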
