Transparent Data Encryption (TDE)

Note
Starting from version v6.5.0, YMatrix databases support transparent data encryption. Users can choose to enable or disable this feature when deploying a database cluster. Once the database cluster is deployed, the status of its transparent data encryption cannot be changed.

Transparent Data Encryption (TDE) is a technology designed to protect database data at rest, that is, data stored on disk, from unauthorized access. By automatically encrypting and decrypting data files at the database layer, it lets applications and users read and write encrypted data transparently during normal database operations, without requiring any modifications.

Encryption Method

Transparent Data Encryption uses a master key for encryption and decryption. YMatrix offers two deployment options: external KMS management of the master key via the KMIP protocol, or local file management of the master key.

Currently, Transparent Data Encryption only supports data files for HEAP tables and MARS3 tables.

Using TDE

Pre-Deployment Configuration

To enable Transparent Data Encryption when deploying a database, perform the following steps:

  1. Select an appropriate master key management method before deployment.
  2. Prepare the master_key.toml and master_pub.pem files on all machines in the cluster where the database will be deployed:
     • master_key.toml configures how the master key is used.
     • master_pub.pem stores the PEM-encoded public key of the master key.

Database Deployment

After preparing the above files, deploy the database cluster using MatrixUI or the command line. During deployment, the program automatically detects these configuration files and enables TDE for the database.

Starting the Database

On a database with transparent data encryption enabled, starting any segment requires the private key of the master key.

Status Checking

A new read-only GUC, mx_crypto_suite, has been added to check the status of transparent data encryption for the cluster. Its value is one of:

  • none indicates transparent data encryption is not enabled for this cluster.
  • general indicates transparent data encryption is enabled for this cluster.

Example output for a cluster with transparent data encryption enabled:

    GUC              : mx_crypto_suite
    Coordinator value: general
    Segment     value: general
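
One way to turn the status report above into an automated audit check, as an added example that is not YMatrix code. The function names and the "inconsistent" and "unknown" outcomes are assumptions of this example, the sample reports are constructed in the layout shown above, and the code only parses report text (it does not run any database tool).

```python
import re

# Values documented on this page for mx_crypto_suite.
KNOWN = {"none": "disabled", "general": "enabled"}

# Matches lines such as "Coordinator value: general" or "Segment     value: general".
_LINE = re.compile(
    r"^\s*(GUC|Coordinator\s+value|Segment\s+value)\s*:\s*(\S+)\s*$", re.I
)


def parse_report(text):
    """Return {'guc': ..., 'coordinator': ..., 'segment': ...} from a status report."""
    fields = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            key = m.group(1).split()[0].lower()  # guc / coordinator / segment
            fields[key] = m.group(2)
    return fields


def tde_status(text):
    """Classify a report as 'enabled', 'disabled', 'inconsistent' or 'unknown'."""
    f = parse_report(text)
    if f.get("guc") != "mx_crypto_suite":
        return "unknown"  # wrong GUC or unparseable report: fail closed
    coord, seg = f.get("coordinator"), f.get("segment")
    if coord is None or seg is None:
        return "unknown"
    if coord != seg:
        return "inconsistent"  # coordinator and segments disagree
    return KNOWN.get(coord, "unknown")  # undocumented value: fail closed


# Constructed sample reports in the layout shown on this page.
SAMPLE_ENABLED = """\
GUC              : mx_crypto_suite
Coordinator value: general
Segment     value: general
"""
SAMPLE_DISABLED = SAMPLE_ENABLED.replace("general", "none")
SAMPLE_MIXED = SAMPLE_ENABLED.replace("general", "none", 1)  # coordinator only

if __name__ == "__main__":
    for name, report in [("enabled", SAMPLE_ENABLED),
                         ("disabled", SAMPLE_DISABLED),
                         ("mixed", SAMPLE_MIXED)]:
        print(name, "->", tde_status(report))
```

Treating anything other than a consistent "general" as a failure keeps the check from passing on a truncated or unexpected report.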