Note!
YMatrix Database supports Transparent Data Encryption (TDE) starting from version v6.5.0. Users can choose to enable or disable TDE when deploying the database cluster. Once the cluster is deployed, the TDE status cannot be changed.
Transparent Data Encryption (TDE) is a technology that protects data at rest (i.e., data stored on disk) in a database from unauthorized access. It automatically encrypts and decrypts data files at the database layer, so applications and users read and write encrypted data transparently, without any changes to normal operation.
TDE uses a master key for encryption and decryption. YMatrix provides two deployment options for managing the master key: an external Key Management System (KMS) using the KMIP protocol, or local file-based master key management.
Currently, TDE only supports data files of HEAP tables and MARS3 tables.
To enable TDE when deploying the database, perform the following steps:
1. Prepare the master_key.toml and master_pub.pem files on all machines in the cluster where the database will be deployed. The master_key.toml file configures the method used to access the master key; the master_pub.pem file stores the PEM-encoded public key of the master key.
2. After preparing the above files, deploy the database cluster using MatrixUI or command-line tools. During deployment, the system automatically detects the configuration of these files and enables TDE if applicable.
When using a database with TDE enabled, each segment must provide the private key of the master key during startup.
A new read-only GUC parameter, mx_crypto_suite, is added to view the TDE status of the cluster:
none: TDE is disabled on the cluster.
general: TDE is enabled on the cluster.

Example output on a cluster with TDE enabled:

GUC : mx_crypto_suite
Coordinator value: general
Segment value: general
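
The following is an added example, not part of the YMatrix documentation: a shell function that classifies the mx_crypto_suite report shown above, so a monitoring or audit job can fail when TDE is off or when the coordinator and segments disagree. The function name tde_status and its exit codes are assumptions of this example; the report text is read from stdin.

```shell
#!/bin/sh
# Added example (not YMatrix code): classify an mx_crypto_suite report.
# Input  (stdin): the "GUC / Coordinator value / Segment value" text.
# Output (stdout): enabled | disabled | mismatch | unknown
# Exit status: 0 enabled, 1 disabled, 2 mismatch, 3 unknown (assumed codes).
tde_status() {
    awk -F': *' '
        # Strip trailing blanks and CR so values compare cleanly.
        { sub(/[ \t\r]+$/, "") }
        /^GUC[ \t]*:/               { guc = $2 }
        /^Coordinator value[ \t]*:/ { coord = $2 }
        /^Segment value[ \t]*:/     { seg = $2 }
        END {
            # Wrong parameter or an incomplete report: do not guess.
            if (guc != "mx_crypto_suite" || coord == "" || seg == "") {
                print "unknown"; exit 3
            }
            # Defensive: differing values are treated as a failure.
            if (coord != seg)       { print "mismatch"; exit 2 }
            if (coord == "general") { print "enabled";  exit 0 }
            if (coord == "none")    { print "disabled"; exit 1 }
            # Any value other than the two documented ones.
            print "unknown"; exit 3
        }'
}

# Sample report, copied from the output shown on this page.
sample='GUC : mx_crypto_suite
Coordinator value: general
Segment value: general'

printf '%s\n' "$sample" | tde_status
```

Because the TDE status cannot be changed after deployment, a result other than "enabled" on a cluster that is expected to be encrypted points to a deployment that did not pick up the key files.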