MySQL 5.7 Secure Deployment Guide  /  Transparent Data Encryption (TDE)

Appendix A Transparent Data Encryption (TDE)

The InnoDB storage engine supports transparent data encryption for tables stored in file-per-table tablespaces. This feature provides data-at-rest encryption for physical tablespace data files.

This feature uses a two-tier encryption key architecture, consisting of a master encryption key and tablespace keys. When a table is encrypted, a tablespace key is encrypted and stored in the tablespace header. When an application or authenticated user wants to access encrypted tablespace data, the master encryption key is used to decrypt the tablespace key.

The feature relies on a MySQL Keyring plugin for master encryption key management. MySQL provides these plugin choices:

  • keyring_file: A plugin that stores master encryption key data in a keyring file in the location specified by the keyring_file_data configuration option.

  • keyring_okv: A plugin that uses a KMIP-compatible product as a back end for keyring storage. Supported KMIP-compatible products include Oracle Key Vault (OKV) and Gemalto SafeNet KeySecure Appliance.

  • keyring_aws: A plugin that communicates with the Amazon Web Services Key Management Service for key generation and uses a local file for key storage.

The keyring_file plugin is not intended as a regulatory compliance solution, so either the keyring_okv or the keyring_aws plugin is recommended for a secure deployment.

If you have a KMIP-compatible product or an AWS KMS account and want to configure data encryption for your secure deployment, see Keyring Plugin Installation for plugin installation and configuration instructions.

Encrypting InnoDB Tables

After a keyring plugin is configured, InnoDB tables may be encrypted using the ENCRYPTION attribute with CREATE TABLE or ALTER TABLE. For instructions, refer to InnoDB Tablespace Encryption.
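A worked sequence for a server on which a keyring plugin has already been loaded at startup, as an added example that is not part of the guide: confirm the plugin is active, encrypt a new and an existing table, list tables that are still unencrypted, and rotate the master encryption key. The schema, table and column names (secure_app, customer, audit_log) are constructed for illustration.

```sql
-- Added example: verifying keyring plugin status and encrypting InnoDB tables.
-- Assumes a keyring plugin was loaded at server startup (early-plugin-load);
-- the schema and table names below are constructed, not from the guide.

-- 1. Confirm a keyring plugin is ACTIVE; TDE cannot function without one.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME LIKE 'keyring%';

-- 2. Encryption requires file-per-table tablespaces (ON by default in 5.7).
SHOW VARIABLES LIKE 'innodb_file_per_table';

CREATE DATABASE IF NOT EXISTS secure_app;
USE secure_app;

-- 3. Create a new table that is encrypted from the start.
CREATE TABLE customer (
  id         INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  full_name  VARCHAR(100) NOT NULL,
  card_last4 CHAR(4) NOT NULL
) ENGINE=InnoDB ENCRYPTION='Y';

-- 4. Encrypt an existing, unencrypted table; the tablespace is rebuilt.
CREATE TABLE audit_log (
  id       BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  event_at DATETIME NOT NULL,
  detail   TEXT
) ENGINE=InnoDB;
ALTER TABLE audit_log ENCRYPTION='Y';

-- 5. Audit check: list InnoDB tables in this schema that are NOT encrypted.
--    Encrypted tables report ENCRYPTION="Y" in CREATE_OPTIONS.
SELECT TABLE_NAME, CREATE_OPTIONS
  FROM INFORMATION_SCHEMA.TABLES
 WHERE TABLE_SCHEMA = 'secure_app'
   AND ENGINE = 'InnoDB'
   AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION="Y"%';

-- 6. Rotate the master encryption key (SUPER privilege in 5.7). Only the
--    tablespace keys are re-encrypted; table data is not rewritten.
ALTER INSTANCE ROTATE INNODB MASTER KEY;
```

Step 5 should return no rows once every table holding sensitive data has been encrypted; schedule step 6 according to your key rotation policy.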

