MySQL Secure Deployment Guide  /  Transparent Data Encryption (TDE)

Appendix A Transparent Data Encryption (TDE)

The InnoDB storage engine supports transparent data encryption, which provides data-at-rest encryption for physical tablespace data files.

This feature uses a two tier encryption key architecture, consisting of a master encryption key and tablespace keys. When a table is encrypted, a tablespace key is encrypted and stored in the tablespace header. When an application or authenticated user wants to access encrypted tablespace data, a master encryption key is used to decrypt the tablespace key.

A MySQL Keyring plugin is required for master encryption key management. MySQL provides these plugin choices:

  • keyring_file: Stores master encryption key data in a keyring file in the location specified by the keyring_file_data configuration option.

  • keyring_encrypted_file: Stores master encryption key data in an encrypted keyring file in the location specified by the keyring_encrypted_file_data configuration option.

  • keyring_okv: Uses a KMIP-compatible product as a back end for keyring storage. Supported products include centralized key management solutions such as Oracle Key Vault, Gemalto KeySecure, Thales Vormetric key management server, and Fornetix Key Orchestration.

  • keyring_aws: Communicates with the Amazon Web Services Key Management Service for key generation and uses a local file for key storage.

The keyring_file and keyring_encrypted_file plugins are not intended as regulatory compliance solutions, so the other plugins are recommended for a secure deployment.

If you have a KMIP-compatible product or an AWS KMS account and want to configure data encryption for your secure deployment, see Keyring Plugin Installation for instructions.

Encrypting InnoDB Tables

After a keyring plugin is configured, InnoDB tables may be encrypted using the ENCRYPTION attribute with CREATE TABLE or ALTER TABLE. For instructions, refer to InnoDB Tablespace Encryption.


User Comments
Sign Up Login You must be logged in to post a comment.