Overview of Transparent Data Encryption
Functional Introduction
Transparent Data Encryption aims to protect data by encrypting and decrypting data stored on disk.
• Transparent:
When you open or edit a specified file, the system automatically encrypts unencrypted files and decrypts encrypted files. Files are ciphertext on disk and plaintext in memory. Once a file leaves the environment in which it is used, the application cannot open it because the automatic decryption service is absent, so the file content stays effectively protected.
• Encryption:
TDE uses OpenSSL to provide the AES (Advanced Encryption Standard) algorithm for encrypting data and storing the key in a trusted location on the database server to ensure security.
Implementation Scheme of RDS-PostgreSQL Transparent Encryption
RDS-PostgreSQL uses the symmetric master key that the user created in the key management service to generate the DEK (Data Encryption Key) in both plaintext and ciphertext form. Data is encrypted with the plaintext DEK, and the DEK itself is protected by storing it only as the DEK ciphertext produced under the master key.
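The envelope scheme above, as an added example in Go that is not part of the RDS-PostgreSQL documentation or implementation: a fresh DEK encrypts the data, the master key (here a local 32-byte value standing in for the KMS symmetric key) wraps the DEK, and only the two ciphertexts are persisted. AES-256-GCM is an assumption; the page states AES via OpenSSL but not the mode.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Key is a 256-bit AES key: the KMS master key or a data encryption key (DEK).
type Key [32]byte

// seal encrypts plaintext with AES-256-GCM under k and prepends the random nonce.
func seal(k *Key, plaintext []byte) ([]byte, error) {
	block, _ := aes.NewCipher(k[:]) // cannot fail: the key is exactly 32 bytes
	gcm, _ := cipher.NewGCM(block)  // cannot fail for an AES block cipher
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; GCM authentication fails on a wrong key or altered data.
func open(k *Key, sealed []byte) ([]byte, error) {
	block, _ := aes.NewCipher(k[:])
	gcm, _ := cipher.NewGCM(block)
	if len(sealed) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt draws a fresh DEK, encrypts data with it, and wraps the DEK with the
// master key. Only wrappedDEK and ciphertext are persisted on disk.
func Encrypt(master *Key, data []byte) (wrappedDEK, ciphertext []byte, err error) {
	var dek Key // plaintext DEK: exists only in memory, gone when this returns
	if _, err = rand.Read(dek[:]); err != nil { return nil, nil, err }
	if ciphertext, err = seal(&dek, data); err != nil { return nil, nil, err }
	wrappedDEK, err = seal(master, dek[:])
	return wrappedDEK, ciphertext, err
}

// Decrypt unwraps the DEK with the master key, then decrypts the data; without
// the master key the persisted pair is unreadable.
func Decrypt(master *Key, wrappedDEK, ciphertext []byte) ([]byte, error) {
	raw, err := open(master, wrappedDEK)
	if err != nil { return nil, err }
	var dek Key
	copy(dek[:], raw)
	return open(&dek, ciphertext)
}
```

Rotating the master key in this model means re-wrapping the stored DEK, not re-encrypting the data.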
Enabling Transparent Data Encryption
TDE is not enabled by default on an RDS-PostgreSQL instance; you can choose to enable it when ordering the instance.
Application Scenarios
RDS-PostgreSQL provides TDE functionality. Enable this function to encrypt and decrypt the data stored on disk and thereby protect it.
Note
• You can enable the TDE function when ordering an instance. However, once enabled, it cannot be disabled.
• You need to enable the key management service first (it must be in the same resource pool as the RDS-PostgreSQL instance) and create a symmetric key. For details, see Enabling the Key Management Service.
• The key used for encryption is generated by the key management service.
• The kernel versions that support encryption are as follows: 12.16_P3, 13.12_P2, 14.9_P2, 15.4_P2.
Procedure
1. Enter the Order page. For details, see Step I: Ordering an Instance.
2. Check Enabling Transparent Encryption in the cluster configuration and select the data key in the key management service that you want to use (currently only symmetric keys are supported). If the key management service is not enabled, enable it and create the key first.
3. Complete the ordering process to bring up the instance, then check on the Console page whether database transparent encryption is enabled.
Note
• Currently, transparent data encryption can only be enabled when the instance is created. Once enabled, it cannot be disabled, and if it is not enabled at creation it cannot be enabled later.
• To use this function, you need to enable the key management service first and create a symmetric encryption key.
• Currently, only the East China 1 resource pool supports this function; other resource pools do not.