Transparent Data Encryption

Encrypted content is secured with a storage password, which must be provided by the domain administrator using NuoDB Admin. This password is separate from any SQL user password. It is used only for TDE and must be provided to the domain before starting a TDE-enabled database. It will also need to be provided by the user when using nuoarchive on a TDE-enabled archive or hot copy. Each database has its own storage password and all SMs and TEs in a database use the same storage password.

Storage passwords are never saved to disk by any NuoDB process.

NuoDB Admin will preserve storage passwords in memory throughout the domain. Upon joining an existing domain, new NuoDB Admin Processes will be provided with the storage passwords known by the domain. If the domain is fully restarted, the domain administrator must provide NuoDB Admin with the storage password in effect when each TDE-enabled database was shut down, before that database can be restarted.

NuoDB Admin does not write the storage password to disk but it will store a one-way hash of the storage password into the raft log. The storage password cannot be recovered from this hashed value and so the hashed value cannot be used to start a database; it is used to verify that the domain administrator knows the current storage password before it can be changed.

The storage password is necessary, but not sufficient, to allow decryption of the archive: additional encryption information is stored in the archive itself, in the state.dat file. If this file is lost or corrupted then the archive cannot be recovered, even if the storage password is known and the rest of the archive is still available.

The preferred solution for an unrecoverable archive is either to remove it and allow it to be synced from another SM in the database, or if that is not possible to recover the archive from backup and restart the database using the recovered copy.

To preserve the possibility of decrypting the archive when the state.dat file is lost or corrupted, you can run nuoarchive check --show-archive-history <archive-dir> and preserve the generated XML output. There is no way for users to rebuild the state.dat file from this XML output: in the event of this last resort you will have to contact NuoDB Support for assistance, and provide them with the XML file.

When the encryption type is changed using the ALTER DATABASE CHANGE ENCRYPTION command, SMs and TEs will immediately start using the new encryption type for all data written to disk. In addition, SMs will start converting their archives to the new encryption type in the background. The SMs will attempt to ensure that this conversion doesn’t adversely impact the normal operation of the database, so the encryption may take some time to complete for larger archives.

If the SM is restarted while encryption is in progress, the encryption will automatically start from where it left off and run to completion. It is not necessary to wait for the conversion to complete before changing the encryption type again: the previous conversion will be canceled and the new conversion started. For example, it is possible to enable encryption then disable it again, before the encryption had completed.

The state of encryption for each node can be monitored by querying the disk_encryption column in the system.nodes SQL table. While encryption is in progress the disk_encryption column will contain both the encryption type and a percentage of the archive which has been encrypted. When encryption is complete disk_encryption will contain only the cipher name.

Backups created from databases with TDE enabled will also be encrypted. The storage password for the backup will be the one in effect when it was created. A backup set may have a different storage password for different backup elements if the storage password was changed while the backup set was active. The storage password(s) required to decrypt the backup should be placed into escrow at the same time as the backup, to ensure it can be recovered.

When restoring a backup set with TDE enabled, nuoarchive restore will ask for the storage password.