Configure Transparent Data Encryption

To enable TDE on a database, a storage password must be added using NuoDB Admin. The database must exist but may or may not be running.

Now that the database has a storage password, encryption can be enabled and disabled using the ALTER DATABASE change encryption type command. Database administrator privileges are required to use this command.

To encrypt the database, set the encryption type to AES128 or AES256. For example, to set the encryption type to AES128, run:

To decrypt the database, set the encryption type to NONE.

The encryption type for SMs and TEs that were not running when the encryption type was changed will update automatically when the SMs and TEs start. The database always has the same encryption type on all nodes.

To check the current encryption type of the database, query the NODES System Table.

For example:

Here, the encryption type for the database is AES128 and background encryption is complete.

If SMs are in the process of encrypting their archives, the percentage of data that has been encrypted will be shown in the DISK_ENCRYPTION column.

For example:

If the database is not encrypted, DISK_ENCRYPTION is NONE.

For example:

Here, the encryption type for the database is NONE and background decryption is complete.

Decryption of archives will also proceed in the background. If SMs are in the process of decrypting their archives, the percentage of data that has been decrypted will be shown in the DISK_ENCRYPTION column.

Use the nuoarchive tool to verify the storage password that a non-running archive is encrypted with.

If the archive is encrypted, nuoarchive check will prompt for the storage password when run on the archive.

For example:

Alternatively, the storage password may be provided to nuoarchive via the NUODB_STORAGE_PASSWORD environment variable.

To change the storage password for a TDE-enabled database, the current storage password must be specified with the --current-password argument:

The current storage password is verified (see the note below) before the database’s storage password is updated. Any SMs that are not running when the storage password is changed will update their storage password when they are started. Database archives do not need to be re-encrypted when the storage password is changed: it happens immediately so the data_encryption column of the system.nodes table will not show a percentage complete.

All passwords that are used to encrypt any archive which belongs to the database must be provided using the --existing-passwords option during password rotation. NuoDB Admin will automatically add the current password to the specified list of existing passwords. Common situations that require adding existing passwords are:

Each AP in the domain preserves in memory all storage passwords that have been configured since the domain started. When a new AP joins the domain, it is provided with all storage passwords known to the domain. If the entire domain is stopped, all storage passwords are forgotten: no storage passwords will be present when the domain restarts. In this situation the domain administrator must use the update data-encryption command to re-add storage passwords before encrypted databases can be restarted.

Normally, all archives in a database will use the current storage password for that database. However, if an archive is offline when the storage password is changed, or if an archive is restored from an encrypted hot copy created with a different storage password, the domain will need to know the older storage password(s) as well.

If the domain does not have the storage password needed to start an SM, the domain administrator must add older required storage passwords using the --existing-passwords argument to update data-encryption. Although the --new-password option must also be provided, it may have the same value as the --current-password to avoid changing the current storage password: