Configuring Transparent Data Encryption

Transparent Data Encryption (TDE) allows user data to be encrypted before being written to disk. Before encryption can be enabled on a database, the domain administrator must configure a storage password for the database. All SMs and TEs in the database will use this storage password as a key to secure the encrypted data. The storage password can be initialized or changed at any time, whether the database is running or not. If a storage password is already configured for the database it must be supplied in order to change to a different storage password.

Setting up Transparent Data Encryption

To enable TDE on a database, a storage password must be added using NuoDB Admin. The database must exist but may or may not be running.

$ nuocmd update data-encryption --db-name <DB-name> \
    --new-password <password> \

Now that the database has a storage password, encryption can be enabled and disabled using the ALTER DATABASE CHANGE ENCRYPTION TYPE command. Database administrator privileges are required in order to use this command.

To encrypt the database, set the encryption type to AES128:

SQL> alter database change encryption type AES128;

To decrypt the database, set the encryption type to NONE:

SQL> alter database change encryption type NONE;

Any SMs and TEs which are not running when the encryption type is changed will change their encryption type automatically when they are started. The database always has the same encryption type on all nodes.

Confirming that TDE is enabled

The current encryption type of the database can be determined by querying the system.nodes system table.

SQL> select startid,address,type,disk_encryption from system.nodes;

 ------- ---------- ----------- ----------------

    0 Storage         AES128
    2 Storage         AES128
    1 Transaction     AES128
    3 Transaction     AES128

The example above shows that the encryption type has been set to AES128 for this database, and all background encryption has been completed. If SMs are in the process of encrypting their archives, the percentage of data that has been encrypted will be shown in the DISK_ENCRYPTION column; for example:

SQL> select startid,address,type,disk_encryption from system.nodes;

 ------- ---------- ----------- ------------------

    0 Storage       AES128 50.67%
    2 Storage       AES128 62.11%
    1 Transaction   AES128
    3 Transaction   AES128

If the database is not encrypted, DISK_ENCRYPTION will contain NONE. Decryption of archives will also proceed in the background; in that case the disk_encryption column will show the percentage complete for decryption.

The nuoarchive tool can be used to verify the storage password that a non-running archive is encrypted with. If the archive is encrypted, nuoarchive will prompt for the storage password when run on the archive:

$ nuoarchive check /var/opt/nuodb/archive/mydb
Enter Storage Password:
[INFO ] nuochk: Archive verification found no issues.

Alternatively, the storage password may be provided to nuoarchive via the NUODB_STORAGE_PASSWORD environment variable.

Change the Storage Password for a Database

To change the storage password for a TDE-enabled database, the current storage password must be specified with the --current-password argument:

$ nuocmd update data-encryption --db-name <DB-name> \
    --current-password <current-password> \
    --new-password <new-password> \
    --existing-passwords <old-password-1> <...> <old-password-n>

The current storage password is verified (see the note below) before the database’s storage password is updated. Any SMs that are not running when the storage password is changed will update their storage password when they are started. Database archives do not need to be re-encrypted when the storage password is changed: it happens immediately so the data_encryption column of the system.nodes table will not show a percentage complete.

All passwords that are used to encrypt any archive which belongs to the database must be provided using the --existing-passwords option during password rotation. NuoDB Admin will automatically add the current password to the specified list of existing passwords. Common situations that require adding existing passwords are:

  • An SM is not in a RUNNING state when two or more subsequent TDE password rotations were performed

  • The database archive has been restored from a backup that was encrypted with a password different from the current one

Lifetime of the Storage Password

Each AP in the domain preserves in memory all storage passwords that have been configured since the domain started. When a new AP joins the domain it is provided with all storage passwords known to the domain. If the entire domain is stopped, all storage passwords are forgotten: no storage passwords will be present when the domain restarts. In this situation the domain administrator must use the update data-encryption command to re-add storage passwords before encrypted databases can be restarted.

Storage passwords are never made durable; however a one-way salted hash of the current storage password is saved in the NuoDB Admin Raft log. It is not possible to recover the storage password from this hash, but it will be used to verify that passwords provided to update data-encryption --current-password are correct even after domain restart.

Normally all archives in a database will use the current storage password for that database. However, if an archive is offline when the storage password is changed, or if an archive is restored from an encrypted hot copy created with a different storage password, the domain will need to know the older storage password(s) as well.

If the domain does not have the storage password needed to start an SM, the domain administrator must add older required storage passwords using the --existing-passwords argument to update data-encryption. Although the --new-password option must also be provided, it may have the same value as the --current-password to avoid changing the current storage password:

$ nuocmd update data-encryption --db-name <DB-name> \
    --current-password <current-password> \
    --new-password <current-password> \
    --existing-passwords <old-password-1> <...> <old-password-n>