Configuring Transparent Data Encryption
Transparent Data Encryption (TDE) allows user data to be encrypted before being written to disk. Before encryption can be enabled on a database, the domain administrator must configure a storage password for the database. All SMs and TEs in the database will use this storage password as a key to secure the encrypted data. The storage password can be initialized or changed at any time, whether the database is running or not. If a storage password is already configured for the database it must be supplied in order to change to a different storage password.
To enable TDE on a database, a storage password must be added using NuoDB Admin. The database must exist but may or may not be running.
$ nuocmd update data-encryption --db-name <DB-name> \ --new-password <password> \ --is-initial-password
Now that the database has a storage password, encryption can be enabled and disabled using the ALTER DATABASE CHANGE ENCRYPTION TYPE command. Database administrator privileges are required in order to use this command.
To encrypt the database, set the encryption type to
SQL> alter database change encryption type AES128;
To decrypt the database, set the encryption type to
SQL> alter database change encryption type NONE;
Any SMs and TEs which are not running when the encryption type is changed will change their encryption type automatically when they are started. The database always has the same encryption type on all nodes.
The current encryption type of the database can be determined by querying the
system.nodes system table.
SQL> select startid,address,type,disk_encryption from system.nodes; STARTID ADDRESS TYPE DISK_ENCRYPTION ------- ---------- ----------- ---------------- 0 172.18.0.2 Storage AES128 2 172.18.0.3 Storage AES128 1 172.18.0.2 Transaction AES128 3 172.18.0.3 Transaction AES128
The example above shows that the encryption type has been set to
AES128 for this database, and all background encryption has been completed.
If SMs are in the process of encrypting their archives, the percentage of data that has been encrypted will be shown in the
DISK_ENCRYPTION column; for example:
SQL> select startid,address,type,disk_encryption from system.nodes; STARTID ADDRESS TYPE DISK_ENCRYPTION ------- ---------- ----------- ------------------ 0 172.18.0.2 Storage AES128 50.67% 2 172.18.0.3 Storage AES128 62.11% 1 172.18.0.2 Transaction AES128 3 172.18.0.3 Transaction AES128
If the database is not encrypted,
DISK_ENCRYPTION will contain
Decryption of archives will also proceed in the background; in that case the
disk_encryption column will show the percentage complete for decryption.
nuoarchive tool can be used to verify the storage password that a non-running archive is encrypted with.
If the archive is encrypted,
nuoarchive will prompt for the storage password when run on the archive:
$ nuoarchive check /var/opt/nuodb/archive/mydb Enter Storage Password: ... [INFO ] nuochk: Archive verification found no issues.
Alternatively, the storage password may be provided to
nuoarchive via the
NUODB_STORAGE_PASSWORD environment variable.
To change the storage password for a TDE-enabled database, the current storage password must be specified with the
$ nuocmd update data-encryption --db-name <DB-name> \ --current-password <current-password> \ --new-password <new-password> \ --existing-passwords <old-password-1> <...> <old-password-n>
The current storage password is verified (see the note below) before the database’s storage password is updated.
Any SMs that are not running when the storage password is changed will update their storage password when they are started.
Database archives do not need to be re-encrypted when the storage password is changed: it happens immediately so the
data_encryption column of the
system.nodes table will not show a percentage complete.
All passwords that are used to encrypt any archive which belongs to the database must be provided using the
--existing-passwords option during password rotation.
NuoDB Admin will automatically add the current password to the specified list of existing passwords.
Common situations that require adding existing passwords are:
An SM is not in a RUNNING state when two or more subsequent TDE password rotations were performed
The database archive has been restored from a backup that was encrypted with a password different from the current one
Each AP in the domain preserves in memory all storage passwords that have been configured since the domain started.
When a new AP joins the domain it is provided with all storage passwords known to the domain.
If the entire domain is stopped, all storage passwords are forgotten: no storage passwords will be present when the domain restarts.
In this situation the domain administrator must use the
update data-encryption command to re-add storage passwords before encrypted databases can be restarted.
Storage passwords are never made durable; however a one-way salted hash of the current storage password is saved in the NuoDB Admin Raft log.
It is not possible to recover the storage password from this hash, but it will be used to verify that passwords provided to
Normally all archives in a database will use the current storage password for that database. However, if an archive is offline when the storage password is changed, or if an archive is restored from an encrypted hot copy created with a different storage password, the domain will need to know the older storage password(s) as well.
If the domain does not have the storage password needed to start an SM, the domain administrator must add older required storage passwords using the
--existing-passwords argument to
--new-password option must also be provided, it may have the same value as the
--current-password to avoid changing the current storage password:
$ nuocmd update data-encryption --db-name <DB-name> \ --current-password <current-password> \ --new-password <current-password> \ --existing-passwords <old-password-1> <...> <old-password-n>