Transparent Data Encryption
CelerData supports protecting your data in an elastic cluster with Transparent Data Encryption (TDE).
Overview
Transparent Data Encryption (TDE) protects database data at rest. The database engine encrypts data as it is written to object storage and decrypts it as it is read back, so the process is transparent to users and applications, which need no modification. TDE is a storage-layer control: it protects the stored files, not what an authenticated database user is permitted to query, which remains the job of the database's own access controls.
The primary advantages of TDE include:
- Compliance Requirements: TDE helps companies meet regulatory requirements, such as GDPR and HIPAA, by ensuring that stored sensitive data is encrypted.
- Reduced Risk of Data Breach: Even if the files on object storage are illegally accessed or copied, they cannot be read without the encryption keys.
- Ease of Use: TDE is transparent to applications, which need no changes to benefit from it.
When TDE is enabled, all user data is encrypted on object storage. The encryption keys are managed by AWS KMS.
The encryption and decryption process is as follows:
- Users specify the Master Key (an AWS KMS key) when creating a cluster.
- CelerData uses the Master Key to generate the Key Encryption Key (KEK) and rotates the KEK periodically.
- For each new data file, a fresh Data Encryption Key (DEK) is generated and wrapped (encrypted) with the KEK. The plaintext DEK is used to encrypt the data file; the wrapped DEK (the ciphertext part) is stored in the file's metadata. No two data files share a DEK.
- When users access data, CelerData reads the wrapped DEK from the metadata, unwraps it with the KEK to recover the plaintext DEK, and uses the plaintext DEK to decrypt the data file.
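The key hierarchy above, worked through end to end in Python. This is an added example, not CelerData's code: FakeKms stands in for AWS KMS and imitates only the GenerateDataKey and Decrypt behaviour the design relies on, an HMAC-SHA256 construction (counter-mode keystream plus an HMAC tag) stands in for AES-GCM so the file runs on the standard library alone, and the file metadata is assumed to record which KEK generation wrapped each DEK, which is what lets the KEK rotate without rewriting files already on storage. The counters are named after the metrics listed under Observability; the key ARN and file names are constructed.

```python
"""Envelope-encryption walk-through of the TDE key hierarchy described above. Added example, not
CelerData code: the cipher is a standard-library stand-in for AES-GCM (HMAC-SHA256 in counter mode
plus an HMAC tag) and FakeKms imitates only the GenerateDataKey/Decrypt behaviour the design needs."""
import hashlib, hmac, os
from collections import Counter, namedtuple

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 12, 32

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(key: bytes, nonce: bytes, aad: bytes, ct: bytes) -> bytes:
    return _prf(_prf(key, b"mac"), nonce + len(aad).to_bytes(4, "big") + aad + ct)

def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Stand-in AEAD: nonce || ciphertext || tag, the tag binding nonce, aad and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _tag(key, nonce, aad, ct)

def aead_decrypt(key: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, nonce, aad, ct)):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

class FakeKms:
    def __init__(self):
        self._master_key = os.urandom(KEY_LEN)  # never handed to callers
    def generate_data_key(self, key_arn: str):  # like KMS GenerateDataKey: (plaintext, wrapped)
        plaintext = os.urandom(KEY_LEN)
        return plaintext, aead_encrypt(self._master_key, plaintext, key_arn.encode())
    def decrypt(self, key_arn: str, wrapped: bytes) -> bytes:  # like KMS Decrypt
        return aead_decrypt(self._master_key, wrapped, key_arn.encode())

# Object storage gets the ciphertext; metadata gets the wrapped DEK and the KEK generation (assumed field).
FileRecord = namedtuple("FileRecord", "ciphertext wrapped_dek kek_id")

class TdeEngine:
    def __init__(self, kms: FakeKms, master_key_arn: str):
        self.kms, self.master_key_arn = kms, master_key_arn
        self.keks, self.kek_id = {}, 0  # kek_id -> [plaintext KEK or None, wrapped KEK]
        self.dek_cache = {}             # file name -> plaintext DEK (encryption_keys_in_cache)
        self.metrics = Counter()        # keyed by the metric names listed under Observability
        self.rotate_kek()

    def rotate_kek(self):  # new KEK generation; older ones stay for unwrapping older DEKs
        plaintext, wrapped = self.kms.generate_data_key(self.master_key_arn)
        self.kek_id += 1
        self.keks[self.kek_id] = [plaintext, wrapped]

    def _kek(self, kek_id: int) -> bytes:
        entry = self.keks[kek_id]
        if entry[0] is None:  # plaintext lost (e.g. after a restart): recover it through KMS
            entry[0] = self.kms.decrypt(self.master_key_arn, entry[1])
        return entry[0]

    def write_file(self, name: str, data: bytes) -> FileRecord:
        dek = os.urandom(KEY_LEN)  # fresh DEK for every data file
        self.metrics["encryption_keys_created"] += 1
        wrapped_dek = aead_encrypt(self._kek(self.kek_id), dek, name.encode())
        ciphertext = aead_encrypt(dek, data, name.encode())
        self.metrics["encryption_bytes"] += len(data)
        self.dek_cache[name] = dek
        return FileRecord(ciphertext, wrapped_dek, self.kek_id)

    def read_file(self, name: str, rec: FileRecord) -> bytes:
        dek = self.dek_cache.get(name)
        if dek is None:  # unwrap with the KEK generation recorded in metadata
            dek = aead_decrypt(self._kek(rec.kek_id), rec.wrapped_dek, name.encode())
            self.metrics["encryption_keys_unwrapped"] += 1
            self.dek_cache[name] = dek
        data = aead_decrypt(dek, rec.ciphertext, name.encode())
        self.metrics["decryption_bytes"] += len(data)
        return data

    def restart(self):  # plaintext keys are gone; only wrapped KEKs and file metadata survive
        self.keks = {k: [None, wrapped] for k, (_, wrapped) in self.keks.items()}
        self.dek_cache.clear()

def demo() -> dict:
    engine = TdeEngine(FakeKms(), "arn:aws:kms:us-east-1:111122223333:key/example")  # constructed ARN
    rec1 = engine.write_file("t1/seg_0001.dat", b"row data one")
    engine.rotate_kek()  # periodic KEK rotation between the two writes
    rec2 = engine.write_file("t1/seg_0002.dat", b"row data two")
    engine.restart()     # every plaintext key is gone; the reads below go back through KMS
    out = (engine.read_file("t1/seg_0001.dat", rec1), engine.read_file("t1/seg_0002.dat", rec2))
    blocked = False
    try:  # a thief with the files, the metadata and even the wrapped KEK, but a different Master Key
        FakeKms().decrypt(engine.master_key_arn, engine.keks[rec1.kek_id][1])
    except ValueError:
        blocked = True
    return {"plaintexts": out, "kek_ids": (rec1.kek_id, rec2.kek_id), "theft_blocked": blocked,
            "keys_in_cache": len(engine.dek_cache), **engine.metrics}
```

Two properties of the design show up in `demo()`: after `restart()` the reads succeed only because the wrapped KEK can be sent back to KMS, so KMS availability and the key policy sit on the read path of a freshly started node; and a copy of the data files, their metadata and the wrapped KEK is useless to anyone whose KMS holds a different Master Key.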
Usage
You can enable Transparent Data Encryption for an elastic cluster only when you deploy the cluster; it cannot be turned on later. For more information, see Deployment on AWS.
To enable Transparent Data Encryption, you must specify the region and ARN of your AWS KMS key. If you use an assumed IAM role instead of an instance profile to access AWS, you must also provide the IAM role ARN so that CelerData can access the key in KMS. For a comparison of the two authentication methods, see Comparison between authentication methods.
KMS manages the Master Key and generates the KEK through its GenerateDataKey API. The Master Key itself never leaves KMS, and CelerData does not store or cache it.
For more instructions on how to create a KMS key, see Create a KMS key.
Observability
CelerData provides a variety of metrics for monitoring the Transparent Data Encryption feature.
encryption_keys_created
- Unit: -
- Type: Cumulative
- Description: Number of Data Encryption Keys (DEKs) created for file encryption.
encryption_keys_unwrapped
- Unit: -
- Type: Cumulative
- Description: Total number of key unwrap operations, that is, DEKs decrypted from the ciphertext part stored in metadata.
encryption_keys_in_cache
- Unit: -
- Type: Instantaneous
- Description: Number of encryption keys currently in the key cache.
encryption_bytes
- Unit: Byte
- Type: Cumulative
- Description: Total number of bytes encrypted.
decryption_bytes
- Unit: Byte
- Type: Cumulative
- Description: Total number of bytes decrypted.
Limitations
- Currently, Transparent Data Encryption is only supported in elastic clusters.
- Transparent Data Encryption cannot be enabled on an existing cluster, and the Master Key configuration cannot be modified after deployment. Because every KEK, and through it every DEK, is wrapped under the Master Key, the cluster's data stays readable only while that KMS key remains enabled and accessible to the cluster; plan the key's lifecycle and key policy accordingly.
- Enabling Transparent Data Encryption can cause a performance loss of less than 10%.