TDE (Transparent Data Encryption) stores all files that make up a database instance on disk in encrypted form (encryption of data at rest) and decrypts each block as it is read from disk. Data is unencrypted in memory.
TDE has the following characteristics:
The encryption is transparent from the application’s point of view.
It uses a single key to encrypt the whole cluster.
During startup, the server must be able to obtain the key that the database was initialized with. The key is supplied through a dedicated configuration parameter that names a custom key-retrieval command, so that site-specific security requirements (for example, fetching the key from a key management system) can be met. Internally, TDE uses the SM4 standard algorithm from GmSSL to encrypt and decrypt data blocks on disk.
lt_initdb takes the TDE key through the -K option. Before creating a database instance, you must provide a small program that lets the database read the key both during instance creation and at every startup.
Note that this key is never visible to anybody but the database server.
The key must be a 32 byte hexadecimal string (32 hex characters); otherwise an error is reported when the instance is initialized:
fatal: encryption key is too short, should be a 32 character hex key
Here is an example:
cat /somewhere/provide_key.sh
#!/bin/sh
echo 882fb7c12e80280fd664c69d2d636913
All that is required is a program that prints the key to stdout; make sure that LightDB is able to execute it:
chmod +x /somewhere/provide_key.sh
Create a database instance:
lt_initdb -p 5432 -D ./data -K /somewhere/provide_key.sh
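The following is an added example of a key provider script for the -K option, not LightDB's own code. Instead of embedding the key in the script, it reads the key from a separate file (the path /etc/lightdb/tde.key and the LIGHTDB_TDE_KEY_FILE variable are assumptions), refuses a key file that other users can read, and checks that the key is exactly 32 hex characters before printing it, so a bad key stops instance creation or startup rather than being silently accepted.

```shell
#!/bin/sh
# Key provider for lt_initdb -K / lightdb_encryption_key_command (added example).
# The key lives in a separate, owner-only readable file rather than in this
# script, which may be world-readable or checked into version control.
# KEY_FILE is an assumed path; adjust it for your deployment.
KEY_FILE="${LIGHTDB_TDE_KEY_FILE:-/etc/lightdb/tde.key}"

# validate_key: succeed only for exactly 32 hexadecimal characters, the
# format lt_initdb demands ("should be a 32 character hex key").
validate_key() {
    case "$1" in
        *[!0-9a-fA-F]*|'') return 1 ;;
    esac
    [ ${#1} -eq 32 ]
}

# check_key_file: succeed only if the file exists and has no group/other
# permission bits (mode 0400 or 0600), so other local users cannot read it.
check_key_file() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# provide_key: print the key to stdout (what LightDB reads), or write a
# diagnostic to stderr and return non-zero so the server does not proceed.
provide_key() {
    file="$1"
    if ! check_key_file "$file"; then
        echo "provide_key: $file is missing or not owner-only readable" >&2
        return 1
    fi
    key=$(head -n 1 "$file" | tr -d '[:space:]')
    if ! validate_key "$key"; then
        echo "provide_key: key in $file is not a 32 character hex string" >&2
        return 1
    fi
    printf '%s\n' "$key"
}

# Run only when invoked as the installed provider script, so the functions
# above can also be sourced and exercised on their own.
case "${0##*/}" in
    provide_key.sh) provide_key "$KEY_FILE" || exit 1 ;;
esac
```

Install it as /somewhere/provide_key.sh with `chmod 700`, create the key file with `chmod 400`, and pass the script to `lt_initdb -K` as shown above.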
You can use lt_controldata to determine whether the current instance uses transparent encryption; the encryption details appear at the end of the listing.
The GUC parameter lightdb_encryption_key_command is written to the lightdb.conf configuration file, which ensures that the TDE key is read again each time the database restarts.
Note that we don’t currently support in-place encryption of existing clusters. You will need to perform a dump and reload to an encrypted instance, or use logical replication to perform the migration online.