Note: If you want to trial Oracle Key Vault it can be downloaded from the Oracle Software Delivery Cloud at. rw-rw-r- 1 rob rob 1675 lip 7 18:49 key.pemįrom now on we will call this folder okv_enrollment. rw-rw-r- 1 rob rob 427 lip 7 18:49 okvclient.oraĭrwxrwxr-x 2 rob rob 4096 lip 7 18:49 ssl
Go to this link to find information on how to accomplish this:Īs the result you should have a configured endpoint in Oracle Key Vault and the configuration folder which should look like this: # ls -l This, of course, needs to be stored securely.
This folder will contain credentials to log into Oracle Key Vault. Once you are done with that, you will have to create a configuration folder for keyring_okv. Setting up MySQL TDE Get Oracle Key Vault Credentialsįirst you will need to set up an account in Oracle Key Vault and create an endpoint (the key storage that keyring_okv plugin will talk to). In this post, I will show you how easy it is to use this new feature to encrypt your InnoDB tables (requires a licensed version of the MySQL Enterprise Edition MySQL 5.7.11 or higher). It uses Electronic Codebook (ECB) block encryption mode for tablespace key encryption and Cipher Block Chaining (CBC) block encryption mode for data encryption. MySQL Enterprise TDE supports the Advanced Encryption Standard (AES) block-based encryption algorithm. MySQL does include tablespace encryption with the community version but that is not TDE as it doesn’t meet requirements #3 and #4 – the keys aren’t necessarily secured. Oracle Key Vault enables you to quickly deploy encryption and other security solutions by centrally managing encryption keys not only for MySQL, but across many things, including (but not limited to) Oracle Wallets, Java Keystores, and credential files.ġ – Applications aren’t aware of encryption – it is provided seamlessly and doesn’t require any changesĢ – The data is encrypted at-rest – so the operating system users or other access to the files on the media or the file system can’t read the data (without a key)ģ – The keys are secured, available and protected – you can’t leave the key in the door (or under the mat)Ĥ – The keys are never written to the filesystem (in plain text) To ensure your keys are available, secure, auditable, etc., you will want to use a key-vault management software application such as Oracle Key Vault. Losing keys (whether by accident, mismanagement, or getting hacked) means you lose your data. The protocol is KMIP and it comes from OASIS. There are various key vaults in the market and there’s also a common industry protocol supported by most vaults. This action is referred to as master-key rotation and it re-encrypts all of the tablespace keys in one atomic operation very rapidly (milliseconds). With a two-tiered scheme, the decrypted version of a tablespace key never changes, but the master encryption key may be changed as required. Databases and their tablespaces can get large, and had we chosen a single-tiered method, then key rotation would require re-encrypting entire tablespaces.
When the the user first enables TDE, and when the server starts up or when the master key is rotated – the master key is requested and updated from the key vault.
The master key nor any of the tablespace keys are ever written to disk in plain text. Using a key vault, this key ring is both persisted and protected. The master encryption key is stored in memory on the MySQL keyring. When encrypting tablespace data, InnoDB transparently uses the master encryption key to decrypt the tablespace key and then uses it to encrypt (on write) and decrypt (on read). When an InnoDB table is encrypted, a tablespace key is encrypted with the master key and the encrypted value of the tablespace key is stored in the tablespace header. MySQL Enterprise TDE uses a two-tier encryption key architecture, consisting of a master encryption key and tablespace keys. This feature provides at-rest encryption for physical tablespace data files. With MySQL version 5.7.11 and up, Oracle continues to improve MySQL’s security features by adding MySQL Enterprise Transparent Data Encryption (TDE) for InnoDB tables stored in innodb_file_per_table tablespaces.