MySQL Enterprise Transparent Data Encryption (TDE)
MySQL Enterprise Transparent Data Encryption (TDE) protects your critical data by enabling data-at-rest encryption in the database. It protects the privacy of your information, prevents data breaches and helps meet regulatory requirements including:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
- California Consumer Protection Act (CCPA)
- And more
Data at Rest Encryption
MySQL Enterprise TDE enables data-at-rest encryption by encrypting the physical files of the database. Data is encrypted automatically, in real time, before it is written to storage and decrypted when it is read from storage. As a result, hackers and malicious users are unable to read sensitive data directly from database files. MySQL Enterprise TDE uses industry-standard AES algorithms.
File encryption coverage:
- File-Per-Table Tablespace Encryption
- General Tablespace Encryption
- Doublewrite File Encryption
- MySQL System Tablespace Encryption
- Redo Log Encryption
- Undo Log Encryption
- Binary log and Relay Log Encryption
- Audit Log Encryption
Encryption Key Management and Rotation
MySQL Enterprise TDE uses a two-tier encryption key architecture, consisting of a master encryption key and tablespace keys, which provides easy key management and rotation. Tablespace keys are managed automatically over secure protocols, while the master encryption key is stored in a centralized key management solution such as:
OASIS KMIP protocol implementations:
- Oracle Key Vault
- Gemalto KeySecure
- Thales Vormetric Key Management Server
- Fornetix Key Orchestration
- Townsend Alliance Key Manager
- Entrust KeyControl
MySQL Enterprise TDE also supports HTTPS-based APIs for Key Management such as:
MySQL enforces clear separation of keys from encrypted data using these centralized key management solutions, which automate key rotation and the storage of historical keys.
Transparent Protection
Database table encryption and decryption occur without any additional coding, data type or schema modifications. Users and applications continue to access data transparently, without changes. MySQL Enterprise TDE gives developers and DBAs the flexibility to encrypt/decrypt existing MySQL tables that have not already been encrypted.
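The statements below are an added example, not taken from the original page. They show how encrypting existing tables and rotating the master key in the two-tier key architecture look in practice, together with a coverage audit. They assume MySQL 8.0.16 or later with a keyring already configured; the schema `app`, table `customers` and tablespace `ts_app` are hypothetical names.

```sql
-- Added example; `app`, `customers` and `ts_app` are hypothetical names.

-- 1. Confirm a keyring plugin is active. The master key lives in the keyring,
--    not in the data files. (If the keyring is loaded as a component rather
--    than a plugin, check performance_schema.keyring_component_status instead.)
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'keyring%';

-- 2. Audit: list InnoDB tablespaces that are still unencrypted on disk.
SELECT NAME, SPACE_TYPE, ENCRYPTION
FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
WHERE ENCRYPTION = 'N'
ORDER BY NAME;

-- 3. Encrypt an existing file-per-table table. No schema or application
--    change is needed, but the table is rebuilt (ALGORITHM=COPY), so plan
--    the operation for large tables.
ALTER TABLE app.customers ENCRYPTION = 'Y';

-- 4. Encrypt a general tablespace and the mysql system tablespace.
ALTER TABLESPACE ts_app ENCRYPTION = 'Y';
ALTER TABLESPACE mysql ENCRYPTION = 'Y';

-- 5. Make encryption the default for new schemas and tablespaces.
SET PERSIST default_table_encryption = ON;

-- 6. Extend coverage to redo logs, undo logs, and binary/relay logs.
SET PERSIST innodb_redo_log_encrypt = ON;
SET PERSIST innodb_undo_log_encrypt = ON;
SET PERSIST binlog_encryption = ON;

-- 7. Rotate the master keys. Only the tablespace keys (and binary log file
--    keys) are re-encrypted under the new master key; table data is not
--    rewritten, which is what keeps rotation cheap in the two-tier design.
ALTER INSTANCE ROTATE INNODB MASTER KEY;
ALTER INSTANCE ROTATE BINLOG MASTER KEY;

-- 8. Re-run the audit from step 2 and compare against the earlier result.
SELECT NAME, SPACE_TYPE, ENCRYPTION
FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
WHERE ENCRYPTION = 'N'
ORDER BY NAME;
```

Rotating the master keys requires the `ENCRYPTION_KEY_ADMIN` privilege (or `SUPER`), so the rotation duty can be granted separately from ordinary DBA accounts.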
High Performance
MySQL Enterprise TDE leverages database caching to achieve high performance and requires zero downtime to implement.