- Connect to your MySQL Server from MySQL Workbench.
- Use MySQL Workbench to create a new database table with Transparent Data Encryption (TDE) enabled. This generates an AES-256 key on the KMES Series 3 that serves as the master encryption key for MySQL TDE.
- Insert example data into the table and list the contents to verify that the data is decrypted transparently.
- Confirm that we can successfully rotate the master encryption key stored on the KMES.
Connect to the instance
Perform the following steps to connect to your MySQL Server instance by using MySQL Workbench:Open Database Connection Window: On the MySQL Workbench dashboard, locate the MySQL Connections section and select the [+] button.
Input Connection Details: In the Setup New Connection window, input the details of your MySQL server connection.
| Option | Description or required configuration |
|---|---|
| Connection Name | A label for your reference. |
| Connection Method | Typically, select Standard (TCP/IP) for connecting to a standard MySQL server. Other methods are available, such as TCP/IP over SSH or a local socket/pipes for local connections. |
| Hostname | The IP address or domain name of the MySQL server you’re connecting to. If your MySQL server is on the same machine as your MySQL Workbench, you can use localhost. |
| Port | The port number that the MySQL server is listening on. The default MySQL port is 3306. |
| Username | The username you use to authenticate with the MySQL server. |
| Password | If your account requires a password, select [ Store in Vault… ] to enter and save your password |
Test connection: After you enter the preceding details, select [ Test Connection ] to ensure that your settings are correct and that MySQL Workbench can reach the MySQL server.
Create a database table
Perform the following steps to create a new database table with TDE enabled:Insert data into the table
Perform the following steps to insert sample data into the table:Verify the data
Perform the following steps to verify the data is decrypted transparently:
From the user perspective, using Transparent Data Encryption (TDE) is indeed transparent: data is automatically decrypted when you select it, and you won’t see any difference compared to unencrypted data. TDE is about securing data at rest—that is, the data files on disk are encrypted. When data is read from disk into memory, it’s automatically decrypted by the MySQL server. When data is written back to disk, it’s automatically encrypted. So, as a user, you won’t see any difference between encrypted and unencrypted data when you’re querying it. The encryption doesn’t affect the data itself, just how the data is stored on disk. The purpose of TDE is to protect data if someone gets unauthorized access to the raw database files on the disk.
Rotate the master key
Perform the following steps to rotate the TDE master key:
The process of key rotation doesn’t re-encrypt existing data with the new key—it just uses the new key for new encryptions. You must retain the old versions of the key as long as there is data that they encrypted.