Enable and test TDE in MySQL Workbench

7min
MySQL Workbench is a versatile visual tool for database design, SQL development, and server administration. It offers advanced data modeling, query building, and MySQL-specific features for easier management of MySQL databases.
This section demonstrates the following tasks:
Connect to your MySQL Server from MySQL Workbench.
Use MySQL Workbench to create a new database table with Transparent Data Encryption (TDE) enabled. This generates an AES-256 key on the KMES Series 3 that serves as the master encryption key for MySQL TDE. 
Insert example data into the table and list the contents to verify that the data is decrypted transparently.
Confirm that we can successfully rotate the master encryption key stored on the KMES.
Connect to your MySQL Server instance by using MySQL Workbench
1
Launch MySQL Workbench: Start the program on your computer to open the initial dashboard.
2
Open Database Connection Window: On the MySQL Workbench dashboard, locate the section titled MySQL Connections and select the [+] button.
3
Input Connection Details: In the Setup New Connection window, input the details of your MySQL server connection.
Option
Description or required configuration
﻿
Connection Name
A label for your reference.
﻿
Connection Method
Typically, select Standard (TCP/IP) for connecting to a standard MySQL server. There are other methods available, like TCP/IP over SSH, or a local socket/pipes for local connections.
﻿
Hostname
The IP address or domain name of the MySQL server you're connecting to. If your MySQL server is on the same machine as your MySQL Workbench, you can use localhost.
﻿
Port
The port number that the MySQL server is listening on. The default MySQL port is 3306.
﻿
Username
The username you use to authenticate with the MySQL server.
﻿
Password
If your account requires a password, select [ Store in Vault... ] to enter and save your password
﻿
4
Test connection: After you enter the preceding details, select [ Test Connection ] to ensure that your settings are correct and that MySQL Workbench can reach the MySQL server.
5
Connect: If the test succeeds, select [ OK ] to close the window and save the connection. Then, you can just double-click on the saved connection to connect to your MySQL server.
Create a new database table with TDE enabled
1
Open a new SQL tab for executing queries.
2
Run the following query to create a new encrypted table called t1 in the world schema/database, which is a sample database that comes pre-installed in MySQL:
MySQL
USE world;
CREATE TABLE t1 (column1 INT) ENCRYPTION='Y';
USE world;
CREATE TABLE t1 (column1 INT) ENCRYPTION='Y';
﻿
Alternatively, you can enable encryption for an existing table by using the following SQL query:
MySQL
ALTER TABLE t1 ENCRYPTION='Y';
ALTER TABLE t1 ENCRYPTION='Y';
﻿
Insert example data into the table
1
Open a new SQL tab for executing queries.
2
Run the following query to insert example data into the t1 table:
MySQL
USE world;
INSERT INTO t1 (column1) VALUES (10), (20), (30);
USE world;
INSERT INTO t1 (column1) VALUES (10), (20), (30);
﻿
Verify the data is decrypted transparently
1
Open a new SQL tab for executing queries.
2
Run the following query to retrieve the data you inserted into the t1 table:
MySQL
SELECT * FROM t1;
SELECT * FROM t1;
﻿
This should return the rows you just inserted, unencrypted.
From the user perspective, using Transparent Data Encryption (TDE) is indeed transparent: data is automatically decrypted when you select it, and you won't see any difference compared to unencrypted data. TDE is about securing data at rest—that is, the data files on disk are encrypted. When data is read from disk into memory, it's automatically decrypted by the MySQL server. When data is written back to disk, it's automatically encrypted. So, as a user, you won't see any difference between encrypted and unencrypted data when you're querying it. The encryption doesn't affect the data itself, just how the data is stored on disk. The purpose of TDE is to protect data if someone gets unauthorized access to the raw database files on the disk.
Rotate the TDE master key
1
Open a new SQL tab for executing queries.
2
Run the following query to rotate the TDE master key:
MySQL
ALTER INSTANCE ROTATE INNODB MASTER KEY;
ALTER INSTANCE ROTATE INNODB MASTER KEY;
﻿
3
Verify the rotation by inserting some new data into your encrypted table and then retrieving it:
MySQL
INSERT INTO t1 (column1) VALUES (40);
SELECT * FROM t1;
INSERT INTO t1 (column1) VALUES (40);
SELECT * FROM t1;
﻿
If the insert and select operations succeed, MySQL can use the new key to encrypt and decrypt data.
The process of key rotation doesn't re-encrypt existing data with the new key—it just uses the new key for new encryptions. You must retain the old versions of the key as long as there is data that was encrypted with them.
View the MySQL TDE master keys on the KMES
1
Log in to the KMES Series 3 application interface with the default Admin identities.
2
Go to Key Management > Keys. You can see the keys that MySQL TDE created through KMIP in its respective key group.
﻿
﻿
Install the keyring_okv KMIP plugin on MySQL Enterprise
Oracle Database TDE