MySQL Enterprise TDE
This document provides instructions for integrating MySQL Enterprise TDE with the Futurex KMES Series 3 through KMIP. For additional questions about your KMES Series 3 device, refer to the KMES Series 3 user guide.
MySQL Enterprise Edition, offered by Oracle Corporation as part of the Oracle enterprise portfolio, is a commercial version of MySQL, an open-source relational database management system.
MySQL Enterprise includes the core MySQL Server along with additional enterprise-grade features, tools, and services that provide enhanced performance, security, and uptime, compared to the community edition. It serves businesses that want to use MySQL as part of their IT infrastructure but require additional features (such as Transparent Data Encryption (TDE)) or support levels that the community edition doesn't provide.
Key components of MySQL Enterprise Edition include the following products:
- MySQL Enterprise Server
- MySQL Enterprise Backup
- MySQL Enterprise Monitor
- MySQL Enterprise Security
- MySQL Enterprise Scalability
- MySQL Enterprise Authentication
- MySQL Enterprise Firewall
- MySQL Enterprise Audit
- MySQL Enterprise High Availability
- MySQL Router
- MySQL Workbench
- MySQL Technical Support
Key Management Interoperability Protocol (KMIP) is an extensible communication protocol that defines message formats for manipulating cryptographic keys on a key management server. This facilitates data encryption by simplifying encryption key management. You can create keys on a server and then retrieve them, possibly wrapped by other keys. It supports both symmetric and asymmetric keys and certificate signing. KMIP also enables clients to ask a server to encrypt or decrypt data, without needing direct access to the key.
MySQL Enterprise TDE enables data-at-rest encryption by encrypting the physical files of the database. It encrypts data automatically, in real-time, before writing to storage and decrypts it when reading from storage. As a result, hackers and malicious users cannot read sensitive data directly from database files. MySQL Enterprise TDE uses industry-standard AES algorithms.
MySQL Enterprise TDE includes the following file encryption coverage:
MySQL Enterprise TDE uses a two-tier encryption key architecture, consisting of a master encryption key and tablespace keys, providing easy key management and rotation. You can manage tablespace keys automatically over secure protocols and store the master encryption key in a centralized key management solution (such as the KMES Series 3). By integrating with an external key management system, MySQL enforces a clear separation of keys from encrypted data.
Database table encryption and decryption occur without any additional coding, data type, or schema modifications. Also, users and applications continue to access data transparently, without changes. MySQL Enterprise TDE gives developers and DBAs the flexibility to encrypt and decrypt tables and access MySQL tables that are not encrypted.
This guide covers the following tasks:
- Configure TLS certificates for mutual authentication.
- Create a role and identity on the KMES Series 3 for MySQL.
- Install the keyring_okv KMIP plugin on MySQL Enterprise.
- Enable and test TDE in MySQL Workbench.
The following sections show you how to perform these tasks.