TDE

Last updated: 2024-05-09 15:16:31

Feature Background

As data security requirements become increasingly stringent, data protection laws in many countries and regions require that stored database data be encrypted. Encryption at rest limits the damage when data files or storage media are lost, stolen or copied: without the key, the files are unreadable to whoever obtains them.

Feature Overview

TencentDB for PostgreSQL provides Transparent Data Encryption (TDE), which encrypts and decrypts data without any change to how users access the database. It performs real-time I/O encryption and decryption of data files: data is encrypted before it is written to disk and decrypted when it is read from disk into memory, which satisfies compliance requirements for encryption of data at rest. The keys used for encryption are generated and managed by the Key Management Service (KMS).
KMS is the Tencent Cloud key service for protecting data and keys. All communication with the service uses secure protocols, and the service runs as a distributed cluster with hot backup for reliability and availability.
KMS uses a two-layer key hierarchy with two kinds of keys: Customer Master Keys (CMKs) and Data Keys. A CMK encrypts Data Keys, or small payloads such as passwords, certificates and configuration files (up to 4 KB), directly. Data Keys encrypt business data: large volumes of data are encrypted with a Data Key using a symmetric cipher during storage or transmission, while the Data Key itself is kept only in wrapped form, encrypted by a CMK that never leaves KMS. With this envelope-encryption design, a copied data file together with its wrapped Data Key cannot be decrypted without access to KMS and the CMK that wrapped the key.
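The two-layer key flow above, written out as an added example (not Tencent Cloud code and not the KMS API): a stand-in `KMS` type holds the CMK and only ever hands out Data Keys, the write path encrypts each file under a fresh Data Key and stores the wrapped key beside the ciphertext, and the read path must go back through KMS to unwrap it. AES-256-GCM, the `KMS` type, the context labels and the sample row are all assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Hypothetical context labels; they bind each ciphertext to its purpose so a
// wrapped key cannot be fed in where a data file is expected, or vice versa.
const (
	dataKeyAAD = "tde-demo:data-key"
	fileAAD    = "tde-demo:data-file"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAESGCM returns nonce || ciphertext || tag under a random nonce.
func sealAESGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAESGCM reverses sealAESGCM; any change to nonce, ciphertext, tag or aad
// makes it return an error instead of garbage.
func openAESGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KMS stands in for the Key Management Service. The CMK is unexported and no
// method returns it: callers only ever see Data Keys.
type KMS struct{ cmk []byte }

func NewKMS() (*KMS, error) {
	cmk := make([]byte, 32)
	if _, err := rand.Read(cmk); err != nil {
		return nil, err
	}
	return &KMS{cmk: cmk}, nil
}

// GenerateDataKey returns a fresh Data Key in plaintext for immediate use and
// the same key wrapped by the CMK for storage beside the data.
func (k *KMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = sealAESGCM(k.cmk, plain, []byte(dataKeyAAD))
	return plain, wrapped, err
}

// UnwrapDataKey is the only way to recover a Data Key from its wrapped form.
func (k *KMS) UnwrapDataKey(wrapped []byte) ([]byte, error) {
	return openAESGCM(k.cmk, wrapped, []byte(dataKeyAAD))
}

// EncryptedFile models what TDE leaves on disk: ciphertext plus the wrapped
// Data Key, which is useless to anyone who cannot call the owning KMS.
type EncryptedFile struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptFile is the write path: new Data Key, encrypt, keep only the wrapped key.
func EncryptFile(k *KMS, plaintext []byte) (*EncryptedFile, error) {
	dek, wrapped, err := k.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	ct, err := sealAESGCM(dek, plaintext, []byte(fileAAD))
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptFile is the read path: unwrap through KMS, then decrypt the file.
func DecryptFile(k *KMS, f *EncryptedFile) ([]byte, error) {
	dek, err := k.UnwrapDataKey(f.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openAESGCM(dek, f.Ciphertext, []byte(fileAAD))
}

func main() {
	kms, _ := NewKMS()
	row := []byte("constructed sample row: account=1001 balance=42.00")
	f, _ := EncryptFile(kms, row)
	got, err := DecryptFile(kms, f)
	fmt.Println("same KMS:", bytes.Equal(got, row), err)
	// A stolen data file reaching someone with a different CMK: the wrapped
	// Data Key does not unwrap, so the ciphertext stays opaque.
	other, _ := NewKMS()
	_, err = DecryptFile(other, f)
	fmt.Println("foreign KMS:", err)
}
```

The point to take from the failure case is that the wrapped Data Key stored with the file is not a secret that needs protecting on its own; what matters is who can call the KMS that holds the CMK, which is why access control on KMS is part of the TDE threat model.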

Supported Versions

Encryption functionality is supported for kernel minor versions equal to or higher than v10.17_r1.2, v11.12_r1.2, v12.7_r1.2, v13.3_r1.2, and v14.2_r1.0.

Scenarios

Transparent data encryption means that encryption and decryption are invisible to database users and applications. Data files are encrypted and decrypted in real time on I/O: data is encrypted before it is written to disk and decrypted when it is read from disk into memory, which meets compliance requirements for encryption of data at rest. The protection is against loss, theft or copying of the data files themselves. TDE does not replace access control, TLS for data in transit or application-level encryption: a client that can connect and has the SQL privileges sees plaintext exactly as before.

Notes

For the procedure to enable TDE on an instance, see Transparent Data Encryption.