MySQL Enterprise Transparent Data Encryption (TDE)
MySQL Enterprise Transparent Data Encryption (TDE) protects critical data by enabling data-at-rest encryption in the database. It preserves the confidentiality of stored data, limits what an attacker gains from stolen storage media or copied database files, and helps meet regulatory requirements including the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) and numerous others.
Data at Rest Encryption
MySQL Enterprise TDE enables data-at-rest encryption by encrypting the physical tablespace files of the database. Data is encrypted automatically, in real time, before it is written to storage and decrypted when it is read back, so an attacker who obtains tablespace files, file-level backups or the underlying disks cannot read the sensitive data in them without the encryption keys. The protection applies to storage only: pages decrypted into server memory and rows returned to an authenticated database session are in the clear, so TDE complements access control and privilege management rather than replacing them. MySQL Enterprise TDE uses the industry-standard AES algorithm.
Encryption Key Management and Rotation
MySQL Enterprise TDE uses a two-tier encryption key architecture, consisting of a master encryption key and per-tablespace keys, which keeps key management and rotation simple. Each tablespace key encrypts the data pages of one tablespace and is itself stored in that tablespace's header, encrypted under the master key. The master key is not kept on the database host; it is retrieved from a centralized key management solution, over the OASIS KMIP protocol for Oracle Key Vault, Gemalto KeySecure, Thales Vormetric key management server and Fornetix Key Orchestration, or from AWS KMS, which enforces clear separation of keys from encrypted data. Because data pages are encrypted with tablespace keys rather than with the master key directly, rotating the master key re-encrypts only the small tablespace keys and leaves the data pages untouched, so centralized key management solutions can automate master key rotation and retain historical keys for recovery.
Table encryption and decryption happen inside the storage engine, so no additional application code, data type or schema modifications are needed, and users and applications continue to access data transparently, without changes. MySQL Enterprise TDE gives developers and DBAs the flexibility to encrypt existing MySQL tables that were created unencrypted, and to decrypt encrypted ones, by changing the table's ENCRYPTION attribute.
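The two-tier key workflow and the encryption of existing tables described above, shown end to end on MySQL 8.0 as an added example (this is not code from the MySQL page). It assumes a KMIP keyring is already configured in my.cnf, and the database name, table names and configuration path are invented for illustration:

```sql
-- Added example, not part of the original page. Assumptions, all hypothetical:
--   * my.cnf already loads the KMIP keyring plugin, e.g.
--       early-plugin-load=keyring_okv.so
--       keyring_okv_conf_dir=/usr/local/mysql/mysql-keyring-okv
--     pointing at a KMIP server such as Oracle Key Vault.
--   * The `payments` schema and its tables exist only for this walkthrough.

-- 1. Confirm a keyring plugin is active. Without one, every ENCRYPTION='Y'
--    statement below fails, so check this before touching any table.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME LIKE 'keyring%';

-- 2. Create a table encrypted from the start. InnoDB generates a tablespace
--    key, wraps it with the master key obtained from the KMIP server and stores
--    the wrapped key in the .ibd header. No column or data-type change is needed.
CREATE DATABASE IF NOT EXISTS payments;
CREATE TABLE payments.card_tokens (
  id       BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  customer VARCHAR(64)     NOT NULL,
  token    VARBINARY(32)   NOT NULL
) ENCRYPTION='Y';

-- 3. Encrypt a table that was created without encryption. The ALTER rebuilds
--    the table with ALGORITHM=COPY so existing pages are rewritten encrypted;
--    budget for the rebuild time on large tables.
CREATE TABLE payments.legacy_orders (
  id     BIGINT UNSIGNED NOT NULL PRIMARY KEY,
  amount DECIMAL(10,2)   NOT NULL
);
ALTER TABLE payments.legacy_orders ENCRYPTION='Y';

-- 4. Rotate the master key (requires the ENCRYPTION_KEY_ADMIN privilege).
--    Only the per-tablespace keys are re-wrapped under the new master key; the
--    data pages are not rewritten, which is why this runs during normal operation.
ALTER INSTANCE ROTATE INNODB MASTER KEY;

-- 5. Verify that every tablespace expected to be encrypted reports ENCRYPTION='Y'.
SELECT NAME, ENCRYPTION
  FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
 WHERE NAME LIKE 'payments/%';
```

A worthwhile check after step 2 is to insert a recognisable string into card_tokens and run strings on the corresponding .ibd file under the data directory: the plaintext should no longer appear in the file, while the same row is still returned in clear to any session with SELECT privilege, which is exactly the boundary TDE draws. Note that tablespace encryption covers the .ibd files; in MySQL 8.0 the redo log, undo logs and binary log have their own encryption settings (innodb_redo_log_encrypt, innodb_undo_log_encrypt and binlog_encryption) that must be enabled separately if those files are also to be protected.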
MySQL Enterprise TDE leverages the database's buffer pool to achieve high performance: a page is decrypted once when it is read from disk and served from cache thereafter, so the encryption cost is paid on disk I/O rather than on every query. Enabling it requires no application downtime, although encrypting an existing table rebuilds that table and therefore takes time proportional to its size.