How TiDB Ensures Data Security

This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: TIDB是如何保证数据安全的

| username: 小于同学

To improve efficiency, please provide the following information. A clear problem description will help resolve the issue more quickly:

[Overview] I would like to know how TiDB addresses security issues. Are there any components for data encryption?

| username: tidb菜鸟一只 | Original post link

Currently, you can enable TLS encryption for transmission:

For data file encryption, there is encryption at rest:

If you want to encrypt data, it is recommended to perform encryption and decryption at the application level.

| username: TiDBer_RjzUpGDL | Original post link

First, TiDB supports static encryption, which means data is encrypted when stored. This can be done at the SSD drive, file system, or cloud provider level, but TiDB goes a step further by encrypting data before it is stored. This means that even if an attacker gains physical access to the machine, they cannot access the data by copying files from the disk because the data is already encrypted before storage. This encryption method requires attackers to authenticate through the database to access the data.

In a TiDB cluster, different components use different encryption methods. For example, components like TiKV, TiFlash, PD, and Backup & Restore (BR) support various encryption methods. TiKV and TiFlash nodes primarily store user data, while PD nodes store some metadata, such as secondary index keys used as TiKV Region boundaries. These components all support data encryption to ensure data security.

Additionally, TiDB enhances network security by setting up a whitelist through firewall iptables, establishing mutual trust between PD hosts, and rejecting external access.

Regarding inter-component communication, TiDB supports encrypted transmission. Once enabled, encrypted transmission is used between TiDB and TiKV, PD, TiKV and PD, TiDB Control and TiDB, TiKV Control and TiKV, PD Control and PD, and other components to ensure data security during transmission. Configuring encrypted transmission requires preparing the appropriate certificates and ensuring that the certificates can mutually verify each other.

In summary, TiDB addresses security issues through various methods and components, including data encryption and encrypted transmission strategies. These measures collectively enhance the security of the TiDB database, making it better equipped to handle various security threats and challenges.

| username: yulei7633 | Original post link

TiKV persistence uses Raft with at least three replicas to ensure data consistency and also guarantees that data is safe and not lost.

| username: TIDB-Learner | Original post link

Safety first

| username: 哈喽沃德 | Original post link


| username: system | Original post link

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.