From a26bc485399f0320fd05fbedf12eda5d25ada20c Mon Sep 17 00:00:00 2001 From: yikeke Date: Fri, 5 Jun 2020 12:42:29 +0800 Subject: [PATCH 1/8] rename; add enable-encrypt-stored-data.md --- TOC.md | 3 +- enable-encrypt-stored-data.md | 45 +++++++++++++++++++ ... enable-tls-between-clients-and-servers.md | 24 +++++----- enable-tls-between-components.md | 6 +-- 4 files changed, 64 insertions(+), 14 deletions(-) create mode 100644 enable-encrypt-stored-data.md rename encrypted-connections-with-tls-protocols.md => enable-tls-between-clients-and-servers.md (92%) diff --git a/TOC.md b/TOC.md index 623e5248fcb2a..17acc3f5622a5 100644 --- a/TOC.md +++ b/TOC.md @@ -69,8 +69,9 @@ - [Placement Rules](/configure-placement-rules.md) + Secure + Transport Layer Security (TLS) - - [Enable TLS For MySQL Clients](/encrypted-connections-with-tls-protocols.md) + - [Enable TLS for MySQL Clients and Servers](/enable-tls-between-clients-and-servers.md) - [Enable TLS Between TiDB Components](/enable-tls-between-components.md) + - [Enable encrypted data storage](/enable-encrypt-stored-data.md) - [Generate Self-signed Certificates](/generate-self-signed-certificates.md) - [Encryption-At-Rest](/encryption-at-rest.md) + Monitor diff --git a/enable-encrypt-stored-data.md b/enable-encrypt-stored-data.md new file mode 100644 index 0000000000000..cbc8bd6b8b904 --- /dev/null +++ b/enable-encrypt-stored-data.md 
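Review bot: The TOC entry text does not match the retitled page: the hunk labels the link "Enable TLS for MySQL Clients and Servers" while the renamed file in this same patch is titled "Enable TLS Between TiDB Clients and Servers"; use identical wording in both places. Also, the new "Enable encrypted data storage" entry and the existing "Encryption-At-Rest" entry are both at-rest topics, yet both sit under the "+ Transport Layer Security (TLS)" subsection; consider placing them directly under "+ Secure".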
@@ -0,0 +1,45 @@ +--- +title: 为 TiDB 开启数据加密存储 +summary: 介绍如何为 TiDB 开启数据加密存储。 +category: how-to +--- + +# 为 TiDB 开启数据加密存储 + +在 TiDB 集群中,用户的数据都存储在 TiKV 中,配置了 TiKV 数据加密存储功能,就代表 TiDB 集群已经加密存储了用户的数据。本部分主要介绍如何配置 TiKV 的加密存储功能。 + +## 操作流程 + +1. 生成 token 文件。 + + token 文件存储的是密钥,用于对用户数据进行加密,以及对已加密的数据进行解密。 + + {{< copyable "shell-regular" >}} + + ```bash + ./tikv-ctl random-hex --len 256 > cipher-file-256 + ``` + + > **注意:** + > + > TiKV 只接受 hex 格式的 token 文件,文件的长度必须是 2n,并且小于等于 1024。 + +2. 配置 TiKV。 + + ```toml + [security] + # Cipher file 的存储路径 + cipher-file = "/path/to/cipher-file-256" + ``` + +> **注意:** +> +> 若使用 [TiDB Lightning](/tidb-lightning/tidb-lightning-overview.md) 向集群导入数据,如果目标集群开启了加密功能,Lightning 生成的 SST 文件也必须是加密的格式。 + +## 使用限制 + +目前 TiKV 数据加密存储存在以下限制: + +- 对之前没有开启加密存储的集群,不支持开启该功能。 +- 已经开启加密功能的集群,不允许关闭加密存储功能。 +- 同一集群内部,不允许部分 TiKV 实例开启该功能,部分 TiKV 实例不开启该功能。对于加密存储功能,所有 TiKV 实例要么都开启该功能,要么都不开启该功能。这是由于 TiKV 实例之间会有数据迁移,如果开启了加密存储功能,迁移过程中数据也是加密的。 diff --git a/encrypted-connections-with-tls-protocols.md b/enable-tls-between-clients-and-servers.md similarity index 92% rename from encrypted-connections-with-tls-protocols.md rename to enable-tls-between-clients-and-servers.md index 7d9ccd9eeb890..258761e833bd0 100644 --- a/encrypted-connections-with-tls-protocols.md +++ b/enable-tls-between-clients-and-servers.md 
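Review bot: The new file is written in Chinese although it lands in the English docs tree; it needs translating before merge. In the TiKV note, "文件的长度必须是 2n" is ambiguous between "an even length" and "2 to the power of n"; hex encoding yields two characters per byte, so the intended constraint is most likely "even", and the translation should say so explicitly. The `cipher-file` path points at a plaintext key on disk: the doc should state that this file must be readable only by the user the TiKV process runs as, and that it must be backed up, because data encrypted with it cannot be decrypted without it.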
@@ -1,13 +1,13 @@ --- -title: Enable TLS for MySQL Clients +title: Enable TLS Between TiDB Clients and Servers summary: Use the encrypted connection to ensure data security. category: how-to -aliases: ['/docs/dev/how-to/secure/enable-tls-clients/'] +aliases: ['/docs/dev/how-to/secure/enable-tls-clients/','/docs/dev/encrypted-connections-with-tls-protocols/'] --- -# Enable TLS for MySQL Clients +# Enable TLS Between TiDB Clients and Servers -It is recommended to use the encrypted connection to ensure data security because non-encrypted connection might lead to an information leak. +Non-encrypted connection between TiDB's server and client is used by default, which enables third parties that monitor channel traffic to know the data sent and received between the server and the client, including but not limited to query content, query results, etc. If a channel is untrustworthy (such as if the client is connected to the TiDB server via a public network), then a non-encrypted connection is prone to information leakage. In this case, for security reasons, it is recommended to use an encrypted connection. The TiDB server supports the encrypted connection based on the TLS (Transport Layer Security). The protocol is consistent with MySQL encrypted connections and is directly supported by existing MySQL clients such as MySQL operation tools and MySQL drivers. TLS is sometimes referred to as SSL (Secure Sockets Layer). Because the SSL protocol has [known security vulnerabilities](https://en.wikipedia.org/wiki/Transport_Layer_Security), TiDB does not support it. TiDB supports the following versions: TLS 1.0, TLS 1.1, and TLS 1.2, TLS 1.3. 
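Review bot: The new opening sentence needs an article and has redundant phrasing: "A non-encrypted connection between the TiDB server and client is used by default ... including but not limited to query content and query results." ("including but not limited to" already covers "etc."). The added alias for the old path `/docs/dev/encrypted-connections-with-tls-protocols/` is the right way to keep existing links working after the rename. The unchanged paragraph below rejects SSL for known vulnerabilities yet lists TLS 1.0 and TLS 1.1 as supported; consider adding a sentence recommending TLS 1.2 or later.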
@@ -79,12 +79,6 @@ ssl-key = "certs/server-key.pem" If the certificate parameters are correct, TiDB outputs `secure connection is enabled` when started; otherwise, it outputs `secure connection is NOT ENABLED`. -## Reload certificate, key, and CA - -To replace the certificate, the key or CA, first replace the corresponding files, then execute the [`ALTER INSTANCE RELOAD TLS`](/sql-statements/sql-statement-alter-instance.md) statement on the running TiDB instance to reload the certificate ([`ssl-cert`](/tidb-configuration-file.md#ssl-cert)), the key ([`ssl-key`](/tidb-configuration-file.md#ssl-key)), and the CA ([`ssl-ca`](/tidb-configuration-file.md#ssl-ca)) from the original configuration path. In this way, you do not need to restart the TiDB instance. - -The newly loaded certificate, key, and CA take effect on the connection that is established after the statement is successfully executed. The connection established before the statement execution is not affected. - ## Configure the MySQL client to use encrypted connections The client of MySQL 5.7 or later versions attempts to establish an encrypted connection by default. If the server does not support encrypted connections, it automatically returns to unencrypted connections. The client of MySQL earlier than version 5.7 uses the unencrypted connection by default. 
@@ -181,3 +175,13 @@ The TLS versions, key exchange protocols and encryption algorithms supported by - TLS\_AES\_128\_GCM\_SHA256 - TLS\_AES\_256\_GCM\_SHA384 - TLS\_CHACHA20\_POLY1305\_SHA256 + +## Reload certificate, key, and CA + +To replace the certificate, the key or CA, first replace the corresponding files, then execute the [`ALTER INSTANCE RELOAD TLS`](/sql-statements/sql-statement-alter-instance.md) statement on the running TiDB instance to reload the certificate ([`ssl-cert`](/tidb-configuration-file.md#ssl-cert)), the key ([`ssl-key`](/tidb-configuration-file.md#ssl-key)), and the CA ([`ssl-ca`](/tidb-configuration-file.md#ssl-ca)) from the original configuration path. In this way, you do not need to restart the TiDB instance. + +The newly loaded certificate, key, and CA take effect on the connection that is established after the statement is successfully executed. The connection established before the statement execution is not affected. + +### See also + +- [Enable TLS Between TiDB Components](/enable-tls-between-components.md)。 \ No newline at end of file diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md index 9754e65a8dc40..39a135dcdae08 100644 --- a/enable-tls-between-components.md +++ b/enable-tls-between-components.md @@ -1,11 +1,11 @@ --- -title: Enable TLS Authentication and Encrypt the Stored Data -summary: Learn how to enable TLS authentication and encrypt the stored data in a TiDB cluster. +title: Enable TLS Between TiDB Components +summary: Learn how to enable TLS authentication between TiDB components. category: how-to aliases: ['/docs/dev/how-to/secure/enable-tls-between-components/'] --- -# Enable TLS Authentication and Encrypt the Stored Data +# Enable TLS Between TiDB Components This document introduces how to enable TLS authentication and encrypt the stored data in a TiDB cluster. From 46dd74397f58a7d49f6ae35b03294aa82225937e Mon Sep 17 00:00:00 2001 
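Review bot: The relocated "See also" block ends its link line with a CJK full stop "。" and the file now has no trailing newline ("\ No newline at end of file"); replace the "。" with "." or drop it, and add the newline. The heading is "### See also", which nests it under "## Reload certificate, key, and CA"; the sibling `sql-statements/sql-statement-alter-instance.md` uses "## See also", so promote it to H2 for consistency. Moving the reload section after the cipher-suite list is itself fine.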
From: yikeke Date: Fri, 5 Jun 2020 12:48:36 +0800 Subject: [PATCH 2/8] fix two links --- enable-tls-between-components.md | 2 +- sql-statements/sql-statement-alter-instance.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md index 39a135dcdae08..1935480e43fc9 100644 --- a/enable-tls-between-components.md +++ b/enable-tls-between-components.md @@ -140,7 +140,7 @@ This section describes how to enable TLS authentication in a TiDB cluster. TLS a ## Enable TLS authentication between the MySQL client and TiDB server -Refer to [Use Encrypted Connections](/encrypted-connections-with-tls-protocols.md). +Refer to [Enable TLS Between TiDB Clients and Servers](/enable-tls-between-clients-and-servers.md). ## Encrypt stored data diff --git a/sql-statements/sql-statement-alter-instance.md b/sql-statements/sql-statement-alter-instance.md index 86d51e99e4bb1..3fe5bc0e7030d 100644 --- a/sql-statements/sql-statement-alter-instance.md +++ b/sql-statements/sql-statement-alter-instance.md @@ -35,4 +35,4 @@ The `ALTER INSTANCE RELOAD TLS` statement only supports reloading from the origi ## See also -[Enable Client TLS](/encrypted-connections-with-tls-protocols.md). +[Enable TLS Between TiDB Clients and Servers](/enable-tls-between-clients-and-servers.md). From 30888d953e0d61b4c34efa68c1f52ff8465856e0 Mon Sep 17 00:00:00 2001 From: yikeke Date: Fri, 5 Jun 2020 13:52:15 +0800 Subject: [PATCH 3/8] Update enable-tls-between-components.md --- enable-tls-between-components.md | 112 ++++++++++--------------------- 1 file changed, 36 insertions(+), 76 deletions(-) diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md index 1935480e43fc9..857ec8b1b467c 100644 --- a/enable-tls-between-components.md +++ b/enable-tls-between-components.md 
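Review bot: The link fix is correct, but the context of the `enable-tls-between-components.md` hunk shows "## Encrypt stored data" still living in this file, while the first patch retitled the page to "Enable TLS Between TiDB Components" and created `enable-encrypt-stored-data.md` for that content; at this commit the page title, its intro sentence ("enable TLS authentication and encrypt the stored data") and the TOC disagree about where the at-rest material lives. Consider squashing the later move into the retitle commit so no intermediate commit is inconsistent.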
@@ -7,24 +7,20 @@ aliases: ['/docs/dev/how-to/secure/enable-tls-between-components/'] # Enable TLS Between TiDB Components -This document introduces how to enable TLS authentication and encrypt the stored data in a TiDB cluster. +This document describes how to enable encrypted data transmission between components within a TiDB cluster. Once enabled, encrypted transmission are used between the following components: -## Enable TLS Authentication +- TiDB and TiKV; TiDB and PD +- TiKV and PD +- TiDB Control and TiDB; TiKV Control and TiKV; PD Control and PD +- Internal communication within each TiKV, PD, TiDB cluster -This section describes how to enable TLS authentication in a TiDB cluster. TLS authentication can be applied to the following scenarios: +Currently, it is not supported to only enable encrypted transmission of some specific components. -- The **mutual authentication** between TiDB components, including the authentication among TiDB, TiKV, and PD; the authentication between TiDB Control and TiDB, between TiKV Control and TiKV, between PD Control and PD; the authentication between TiKV peers, and between PD peers. Once enabled, the mutual authentication applies to all components, rather than to part of the components. -- The **one-way** and **mutual authentication** between the TiDB server and the MySQL Client. - -> **Note:** -> -> The authentication between the MySQL Client and the TiDB server uses one set of certificates, while the authentication among TiDB components uses another set of certificates. - -## Enable mutual TLS authentication among TiDB components +## Configure and enable encrypted data transmission 1. Prepare certificates. - It is recommended to prepare a server certificate for TiDB, TiKV, and PD separately. Make sure that these components can authenticate each other. The clients of TiDB, TiKV, and PD share one client certificate. + It is recommended to prepare a server certificate for TiDB, TiKV, and PD separately. 
Make sure that these components can authenticate each other. The Control tools of TiDB, TiKV, and PD can choose to share one client certificate. You can use tools like `openssl`, `easy-rsa` and `cfssl` to generate self-signed certificates. @@ -74,11 +70,11 @@ This section describes how to enable TLS authentication in a TiDB cluster. TLS a key-path = "/path/to/pd-server-key.pem" ``` - After certificates are configured as above, mutual authentication among TiDB components is enabled. + Now, encrypted transmission among TiDB components is enabled. > **Note:** > - > If you have enabled TLS in a TiDB cluster when you connect to the cluster using tidb-ctl, tikv-ctl, or pd-ctl, you need to specify the client certificate. For example: + > After enabling encrypted transmission in a TiDB cluster, if you need to connect to the cluster using tidb-ctl, tikv-ctl, or pd-ctl, specify the client certificate. For example: {{< copyable "shell-regular" >}} 
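Review bot: This rewrite drops the note that authentication between the MySQL client and TiDB uses one set of certificates while authentication among TiDB components uses another; that is exactly the fact a reader needs in order not to reuse the client-facing certificate for cluster traffic, so keep it (for example right after the component list). Grammar in the added intro: "encrypted transmission is used" (singular). The added sentence "The Control tools of TiDB, TiKV, and PD can choose to share one client certificate" should mention the trade-off: a shared certificate means a shared Common Name, which the per-component Common Name lists later on this page cannot tell apart.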
@@ -98,84 +94,48 @@ This section describes how to enable TLS authentication in a TiDB cluster. TLS a ./tikv-ctl --host="127.0.0.1:20160" --ca-path="/path/to/ca.pem" --cert-path="/path/to/client.pem" --key-path="/path/to/clinet-key.pem" ``` -3. Configure Common Name. - - The Common Name is used for caller verification. In general, the callee needs to verify the caller's identity, in addition to verifying the key, the certificates, and the CA provided by the caller. For example, TiKV can only be accessed by TiDB, and other visitors are blocked even though they have legitimate certificates. It is recommended to mark the certificate user identity using `Common Name` when generating the certificate, and to check the caller's identity by configuring the `Common Name` list for the callee. - - - TiDB - - Configure in the configuration file or command line arguments: - - ```toml - [security] - cluster-verify-cn = [ - "TiDB-Server", - "TiKV-Control", - ] - ``` - - - TiKV +### Verify component caller's identity - Configure in the configuration file or command line arguments: +The Common Name is used for caller verification. In general, the callee needs to verify the caller's identity, in addition to verifying the key, the certificates, and the CA provided by the caller. For example, TiKV can only be accessed by TiDB, and other visitors are blocked even though they have legitimate certificates. - ```toml - [security] - cert-allowed-cn = [ - "TiDB-Server", "PD-Server", "TiKV-Control", "RawKvClient1", - ] - ``` +To verify component caller's identity, you need to mark the certificate user identity using `Common Name` when generating the certificate, and to check the caller's identity by configuring the `Common Name` list for the callee. - - PD +- TiDB - Configure in the configuration file or command line arguments: + Configure in the configuration file or command line arguments: - ```toml - [security] - cert-allowed-cn = ["TiKV-Server", "TiDB-Server", "PD-Control"] - ``` - -4. 
Reload certificates. - - To reload the certificates and the keys, TiDB, PD, and TiKV reread the current certificates and the key files each time a new connection is created. Currently, you cannot reload the CA certificate. - -## Enable TLS authentication between the MySQL client and TiDB server - -Refer to [Enable TLS Between TiDB Clients and Servers](/enable-tls-between-clients-and-servers.md). - -## Encrypt stored data - -In a TiDB cluster, user data is stored in TiKV. Once you configure the encrypted storage feature in TiKV, the TiDB cluster encrypts this data. This section introduces how to configure the data encryption feature in TiKV. - -1. Generate the token file. + ```toml + [security] + cluster-verify-cn = [ + "TiDB-Server", + "TiKV-Control", + ] + ``` - The token file stores the keys used to encrypt the user data and to decrypt the encrypted data. +- TiKV - {{< copyable "shell-regular" >}} + Configure in the configuration file or command line arguments: - ```bash - ./tikv-ctl random-hex --len 256 > cipher-file-256 + ```toml + [security] + cert-allowed-cn = [ + "TiDB-Server", "PD-Server", "TiKV-Control", "RawKvClient1", + ] ``` - > **Note:** - > - > You can only use the hex-formatted token file. The file length must be 2 to the power of N, and is less than or equal to 1024. +- PD -2. Configure TiKV as follows. + Configure in the configuration file or command line arguments: ```toml [security] - # Storage path of the Cipher file. - cipher-file = "/path/to/cipher-file-256" + cert-allowed-cn = ["TiKV-Server", "TiDB-Server", "PD-Control"] ``` -> **Note:** -> -> When you import data into a cluster using [TiDB Lightning](/tidb-lightning/tidb-lightning-overview.md), if the storage encryption feature is enabled in the target cluster, the SST files generated by TiDB Lightning must be encrypted. 
+### Reload certificates -### Limitations +To reload the certificates and the keys, TiDB, PD, TiKV, and all kinds of clients reread the current certificates and the key files each time a new connection is created. Currently, you cannot reload the CA certificate. -The limitations of the storage encryption feature are as follows: +## See also -- If the feature has not been enabled in the cluster before, you cannot enable this feature. -- If the feature is enabled in the cluster, you cannot disable this feature. -- You cannot enable the feature for some TiKV instances while disabling it for other instances in one cluster. You can only enable or disable this feature for all TiKV instances. This is because if you enable the encrypted storage feature, data are encrypted during data migration. +- [Enable TLS Between TiDB Clients and Servers](/enable-tls-between-clients-and-servers.md) From fa8825abcdcadc119e929814e89652f2fb78a220 Mon Sep 17 00:00:00 2001 From: yikeke Date: Fri, 5 Jun 2020 14:00:28 +0800 Subject: [PATCH 4/8] Update enable-encrypt-stored-data.md --- enable-encrypt-stored-data.md | 36 +++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/enable-encrypt-stored-data.md b/enable-encrypt-stored-data.md index cbc8bd6b8b904..83e0dc8870de5 100644 --- a/enable-encrypt-stored-data.md +++ b/enable-encrypt-stored-data.md 
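Review bot: The caller-verification section should state explicitly that the TiDB key is `cluster-verify-cn` while TiKV and PD use `cert-allowed-cn`; the three TOML blocks show it, but the prose only says "configuring the `Common Name` list", which invites copying the wrong key between components. The heading "Verify component caller's identity" reads better as "Verify the caller's identity". The context line in the tikv-ctl example carries a typo: `--key-path="/path/to/clinet-key.pem"` should be `client-key.pem`. In "Reload certificates", the text says the CA cannot be reloaded but not what a reader should do to rotate it; say so rather than leaving it implicit. The closing "## See also" is H2 here while the clients-and-servers page uses "### See also"; pick one level.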
@@ -1,18 +1,18 @@ --- -title: 为 TiDB 开启数据加密存储 -summary: 介绍如何为 TiDB 开启数据加密存储。 +title: Enable stored data encryption +summary: Introduce how to enable encryption for stored data. category: how-to --- -# 为 TiDB 开启数据加密存储 +# Enable stored data encryption -在 TiDB 集群中,用户的数据都存储在 TiKV 中,配置了 TiKV 数据加密存储功能,就代表 TiDB 集群已经加密存储了用户的数据。本部分主要介绍如何配置 TiKV 的加密存储功能。 +In a TiDB cluster, user data is stored in TiKV. Once you configure the encrypted storage feature in TiKV, the TiDB cluster encrypts this data. This section introduces how to configure the data encryption feature in TiKV. -## 操作流程 +## Operation procedures -1. 生成 token 文件。 +1. Generate the token file. - token 文件存储的是密钥,用于对用户数据进行加密,以及对已加密的数据进行解密。 + The token file stores the keys used to encrypt the user data and to decrypt the encrypted data. {{< copyable "shell-regular" >}} 
@@ -20,26 +20,26 @@ category: how-to ./tikv-ctl random-hex --len 256 > cipher-file-256 ``` - > **注意:** + > **Note:** > - > TiKV 只接受 hex 格式的 token 文件,文件的长度必须是 2n,并且小于等于 1024。 + > You can only use the hex-formatted token file. The file length must be 2 to the power of N, and is less than or equal to 1024. -2. 配置 TiKV。 +2. Configure TiKV as follows. ```toml [security] - # Cipher file 的存储路径 + # Storage path of the Cipher file. cipher-file = "/path/to/cipher-file-256" ``` -> **注意:** +> **Note:** > -> 若使用 [TiDB Lightning](/tidb-lightning/tidb-lightning-overview.md) 向集群导入数据,如果目标集群开启了加密功能,Lightning 生成的 SST 文件也必须是加密的格式。 +> When you import data into a cluster using [TiDB Lightning](/tidb-lightning/tidb-lightning-overview.md), if the storage encryption feature is enabled in the target cluster, the SST files generated by TiDB Lightning must be encrypted. -## 使用限制 +### Limitations -目前 TiKV 数据加密存储存在以下限制: +The limitations of the storage encryption feature are as follows: -- 对之前没有开启加密存储的集群,不支持开启该功能。 -- 已经开启加密功能的集群,不允许关闭加密存储功能。 -- 同一集群内部,不允许部分 TiKV 实例开启该功能,部分 TiKV 实例不开启该功能。对于加密存储功能,所有 TiKV 实例要么都开启该功能,要么都不开启该功能。这是由于 TiKV 实例之间会有数据迁移,如果开启了加密存储功能,迁移过程中数据也是加密的。 +- If the feature has not been enabled in the cluster before, you cannot enable this feature. +- If the feature is enabled in the cluster, you cannot disable this feature. +- You cannot enable the feature for some TiKV instances while disabling it for other instances in one cluster. You can only enable or disable this feature for all TiKV instances. This is because if you enable the encrypted storage feature, data are encrypted during data migration. From 6a092f211af57b4687173678daed279c07c97c6e Mon Sep 17 00:00:00 2001 From: yikeke Date: Fri, 5 Jun 2020 14:02:28 +0800 Subject: [PATCH 5/8] Update TOC.md --- TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TOC.md b/TOC.md index 17acc3f5622a5..95b143b4dfc0d 100644 --- a/TOC.md +++ b/TOC.md 
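Review bot: "The file length must be 2 to the power of N" is a doubtful rendering of the Chinese "文件的长度必须是 2n"; hex encoding produces two characters per byte, so the source most likely means an even number of characters, and the example `--len 256` satisfies both readings and cannot disambiguate. Confirm against TiKV's actual check before publishing. Also "### Limitations" is an H3 directly under "## Operation procedures" although it is a separate section; make it H2.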
@@ -71,7 +71,7 @@ + Transport Layer Security (TLS) - [Enable TLS for MySQL Clients and Servers](/enable-tls-between-clients-and-servers.md) - [Enable TLS Between TiDB Components](/enable-tls-between-components.md) - - [Enable encrypted data storage](/enable-encrypt-stored-data.md) + - [Encrypt Stored Data](/enable-encrypt-stored-data.md) - [Generate Self-signed Certificates](/generate-self-signed-certificates.md) - [Encryption-At-Rest](/encryption-at-rest.md) + Monitor From 27c1e1921a2d2f9fe73a51fccaf58d3c307bceb5 Mon Sep 17 00:00:00 2001 From: yikeke Date: Fri, 5 Jun 2020 14:04:17 +0800 Subject: [PATCH 6/8] Update enable-encrypt-stored-data.md --- enable-encrypt-stored-data.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/enable-encrypt-stored-data.md b/enable-encrypt-stored-data.md index 83e0dc8870de5..3c2e28d8f4786 100644 --- a/enable-encrypt-stored-data.md +++ b/enable-encrypt-stored-data.md @@ -36,7 +36,7 @@ In a TiDB cluster, user data is stored in TiKV. Once you configure the encrypted > > When you import data into a cluster using [TiDB Lightning](/tidb-lightning/tidb-lightning-overview.md), if the storage encryption feature is enabled in the target cluster, the SST files generated by TiDB Lightning must be encrypted. -### Limitations +## Limitations The limitations of the storage encryption feature are as follows: From 10f8a4167da8efc23ce2c3bf3b406dddcbbee80b Mon Sep 17 00:00:00 2001 From: yikeke Date: Fri, 5 Jun 2020 14:06:02 +0800 Subject: [PATCH 7/8] align https://github.com/pingcap/docs-cn/pull/3260/ --- enable-tls-between-components.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md index 857ec8b1b467c..d4721ff4e630a 100644 --- a/enable-tls-between-components.md +++ b/enable-tls-between-components.md 
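Review bot: The TOC entry is now "Encrypt Stored Data" while the page's own title from the previous commit is "Enable stored data encryption"; these should match, since readers navigate by title. The hunk also still leaves this entry and "Encryption-At-Rest" under "+ Transport Layer Security (TLS)", where neither belongs.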
@@ -24,7 +24,7 @@ Currently, it is not supported to only enable encrypted transmission of some spe You can use tools like `openssl`, `easy-rsa` and `cfssl` to generate self-signed certificates. - If you choose `cfssl`, you can refer to [generating self-signed certificates](/generate-self-signed-certificates.md). + If you choose `openssl`, you can refer to [generating self-signed certificates](/generate-self-signed-certificates.md). 2. Configure certificates. From 1982b39d78473f99f4bf6df1c5be1ad1448888c4 Mon Sep 17 00:00:00 2001 From: Lilian Lee Date: Tue, 9 Jun 2020 13:35:17 +0800 Subject: [PATCH 8/8] Apply suggestions from code review --- enable-encrypt-stored-data.md | 4 ++-- enable-tls-between-clients-and-servers.md | 4 ++-- enable-tls-between-components.md | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/enable-encrypt-stored-data.md b/enable-encrypt-stored-data.md index 3c2e28d8f4786..3bc58e35acf4d 100644 --- a/enable-encrypt-stored-data.md +++ b/enable-encrypt-stored-data.md @@ -1,10 +1,10 @@ --- -title: Enable stored data encryption +title: Enable Stored Data Encryption summary: Introduce how to enable encryption for stored data. category: how-to --- -# Enable stored data encryption +# Enable Stored Data Encryption In a TiDB cluster, user data is stored in TiKV. Once you configure the encrypted storage feature in TiKV, the TiDB cluster encrypts this data. This section introduces how to configure the data encryption feature in TiKV. diff --git a/enable-tls-between-clients-and-servers.md b/enable-tls-between-clients-and-servers.md index 258761e833bd0..af6b8231eb280 100644 --- a/enable-tls-between-clients-and-servers.md +++ b/enable-tls-between-clients-and-servers.md 
@@ -7,7 +7,7 @@ aliases: ['/docs/dev/how-to/secure/enable-tls-clients/','/docs/dev/encrypted-con # Enable TLS Between TiDB Clients and Servers -Non-encrypted connection between TiDB's server and client is used by default, which enables third parties that monitor channel traffic to know the data sent and received between the server and the client, including but not limited to query content, query results, etc. If a channel is untrustworthy (such as if the client is connected to the TiDB server via a public network), then a non-encrypted connection is prone to information leakage. In this case, for security reasons, it is recommended to use an encrypted connection. +Non-encrypted connection between TiDB's server and client is used by default, which enables third parties that monitor channel traffic to know the data sent and received between the server and the client, including but not limited to query content, query results, and so on. If a channel is untrustworthy (such as if the client is connected to the TiDB server via a public network), then a non-encrypted connection is prone to information leakage. In this case, for security reasons, it is recommended to use an encrypted connection. The TiDB server supports the encrypted connection based on the TLS (Transport Layer Security). The protocol is consistent with MySQL encrypted connections and is directly supported by existing MySQL clients such as MySQL operation tools and MySQL drivers. TLS is sometimes referred to as SSL (Secure Sockets Layer). Because the SSL protocol has [known security vulnerabilities](https://en.wikipedia.org/wiki/Transport_Layer_Security), TiDB does not support it. TiDB supports the following versions: TLS 1.0, TLS 1.1, and TLS 1.2, TLS 1.3. 
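Review bot: Replacing "etc." with "and so on" keeps the redundancy with "including but not limited to"; drop one of them. The sentence also still lacks an article: "A non-encrypted connection between the TiDB server and client is used by default".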
@@ -184,4 +184,4 @@ The newly loaded certificate, key, and CA take effect on the connection that is ### See also -- [Enable TLS Between TiDB Components](/enable-tls-between-components.md)。 \ No newline at end of file +- [Enable TLS Between TiDB Components](/enable-tls-between-components.md)。 diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md index d4721ff4e630a..7f153eaf1c759 100644 --- a/enable-tls-between-components.md +++ b/enable-tls-between-components.md @@ -7,7 +7,7 @@ aliases: ['/docs/dev/how-to/secure/enable-tls-between-components/'] # Enable TLS Between TiDB Components -This document describes how to enable encrypted data transmission between components within a TiDB cluster. Once enabled, encrypted transmission are used between the following components: +This document describes how to enable encrypted data transmission between components within a TiDB cluster. Once enabled, encrypted transmission is used between the following components: - TiDB and TiKV; TiDB and PD - TiKV and PD
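Review bot: This adds the missing trailing newline but keeps the CJK full stop "。" after the link in the "See also" list; replace it with "." or remove it, and while here promote "### See also" to "## See also" to match `enable-tls-between-components.md`.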