---
title: Enable Stored Data Encryption
summary: Introduce how to enable encryption for stored data.
category: how-to
---
In a TiDB cluster, user data is stored in TiKV. Once you enable the encrypted storage feature in TiKV, the TiDB cluster encrypts this data on disk. This section describes how to configure the data encryption feature in TiKV.
- Generate the token file.

    The token file stores the key used to encrypt the user data and to decrypt the encrypted data.

    {{< copyable "shell-regular" >}}

    ```bash
    ./tikv-ctl random-hex --len 256 > cipher-file-256
    ```

    Note:

    Only a hex-formatted token file is accepted. Its length must be a power of two (2 to the power of N) and must not exceed 1024.
- Configure TiKV as follows.

    ```toml
    [security]
    # Storage path of the Cipher file.
    cipher-file = "/path/to/cipher-file-256"
    ```
Note:
When you import data into a cluster using TiDB Lightning, if the storage encryption feature is enabled in the target cluster, the SST files generated by TiDB Lightning must be encrypted.
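The two steps above, carried through as an added example that is not part of the TiKV documentation or tooling: a POSIX shell script that generates the cipher file, checks it against the documented constraints (hex only, length a power of two, at most 1024 characters) before TiKV ever sees it, keeps the key readable only by its owner, and prints the matching `[security]` section. It assumes `tikv-ctl` is at `./tikv-ctl` and, when that binary is absent, falls back to `/dev/urandom` for the key material; the target path `/etc/tikv/cipher-file-256` is likewise an assumption.

```shell
#!/bin/sh
# Added example, not part of the TiKV docs or tooling: generate a cipher file,
# check it against the documented constraints (hex only, length a power of two,
# at most 1024 characters), keep it readable only by its owner, and emit the
# matching [security] section. Assumptions: tikv-ctl lives at ./tikv-ctl, and
# when it is absent the key comes from /dev/urandom instead.

# check_cipher_file FILE: return 0 only if FILE is a valid token file.
check_cipher_file() {
    file="$1"
    [ -f "$file" ] || { echo "check: no such file: $file" >&2; return 1; }
    # $(...) drops trailing newlines, so a file ending in "\n" still passes;
    # a newline in the middle of the token fails the hex check below.
    hex=$(cat "$file")
    len=${#hex}
    case "$hex" in
        '' | *[!0-9a-fA-F]*)
            echo "check: $file is empty or not hex" >&2; return 1 ;;
    esac
    if [ "$len" -gt 1024 ]; then
        echo "check: $file has $len hex digits, limit is 1024" >&2; return 1
    fi
    # A positive integer is a power of two iff n & (n - 1) == 0.
    if [ $(( len & (len - 1) )) -ne 0 ]; then
        echo "check: length $len is not a power of two" >&2; return 1
    fi
    return 0
}

# gen_cipher_file OUT [HEXLEN]: write a fresh key of HEXLEN hex digits (default
# 256, i.e. 128 bytes of entropy) to OUT, refusing to clobber an existing key.
gen_cipher_file() {
    out="$1"
    hexlen="${2:-256}"
    if [ -e "$out" ]; then
        echo "gen: refusing to overwrite existing key $out" >&2; return 1
    fi
    # Subshell so the restrictive umask does not leak into the caller:
    # the file is created 0600, and only the user running TiKV should own it.
    (
        umask 077
        if [ -x ./tikv-ctl ]; then
            ./tikv-ctl random-hex --len "$hexlen" > "$out"
        else
            # Fallback (assumption): kernel CSPRNG rendered as lower-case hex.
            head -c "$(( hexlen / 2 ))" /dev/urandom | od -An -v -tx1 | tr -d ' \n' > "$out"
        fi
    ) || return 1
    check_cipher_file "$out"
}

# render_security_config FILE: print the TiKV [security] section for FILE.
render_security_config() {
    printf '[security]\n# Storage path of the Cipher file.\ncipher-file = "%s"\n' "$1"
}

# Typical use: generate, verify, then paste the rendered section into tikv.toml.
# gen_cipher_file /etc/tikv/cipher-file-256 && render_security_config /etc/tikv/cipher-file-256
```

The validation step matters because the file is consulted at TiKV start-up: a token that is the wrong length or contains a stray non-hex character is easier to catch here than in a failed rollout, and refusing to overwrite an existing file guards against silently replacing the key a running cluster already depends on.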
The limitations of the storage encryption feature are as follows:
- A cluster that was deployed without this feature cannot enable it afterwards.
- Once the feature is enabled in a cluster, it cannot be disabled.
- You cannot enable the feature on some TiKV instances while leaving it disabled on others in the same cluster; it is enabled or disabled for all TiKV instances together. This is because, with encrypted storage enabled, data is also encrypted while it is migrated between TiKV instances, so every instance must be able to decrypt it.