Server General KMS for MySQL
The Key Management Service For MySQL TDE Customers
How Does It Work?
Install the Server General KMS Agent (SGA) on a MySQL server 5.7 or higher.
The SGA will turn on the MySQL Transparent Data Encryption (TDE) functionality within the MySQL server.
The MySQL TDE then generates a MySQL Master Key (MMK) and a tablespace encryption key (TSK).
The MySQL TDE then encrypts data stored in an InnoDB table using the TSK.
The MySQL TDE uses the MMK to encrypt the TSK, and the encrypted TSK is stored in the header of the encrypted table.
The SGA then encrypts the MMK using the Data Administrator’s Master Key (DMK).
The encrypted value of the MMK is then moved into a Server General Locker (SGL).
When the MySQL server is restarted:
The SGA requests the MMK from the SGL, and the SGL returns the encrypted version of the MMK to the agent.
The Data Administrator uses her DMK to decrypt the MMK.
The MySQL TDE uses the decrypted MMK to complete the MySQL server restart.
The Data Administrator issues the “store” command which copies the MMK back to the SGL and deletes the local copy from the server.
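The two flows above (first start, then restart) as an added Go model; this is not Server General's or MySQL's code. It assumes AES-256-GCM as the wrapping algorithm and role labels as AAD, which stand in for whatever the product actually uses, and the names Setup, Restart, seal and open are the example's own.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
func rnd(n int) []byte { // stand-in for key (32-byte) and nonce (12-byte) generation
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length gets here
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}
// seal: AES-256-GCM, nonce prepended, role label as AAD; open fails on a wrong key or label or tampering.
func seal(key, pt, label []byte) []byte {
	nonce := rnd(12)
	return gcm(key).Seal(nonce, nonce, pt, label)
}
func open(key, blob, label []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("wrapped blob too short")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], label)
}

// Setup models first start: table encrypted under a fresh TSK, TSK wrapped under a fresh
// MMK (table header), MMK wrapped by the SGA under the DMK (locker). Only these blobs persist.
func Setup(dmk, table []byte) (header, data, locker []byte) {
	mmk, tsk := rnd(32), rnd(32)
	return seal(mmk, tsk, []byte("TSK")), seal(tsk, table, nil), seal(dmk, mmk, []byte("MMK"))
}
// Restart models recovery as a chain: DMK unwraps the MMK (locker), MMK unwraps the TSK
// (header), TSK decrypts the table; a wrong key or tampered blob at any step returns an error.
func Restart(key, header, data, locker []byte) (_ []byte, err error) { // key is the DMK
	for _, s := range []struct{ blob, label []byte }{{locker, []byte("MMK")}, {header, []byte("TSK")}, {data, nil}} {
		if key, err = open(key, s.blob, s.label); err != nil {
			return nil, err
		}
	}
	return key, nil
}
```

After the "store" step only the three blobs remain on the host, so a copied data directory without the DMK yields nothing but authentication failures.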