Server General KMS for MySQL
The Key Management Service For MySQL TDE Customers
The security of any cryptography-enabled system ultimately depends on the security of the cryptographic material it uses. Key generation, storage and distribution are critical aspects of any distributed secure system. Although many different and sometimes competing ways of managing keys exist, the available resources and the threat environment ultimately dictate the choice. Server General KMS for MySQL is a key management service for organizations that use the encryption functionality embedded in their MySQL servers.
Server General KMS for MySQL consists of two components - the Server General KMS Agent (SGA) and the Server General Locker (SGL). The SGL is a secure appliance used to store keys. A single SGL can store an unlimited number of encryption keys used by a group of MySQL servers. Customers can also use our global key management infrastructure to store their keys securely.
Server General KMS for MySQL uses a three-tier encryption key architecture consisting of a Master MySQL Key (MMK), a tablespace key (TSK) and a Data Admin Master Key (DMK). Server General KMS for MySQL has been designed to protect the encryption keys against internal as well as external threats, and no key is ever stored on disk in plaintext.
Securing The Master MySQL Key
The Server General KMS for MySQL system consists of two separate components - the Server General Agent (SGA) and the Server General Locker (SGL). For now we will assume that the user is going to use our cloud locker; we also provide an on-premises key locker appliance.
The user installs the SGA on their MySQL server. During configuration, at least two Server General administrators are defined - the Security Officer (SO) and the Data Administrator (DA). The DA acts as the custodian of the MMK and encrypts it with her own key - the DMK. The encrypted MMK is then moved into the SGL, which our security staff manages for you on a 24x7x365 basis.
The Server General encryption engine supports several standard encryption algorithms; AES-256 in CBC mode is the default algorithm used to encrypt the MMK.
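The following is an added illustration of the three-tier hierarchy described above, written in Ruby with OpenSSL; it is not Server General's code. The DMK wraps the MMK, the MMK wraps the TSK, only wrapped values leave memory, and AES-256-CBC is used because the page names it as the default; the module and method names are assumptions.

```ruby
require 'openssl'

# Added illustration of the hierarchy described above: the DA's DMK wraps the MMK,
# the MMK wraps each tablespace key (TSK), and only wrapped keys are ever written out.
module MysqlKmsExample
  ALG = 'AES-256-CBC'  # the page's stated default for protecting the MMK

  # Wrap a 32-byte key under a 32-byte KEK; returns iv || ciphertext (64 bytes).
  # CBC alone gives confidentiality only. The PKCS#7 padding check is not an
  # integrity check, so a deployment needs its own (e.g. a MAC or key check value).
  def self.wrap(kek, key)
    raise ArgumentError, 'KEK and key must be 32 bytes' unless [kek, key].all? { |k| k.bytesize == 32 }
    c = OpenSSL::Cipher.new(ALG).encrypt
    c.key = kek
    iv = c.random_iv                 # fresh 16-byte IV for every wrap
    iv + c.update(key) + c.final     # padding adds one block to the 32-byte key
  end

  # Reverse wrap. Malformed input is rejected before any key material is touched.
  def self.unwrap(kek, wrapped)
    raise ArgumentError, 'malformed wrapped key' unless wrapped.bytesize == 64
    c = OpenSSL::Cipher.new(ALG).decrypt
    c.key = kek
    c.iv = wrapped[0, 16]
    c.update(wrapped[16, 48]) + c.final
  end

  # At-rest artefacts for one MySQL server: the MMK wrapped under the DMK (the value
  # handed to the locker) and the TSK wrapped under the MMK. Plaintext MMK and TSK
  # exist only inside this method and are never returned.
  def self.provision(dmk)
    mmk = OpenSSL::Random.random_bytes(32)
    tsk = OpenSSL::Random.random_bytes(32)
    { wrapped_mmk: wrap(dmk, mmk), wrapped_tsk: wrap(mmk, tsk) }
  end

  # Walk DMK -> MMK -> TSK to recover the key that actually encrypts tablespace data.
  def self.open_tablespace_key(dmk, artefacts)
    mmk = unwrap(dmk, artefacts[:wrapped_mmk])
    unwrap(mmk, artefacts[:wrapped_tsk])
  end
end

if $PROGRAM_NAME == __FILE__
  dmk = OpenSSL::Random.random_bytes(32)         # constructed stand-in for the DA's key
  art = MysqlKmsExample.provision(dmk)
  puts "locker receives #{art[:wrapped_mmk].bytesize}-byte wrapped MMK"
  puts "TSK recovered: #{MysqlKmsExample.open_tablespace_key(dmk, art).bytesize} bytes"
end
```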