cloud: Premium supports Dual-layer Data Encryption (CMEK) #22625

ljun0712 wants to merge 3 commits into pingcap:feature/preview-one-console
Signed-off-by: longjun <longjun@pingcap.com>
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: (none). Needs approval from an approver in each of these files. Approvers can indicate their approval by writing the approval command in a comment.
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces extensive documentation for the new Dual-layer Data Encryption feature available on TiDB Cloud Premium. This feature significantly enhances data security by allowing users to integrate TiDB's native encryption with their cloud provider's Key Management Service, starting with AWS KMS. The documentation provides a clear understanding of the encryption mechanisms, key management options (customer-managed vs. service-managed keys), and detailed configuration steps for both new and existing TiDB instances, ensuring users can effectively implement and manage this advanced security capability.
Code Review
This PR adds documentation for the Dual-layer Data Encryption feature on Premium TiDB. The document is comprehensive and covers the feature well. I've provided several suggestions to improve clarity, conciseness, and adherence to the documentation style guide. The suggestions mainly focus on using the second person ("you"), applying active voice, ensuring consistent terminology, and formatting UI elements correctly. Please review the suggested changes.
| ##### Step 2. When creating Premium TiDB, configure CMEK in Dual-layer Data Encryption. | ||
| Dual-layer Data Encryption should only be enabled when creating Premium TiDB. To do this, follow these steps: |
This sentence is misleading, as you can enable Dual-layer Data Encryption on an existing instance, which is described in a later section. It should be removed or rephrased to avoid confusion.
| Dual-layer Data Encryption should only be enabled when creating Premium TiDB. To do this, follow these steps: | |
| To configure CMEK when creating a Premium TiDB instance, follow these steps: |
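Review bot: the suggested line drops the restriction without saying what replaces it, and the restrictions list in this same document states that encryption properties cannot be modified once Dual-layer Data Encryption is enabled. If enabling on an existing instance is allowed, as the comment says a later section describes, this step should state which properties are frozen afterwards (the restore section already says the key ARN remains unchanged) so readers do not assume they can switch keys later.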
References
- Ensure documentation is clear and technically accurate. (link)
| # Dual-layer Data Encryption | ||
| Premium enables data encryption at rest by default on TiDB service instance storage and snapshot volumes. This provides basic encryption capabilities to enhance data security. Building on this, Premium allows you to combine TiDB service's storage engine encryption with your cloud provider's KMS, adding another layer of data encryption (Dual-layer Data Encryption). |
This introductory paragraph can be rephrased for better clarity and conciseness.
| Premium enables data encryption at rest by default on TiDB service instance storage and snapshot volumes. This provides basic encryption capabilities to enhance data security. Building on this, Premium allows you to combine TiDB service's storage engine encryption with your cloud provider's KMS, adding another layer of data encryption (Dual-layer Data Encryption). | |
| By default, Premium encrypts data at rest for TiDB instance storage and snapshot volumes. This provides a baseline of data security. To further enhance security, you can enable Dual-layer Data Encryption, which combines the TiDB service's storage engine encryption with your cloud provider's Key Management Service (KMS). |
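Review bot: the rewritten paragraph still does not say what the second layer protects. "Combines the TiDB service's storage engine encryption with your cloud provider's Key Management Service (KMS)" leaves open whether the KMS key wraps the storage engine's data keys or encrypts data directly, and that is exactly what determines what a revoked or rotated KMS key affects. The later sections call it the "KMS master key", so one sentence here stating that relationship (if that is the design) would remove the ambiguity.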
References
- The documentation should be clear and simple for users to understand. (link)
| - Currently, Premium's Dual-layer Data Encryption only supports providing key services using AWS KMS. | ||
| - Premium's Dual-layer Data Encryption covers data from TiKV, CDC, and BR components. Encryption of TiFlash data will be supported soon. | ||
| - When Dual-layer Data Encryption is enabled on Premium TiDB, encryption properties will not be allowed to be modified. | ||
| - Only KMS master key rotation is supported; rotation of other keys is not supported. | ||
| - User-configured encryption algorithms are not supported. | ||
| - The AWS region for CMEK needs to be consistent with the TiDB instance. | ||
| - When CMEK encryption is enabled in Premium, backup data for TiDB instances does not support cross-region recovery operations. |
This list of restrictions can be improved for clarity, conciseness, and adherence to the style guide (e.g., using active voice and addressing the user directly). Consider rephrasing as follows:
| - Currently, Premium's Dual-layer Data Encryption only supports providing key services using AWS KMS. | |
| - Premium's Dual-layer Data Encryption covers data from TiKV, CDC, and BR components. Encryption of TiFlash data will be supported soon. | |
| - When Dual-layer Data Encryption is enabled on Premium TiDB, encryption properties will not be allowed to be modified. | |
| - Only KMS master key rotation is supported; rotation of other keys is not supported. | |
| - User-configured encryption algorithms are not supported. | |
| - The AWS region for CMEK needs to be consistent with the TiDB instance. | |
| - When CMEK encryption is enabled in Premium, backup data for TiDB instances does not support cross-region recovery operations. | |
| - Currently, Premium Dual-layer Data Encryption only supports AWS KMS. | |
| - Premium Dual-layer Data Encryption covers data from TiKV, CDC, and BR components. Encryption for TiFlash data will be supported soon. | |
| - After you enable Dual-layer Data Encryption on a Premium TiDB instance, you cannot modify its encryption properties. | |
| - Only automatic rotation of the KMS master key is supported. You cannot rotate other keys. | |
| - You cannot use custom encryption algorithms. | |
| - The AWS region for your CMEK must be the same as your TiDB instance's region. | |
| - When you enable CMEK encryption in Premium, you cannot perform cross-region recovery operations for TiDB instance backup data. |
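Review bot: the suggestion for the rotation item changes meaning, not only style: "Only KMS master key rotation is supported" becomes "Only automatic rotation of the KMS master key is supported", which excludes manual rotation without anything on the page saying so. Manual rotation in AWS KMS means creating a new key and repointing the alias, which changes the key ARN, and the restore section says the key ARN must remain unchanged; automatic rotation keeps the same ARN and retains old key material for existing ciphertext. Either keep the original wording or confirm with the feature owner that only AWS KMS automatic rotation is meant, and then say explicitly that a manual rotation (new key ARN) is not supported.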
References
- Write in second person ("you") when addressing users and prefer active voice. (link)
| 1. On the My TiDB page, click "Create Resource". | ||
| 2. In the Plan, select Premium and complete the basic configuration. | ||
| 3. In Dual-Layer Data Encryption, click "Enable". | ||
| 4. Then select Customer-Managed Encryption Key (CMEK) and click "Add KMS Key ARN" to enter the key configuration page. | ||
| 5. Copy and save the JSON file as ROLE-TRUST-POLICY.JSON. This file describes the trust relationship. | ||
| 6. On your AWS KMS service, you need to add this trust relationship to the key policy. For more information, refer to [Key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html). | ||
| 7. In the TiDB Cloud console, scroll to the bottom of the key creation page, and then fill in the KMS Key ARN obtained from AWS KMS. | ||
| 8. Click “Test and Add KMS Key ARN” to check the key trust relationship. After the key trust relationship is configured correctly, you can return to the Premium creation process. | ||
| 9. Click “Create” to create Premium TiDB. |
The UI instructions can be made clearer by bolding UI elements and improving the wording. This makes the steps easier to follow. The same formatting should be applied to other step-by-step instructions in this document (lines 104-108, 122-128, 134-136).
| 1. On the My TiDB page, click "Create Resource". | |
| 2. In the Plan, select Premium and complete the basic configuration. | |
| 3. In Dual-Layer Data Encryption, click "Enable". | |
| 4. Then select Customer-Managed Encryption Key (CMEK) and click "Add KMS Key ARN" to enter the key configuration page. | |
| 5. Copy and save the JSON file as ROLE-TRUST-POLICY.JSON. This file describes the trust relationship. | |
| 6. On your AWS KMS service, you need to add this trust relationship to the key policy. For more information, refer to [Key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html). | |
| 7. In the TiDB Cloud console, scroll to the bottom of the key creation page, and then fill in the KMS Key ARN obtained from AWS KMS. | |
| 8. Click “Test and Add KMS Key ARN” to check the key trust relationship. After the key trust relationship is configured correctly, you can return to the Premium creation process. | |
| 9. Click “Create” to create Premium TiDB. | |
| 1. On the **My TiDB** page, click **Create Resource**. | |
| 2. In **Plan**, select **Premium** and complete the basic configuration. | |
| 3. In **Dual-Layer Data Encryption**, click **Enable**. | |
| 4. Select **Customer-Managed Encryption Key (CMEK)** and click **Add KMS Key ARN** to go to the key configuration page. | |
| 5. Copy and save the JSON content as a file named `ROLE-TRUST-POLICY.JSON`. This file describes the trust relationship. | |
| 6. In your AWS KMS service, add this trust relationship to the key policy. For more information, see [Key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html). | |
| 7. In the TiDB Cloud console, scroll to the bottom of the key creation page, and then enter the KMS Key ARN that you get from AWS KMS. | |
| 8. Click **Test and Add KMS Key ARN** to check the key trust relationship. If the check passes, you can return to the Premium creation page. | |
| 9. Click **Create** to create the Premium TiDB instance. |
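Review bot: step 5 names the file `ROLE-TRUST-POLICY.JSON` but step 6 tells the reader to add it to the KMS key policy; an IAM role trust policy and a KMS key policy are different documents, so the text should say which one this JSON is (from step 6, a statement to merge into the key's policy). Step 6 should also say to append the statement to the existing key policy rather than replace it, because a key policy that loses the account's own administrative statement can lock the key owner out of the key, and it should list the `kms:` actions the statement grants so readers can confirm the grant is scoped to what the instance needs rather than `kms:*`.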
References
- Use ordered lists for steps and backticks for code snippets, command names, options, and paths. While not explicitly stated for UI elements, bolding them improves readability. (link)
| 1. In Dual-layer Data Encryption, the key ARN remains unchanged. Click "Check" here to proceed with the KMS master key trust policy check process. | ||
| 2. In the KMS master key trust check process, check whether the TiDB Cloud account granted in the key policy has changed (compare it with the TiDB Cloud account associated with the original backup TiDB instance). | ||
| 3. If the TiDB Cloud account in the key policy is the same as the TiDB Cloud account associated with the original backup TiDB instance, then it is not necessary to re-authorize the KMS master key. | ||
| 4. If the TiDB Cloud account in the key policy is different from the TiDB Cloud account associated with the original backup TiDB instance, then you need to copy the key policy here and then authorize the key in AWS KMS. This ensures that the new Premium TiDB can correctly access the KMS master key. |
These steps for the restore process can be rephrased for better clarity and to make them easier to follow.
| 1. In Dual-layer Data Encryption, the key ARN remains unchanged. Click "Check" here to proceed with the KMS master key trust policy check process. | |
| 2. In the KMS master key trust check process, check whether the TiDB Cloud account granted in the key policy has changed (compare it with the TiDB Cloud account associated with the original backup TiDB instance). | |
| 3. If the TiDB Cloud account in the key policy is the same as the TiDB Cloud account associated with the original backup TiDB instance, then it is not necessary to re-authorize the KMS master key. | |
| 4. If the TiDB Cloud account in the key policy is different from the TiDB Cloud account associated with the original backup TiDB instance, then you need to copy the key policy here and then authorize the key in AWS KMS. This ensures that the new Premium TiDB can correctly access the KMS master key. | |
| 1. In the **Dual-layer Data Encryption** section, the key ARN remains unchanged. Click **Check** to start the KMS master key trust policy check process. | |
| 2. In the KMS master key trust check process, check whether the TiDB Cloud account granted in the key policy has changed by comparing it with the TiDB Cloud account associated with the original backup's TiDB instance. | |
| 3. If the TiDB Cloud account in the key policy is the same as the one associated with the original backup's TiDB instance, you do not need to re-authorize the KMS master key. | |
| 4. If the TiDB Cloud account in the key policy is different from the one associated with the original backup's TiDB instance, you need to copy the key policy and authorize the key in AWS KMS. This ensures that the new Premium TiDB instance can correctly access the KMS master key. |
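Review bot: steps 2 to 4 describe one decision but read as three separate actions; collapse them to "run the check; if the TiDB Cloud account in the key policy differs from the one tied to the original instance, copy the policy shown and re-authorize the key in AWS KMS, otherwise no action is needed". The text should also say where the reader sees the account tied to "the original backup's TiDB instance", since that value is not visible in the AWS console and the comparison is meaningless without it.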
References
- Ensure step instructions are clear and easy to understand. (link)
| If you need to temporarily revoke TiDB Cloud's access to CMEK, follow these steps: | ||
| 1. On the AWS KMS console, revoke the corresponding permissions and update the KMS Key policy. | ||
| 2. On the TiDB Cloud console, pause all Premium TiDB instances that use this KMS master key. | ||
| > **Note:** | ||
| > | ||
| > - Revoking CMEK on AWS KMS will not affect running TiDB instances. | ||
| > - When pausing and then resuming a TiDB instance, the TiDB service will not be able to resume normally because CMEK is inaccessible. | ||
| After revoking TiDB Cloud's access to CMEK, if you need to restore the access, follow these steps: | ||
| 1. On the AWS KMS console, restore the CMEK access policy. | ||
| 2. In the TiDB Cloud console, restore the Premium TiDB instance that uses this KMS master key. |
This section about authorization management can be improved for clarity and correctness. For example, "On the AWS KMS console" should be "In the AWS KMS console", and "restore the Premium TiDB instance" should be "resume the Premium TiDB instance" to be consistent with "pause".
| If you need to temporarily revoke TiDB Cloud's access to CMEK, follow these steps: | |
| 1. On the AWS KMS console, revoke the corresponding permissions and update the KMS Key policy. | |
| 2. On the TiDB Cloud console, pause all Premium TiDB instances that use this KMS master key. | |
| > **Note:** | |
| > | |
| > - Revoking CMEK on AWS KMS will not affect running TiDB instances. | |
| > - When pausing and then resuming a TiDB instance, the TiDB service will not be able to resume normally because CMEK is inaccessible. | |
| After revoking TiDB Cloud's access to CMEK, if you need to restore the access, follow these steps: | |
| 1. On the AWS KMS console, restore the CMEK access policy. | |
| 2. In the TiDB Cloud console, restore the Premium TiDB instance that uses this KMS master key. | |
| If you need to temporarily revoke TiDB Cloud's access to CMEK, follow these steps: | |
| 1. In the AWS KMS console, revoke the corresponding permissions and update the KMS Key policy. | |
| 2. In the TiDB Cloud console, pause all Premium TiDB instances that use this KMS master key. | |
| > **Note:** | |
| > | |
| > - Revoking CMEK in AWS KMS does not affect running TiDB instances. | |
| > - If you pause and then resume a TiDB instance, the TiDB service cannot resume normally because the CMEK is inaccessible. | |
| After revoking TiDB Cloud's access to CMEK, if you need to restore the access, follow these steps: | |
| 1. In the AWS KMS console, restore the CMEK access policy. | |
| 2. In the TiDB Cloud console, resume the Premium TiDB instance that uses this KMS master key. |
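Review bot: the note "Revoking CMEK in AWS KMS does not affect running TiDB instances" is the security-relevant point of this section and reads as a reassurance when it is a limitation: removing the grant from the key policy does not cut off an instance that is already running, so step 2 (pausing every instance that uses the key) is what makes the revocation take effect, and the procedure should state that pausing is required rather than listing it as just another step. The restore procedure has the same ordering dependency: access must be restored in AWS KMS before the instance is resumed, because the second note says a resume with the CMEK inaccessible cannot complete.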
References
- Use consistent and accurate terminology for technical procedures. (link)
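The checks discussed in the review above (key region against instance region, the key-policy trust check behind "Test and Add KMS Key ARN", appending the trust statement without replacing the key policy, the revoke step, and the restore-time account comparison) can be modelled offline. The following Python is an added example, not code from the PR or from TiDB Cloud's tooling; the account IDs, the TiDB Cloud principal ARN, the statement `Sid` and the set of required `kms:` actions are assumptions, because the page does not show the real trust statement. It uses only the standard library and a constructed sample key policy.

```python
# Added example: offline model of the CMEK key-policy checks in the Dual-layer Data Encryption
# procedure. Not TiDB Cloud code. Account IDs, the principal ARN, the Sid and REQUIRED_ACTIONS are assumed.
import json
import re
from copy import deepcopy
from typing import Any, Iterable, Optional

# Single-Region KMS key ARN; the doc requires the key's region to equal the instance region.
KEY_ARN_RE = re.compile(r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<key_id>[0-9a-f-]{36})$")

# ASSUMED: KMS actions a service needs to wrap and unwrap data keys; the page does not list them.
REQUIRED_ACTIONS = frozenset({"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"})

# CONSTRUCTED sample: a customer key policy holding only the default root-account statement.
CUSTOMER_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                   "Action": "kms:*", "Resource": "*"}],
}

# HYPOTHETICAL stand-in for the statement the console shows as ROLE-TRUST-POLICY.JSON.
TIDB_CLOUD_PRINCIPAL = "arn:aws:iam::222222222222:role/tidb-cloud-cmek-example"
TRUST_STATEMENT = {"Sid": "AllowTiDBCloudCMEK", "Effect": "Allow",
                   "Principal": {"AWS": TIDB_CLOUD_PRINCIPAL},
                   "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}


def parse_key_arn(arn: str) -> dict:
    m = KEY_ARN_RE.match(arn)
    if m is None:
        raise ValueError(f"not a KMS key ARN: {arn!r}")
    return m.groupdict()


def key_region_matches(key_arn: str, instance_region: str) -> bool:
    """Restriction from the doc: the CMEK region must be the TiDB instance's region."""
    return parse_key_arn(key_arn)["region"] == instance_region


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def statement_principals(stmt: dict) -> set:
    principal = stmt.get("Principal", {})
    if principal == "*":
        return {"*"}
    found: set = set()
    for v in principal.values():
        found.update(_as_list(v))
    return found


def statement_matches(stmt: dict, principal: str, actions: set, effect: str) -> bool:
    if stmt.get("Effect") != effect or principal not in statement_principals(stmt):
        return False
    listed = set(_as_list(stmt.get("Action", [])))
    if listed & {"kms:*", "*"}:
        return True
    # A Deny matters if it touches any needed action; an Allow must cover all of them.
    return bool(actions & listed) if effect == "Deny" else actions <= listed


def trust_check(policy: dict, principal: str, actions: Iterable[str] = REQUIRED_ACTIONS) -> bool:
    """Offline counterpart of the console's trust check: can `principal` use the key for
    every required action, with no explicit Deny in the way?"""
    stmts = _as_list(policy.get("Statement", []))
    wanted = set(actions)
    if any(statement_matches(s, principal, wanted, "Deny") for s in stmts):
        return False
    return any(statement_matches(s, principal, wanted, "Allow") for s in stmts)


def add_trust_statement(policy: dict, trust_stmt: dict) -> dict:
    """Append the console-provided statement; never replace the whole policy, because dropping
    the root-account statement can lock the key owner's own admins out of the key."""
    merged = deepcopy(policy)
    stmts = _as_list(merged.get("Statement", []))
    if any(s.get("Sid") == trust_stmt.get("Sid") for s in stmts):
        return merged
    merged["Statement"] = stmts + [deepcopy(trust_stmt)]
    return merged


def revoke_trust_statement(policy: dict, sid: str) -> dict:
    """The 'temporarily revoke' step. Per the doc, already-running instances keep working
    after this, so the instances that use the key must also be paused."""
    revoked = deepcopy(policy)
    revoked["Statement"] = [s for s in _as_list(revoked.get("Statement", [])) if s.get("Sid") != sid]
    return revoked


def granted_account(policy: dict, sid: str) -> Optional[str]:
    """Restore flow: the AWS account of the principal granted under `sid`, to compare with
    the account tied to the backup's original instance."""
    for s in _as_list(policy.get("Statement", [])):
        if s.get("Sid") == sid:
            for p in statement_principals(s):
                m = re.match(r"^arn:aws:iam::(\d{12}):", p)
                if m:
                    return m.group(1)
    return None


if __name__ == "__main__":
    key_arn = "arn:aws:kms:us-west-2:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    print("region ok:", key_region_matches(key_arn, "us-west-2"))
    merged = add_trust_statement(CUSTOMER_KEY_POLICY, TRUST_STATEMENT)
    print(json.dumps(merged, indent=2))
    print("trust check:", trust_check(merged, TIDB_CLOUD_PRINCIPAL))
    print("after revoke:", trust_check(revoke_trust_statement(merged, "AllowTiDBCloudCMEK"), TIDB_CLOUD_PRINCIPAL))
```

`add_trust_statement` appends and is idempotent on the `Sid`, which is the behaviour a customer wants when pasting the console's statement into a key that already has other grants. Against a real key the policy would be read with `aws kms get-key-policy --policy-name default` and written back with `aws kms put-key-policy`; those commands are standard AWS CLI, not part of the page.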
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
@ljun0712: The following test failed, say
What is changed, added or deleted? (Required)
Dual-layer Data Encryption (including CMEK) is supported on Premium. This is the customer documentation.
Which TiDB version(s) do your changes apply to? (Required)