support cmek for alibaba cloud #22947
- Add manual backup feature with key characteristics and creation steps
- Update PITR window to 7 days for premium instances
- Fix Premium naming consistency using {{{ .premium }}} variable
- Remove manual backup limitation note since it's now supported
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: Aolin <aolinz@outlook.com>
Add documentation for CMEK (Customer-Managed Encryption Key) and Service-Managed Encryption Key features on TiDB Cloud Premium.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@wildpcww: The following test failed, say
Code Review
This pull request introduces a new documentation file detailing Dual-layer Data Encryption for TiDB Cloud Premium. The feedback focuses on aligning the document with the repository style guide, specifically correcting heading capitalization to sentence case, formatting step-by-step instructions as ordered lists, ensuring consistent bolding of UI elements, and fixing minor grammatical and punctuation issues.
| 8. Click **Test and Add KMS Key ARN** to verify the key access configuration. | ||
| 9. Once the verification passes, click **Create** to finish creating your {{{ .premium }}} instance. | ||
|
|
||
| #### Option 2: Service-Managed Encryption Key |
Use sentence case for headings as per the repository style guide.
| #### Option 2: Service-Managed Encryption Key | |
| #### Option 2: Service-managed encryption key |
References
- Use sentence case for headings (e.g., `## Configure the cluster`). (link)
| #### Option 2: Service-Managed Encryption Key | ||
|
|
||
| To let TiDB Cloud automatically manage the encryption key for you, follow these steps: | ||
| 1. On the Security page of your {{{ .premium }}} instance, click **Enable** in the Dual-layer Data Encryption section. | ||
| 2. Select **Service-Managed Encryption Key**. | ||
| 3. Click **Enable**. |
Improve formatting and heading style:
- Use sentence case for the heading.
- Bold "Security" page and "Dual-Layer Data Encryption" section consistently.
- Add a blank line before the list to adhere to the style guide.
| #### Option 2: Service-Managed Encryption Key | |
| To let TiDB Cloud automatically manage the encryption key for you, follow these steps: | |
| 1. On the Security page of your {{{ .premium }}} instance, click **Enable** in the Dual-layer Data Encryption section. | |
| 2. Select **Service-Managed Encryption Key**. | |
| 3. Click **Enable**. | |
| #### Option 2: Service-managed encryption key | |
| To let TiDB Cloud automatically manage the encryption key for you, follow these steps: | |
| 1. On the **Security** page of your {{{ .premium }}} instance, click **Enable** in the **Dual-Layer Data Encryption** section. | |
| 2. Select **Service-Managed Encryption Key**. | |
| 3. Click **Enable**. |
| - **Maintain key availability**: Even if you delete the original Premium TiDB instance, the associated KMS master key must remain active to successfully recover the backup data. | ||
| - **Ensure correct authorization**: During a restore operation, you must configure the exact same KMS master key associated with the backup and ensure it has the proper permissions for data access. | ||
|
|
||
| ### Key Management Mechanism |
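Review bot: The two bullets on key availability and authorization say "Premium TiDB instance", while the numbered steps elsewhere in this file use `{{{ .premium }}} instance`; use the variable here as well so the product name stays consistent. The first bullet should also say which key states count as not "active", since that is the condition the reader has to maintain to keep the backup recoverable.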
Use sentence case for headings as per the repository style guide.
| ### Key Management Mechanism | |
| ### Key management mechanism |
References
- Use sentence case for headings (e.g., `## Configure the cluster`). (link)
| Premium's Dual-layer Data Encryption uses your cloud provider KMS to manage master keys for data-at-rest encryption. Depending on your compliance and maintenance requirements, you can choose between two key management options: | ||
|
|
||
| 1. **Customer-Managed Encryption Key (CMEK)**: You provide and manage your own cloud provider KMS master key. This option offers maximum control over your encryption, making it ideal for organizations prioritizing strict security. | ||
| - **Important:** You are fully responsible for maintaining the key's security and availability. If the configured CMEK is deleted, your Premium TiDB instance will malfunction, and the encrypted data will become permanently unrecoverable. | ||
|
|
||
| 2. **Service-Managed Encryption Key**:TiDB Cloud Premium automatically provisions and maintains the KMS master key for you, offering a balance of security and convenience with zero maintenance overhead. | ||
| - Key Characteristics: | ||
| - It is a symmetric encryption key. | ||
| - It is automatically generated when you create your first encrypted Premium TiDB instance in a specific region. | ||
| - TiDB Cloud creates one key per organization per region, which is shared across all your Premium instances within that region. | ||
| - The key is automatically removed only after all data encrypted by it within your organization has been completely deleted |
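Review bot: The **Important** sub-bullet under CMEK covers only the case where the key is deleted; it should also say what happens when the key is disabled or TiDB Cloud's access to it is revoked, and whether the instance recovers once access is restored. Readers will treat this bullet as the complete list of key-side actions that affect their data, so the non-destructive cases belong next to the destructive one.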
Improve formatting and grammar:
- Replace full-width colons (：) with half-width colons (:).
- Indent sub-lists properly under ordered list items.
- Use possessive "cloud provider's".
- Add a missing period at the end of the last list item.
| Premium's Dual-layer Data Encryption uses your cloud provider KMS to manage master keys for data-at-rest encryption. Depending on your compliance and maintenance requirements, you can choose between two key management options: | |
| 1. **Customer-Managed Encryption Key (CMEK)**: You provide and manage your own cloud provider KMS master key. This option offers maximum control over your encryption, making it ideal for organizations prioritizing strict security. | |
| - **Important:** You are fully responsible for maintaining the key's security and availability. If the configured CMEK is deleted, your Premium TiDB instance will malfunction, and the encrypted data will become permanently unrecoverable. | |
| 2. **Service-Managed Encryption Key**:TiDB Cloud Premium automatically provisions and maintains the KMS master key for you, offering a balance of security and convenience with zero maintenance overhead. | |
| - Key Characteristics: | |
| - It is a symmetric encryption key. | |
| - It is automatically generated when you create your first encrypted Premium TiDB instance in a specific region. | |
| - TiDB Cloud creates one key per organization per region, which is shared across all your Premium instances within that region. | |
| - The key is automatically removed only after all data encrypted by it within your organization has been completely deleted | |
| Premium's Dual-layer Data Encryption uses your cloud provider's KMS to manage master keys for data-at-rest encryption. Depending on your compliance and maintenance requirements, you can choose between two key management options: | |
| 1. **Customer-Managed Encryption Key (CMEK)**: You provide and manage your own cloud provider's KMS master key. This option offers maximum control over your encryption, making it ideal for organizations prioritizing strict security. | |
| - **Important:** You are fully responsible for maintaining the key's security and availability. If the configured CMEK is deleted, your Premium TiDB instance will malfunction, and the encrypted data will become permanently unrecoverable. | |
| 2. **Service-Managed Encryption Key**: TiDB Cloud Premium automatically provisions and maintains the KMS master key for you, offering a balance of security and convenience with zero maintenance overhead. | |
| - Key characteristics: | |
| - It is a symmetric encryption key. | |
| - It is automatically generated when you create your first encrypted Premium TiDB instance in a specific region. | |
| - TiDB Cloud creates one key per organization per region, which is shared across all your Premium instances within that region. | |
| - The key is automatically removed only after all data encrypted by it within your organization has been completely deleted. |
References
- Add a blank line before and after headings and lists. (link)
| - Custom encryption algorithms are not supported. Additionally, you can only rotate the KMS master key; rotation of other keys is not supported. | ||
| - Your cloud provider KMS key must reside in the same region as your TiDB instance. Consequently, cross-region restore operations are not supported for CMEK-encrypted backups. | ||
|
|
||
| ## Enable and Manage Encryption |
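Review bot: In the first limitation bullet, "rotation of other keys is not supported" does not say which keys those are; name them so the limitation can be checked against a key rotation policy. In the second bullet, the cross-region restore restriction is stated only for CMEK-encrypted backups, but the service-managed key is described elsewhere in this file as one key per organization per region, so say whether the same restriction applies to backups encrypted with it.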
Use sentence case for headings as per the repository style guide.
| ## Enable and Manage Encryption | |
| ## Enable and manage encryption |
References
- Use sentence case for headings (e.g., `## Configure the cluster`). (link)
| 4. Select **Service-Managed Encryption Key**. | ||
| 5. Click **Create** to finish creating your {{{ .premium }}} instance. | ||
|
|
||
| ### Enable Encryption for an existing instance |
Use sentence case for headings as per the repository style guide.
| ### Enable Encryption for an existing instance | |
| ### Enable encryption for an existing instance |
References
- Use sentence case for headings (e.g., `## Configure the cluster`). (link)
| ### View encryption status | ||
|
|
||
| Once encryption is enabled, you can verify its status and configuration details in the following two places: | ||
| - Check the **Encryption** property on the **Overview** page of the instance to see the active key management method (either **Enabled with Customer-Managed Encryption Key (CMEK)** or **Enabled with Service-Managed Encryption Key**). | ||
| - Navigate to the Security page to view the detailed configuration properties of your Dual-layer Data Encryption. |
Improve formatting:
- Bold "Security" page.
- Add a blank line before the list to adhere to the style guide.
| ### View encryption status | |
| Once encryption is enabled, you can verify its status and configuration details in the following two places: | |
| - Check the **Encryption** property on the **Overview** page of the instance to see the active key management method (either **Enabled with Customer-Managed Encryption Key (CMEK)** or **Enabled with Service-Managed Encryption Key**). | |
| - Navigate to the Security page to view the detailed configuration properties of your Dual-layer Data Encryption. | |
| ### View encryption status | |
| Once encryption is enabled, you can verify its status and configuration details in the following two places: | |
| - Check the **Encryption** property on the **Overview** page of the instance to see the active key management method (either **Enabled with Customer-Managed Encryption Key (CMEK)** or **Enabled with Service-Managed Encryption Key**). | |
| - Navigate to the **Security** page to view the detailed configuration properties of your Dual-layer Data Encryption. |
References
- Add a blank line before and after headings and lists. (link)
| #### Customer-Managed Encryption Key (CMEK) | ||
|
|
||
| If the backup is encrypted using a CMEK, you must verify that the new instance can correctly access the KMS master key during the restore process: | ||
|
|
||
| 1. The key ARN will remain unchanged. Click **Check** to proceed with the key access verification. | ||
| 2. The system will check if the authorized TiDB Cloud account in the key policy matches the one associated with the original backup. | ||
| 3. If the TiDB Cloud account in the key policy is the same as the TiDB Cloud account associated with the original backup TiDB instance, no further authorization is required | ||
| 4. If the TiDB Cloud account in the key policy is different from the TiDB Cloud account associated with the original backup TiDB instance, you must copy the provided key policy and update it in your cloud provider KMS. This re-authorizes the key and ensures the new instance can access it. |
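Review bot: Steps 2 to 4 of the CMEK restore list describe what the system checks and its two possible outcomes, not actions, so the ordered list reads as four things to do when only step 1 and part of step 4 are; keep clicking **Check** as the step and move the two outcomes under it as sub-bullets. Step 4 should also say whether the provided key policy replaces the existing policy or is merged into it, and whether **Check** must be run again after the policy is updated.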
Improve formatting and heading style:
- Use sentence case for the heading.
- Add a missing period at the end of step 3.
- Use possessive "cloud provider's".
| #### Customer-Managed Encryption Key (CMEK) | |
| If the backup is encrypted using a CMEK, you must verify that the new instance can correctly access the KMS master key during the restore process: | |
| 1. The key ARN will remain unchanged. Click **Check** to proceed with the key access verification. | |
| 2. The system will check if the authorized TiDB Cloud account in the key policy matches the one associated with the original backup. | |
| 3. If the TiDB Cloud account in the key policy is the same as the TiDB Cloud account associated with the original backup TiDB instance, no further authorization is required | |
| 4. If the TiDB Cloud account in the key policy is different from the TiDB Cloud account associated with the original backup TiDB instance, you must copy the provided key policy and update it in your cloud provider KMS. This re-authorizes the key and ensures the new instance can access it. | |
| #### Customer-managed encryption key (CMEK) | |
| If the backup is encrypted using a CMEK, you must verify that the new instance can correctly access the KMS master key during the restore process: | |
| 1. The key ARN will remain unchanged. Click **Check** to proceed with the key access verification. | |
| 2. The system will check if the authorized TiDB Cloud account in the key policy matches the one associated with the original backup. | |
| 3. If the TiDB Cloud account in the key policy is the same as the TiDB Cloud account associated with the original backup TiDB instance, no further authorization is required. | |
| 4. If the TiDB Cloud account in the key policy is different from the TiDB Cloud account associated with the original backup TiDB instance, you must copy the provided key policy and update it in your cloud provider's KMS. This re-authorizes the key and ensures the new instance can access it. |
References
- Use sentence case for headings (e.g., `## Configure the cluster`). (link)
| 3. If the TiDB Cloud account in the key policy is the same as the TiDB Cloud account associated with the original backup TiDB instance, no further authorization is required | ||
| 4. If the TiDB Cloud account in the key policy is different from the TiDB Cloud account associated with the original backup TiDB instance, you must copy the provided key policy and update it in your cloud provider KMS. This re-authorizes the key and ensures the new instance can access it. | ||
|
|
||
| #### Service-Managed Encryption Key |
Use sentence case for headings as per the repository style guide.
| #### Service-Managed Encryption Key | |
| #### Service-managed encryption key |
References
- Use sentence case for headings (e.g., `## Configure the cluster`). (link)
| > **Note:** | ||
| > | ||
| > Enable Encryption on an existing instance requires some time to complete the activation process. |
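Review bot: "requires some time" in this note gives the reader nothing to plan around; say roughly how long activation takes or where its progress is shown, and whether the instance stays available while activation runs.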
Use the gerund form "Enabling encryption" and lowercase "encryption" for better readability.
| > **Note:** | |
| > | |
| > Enable Encryption on an existing instance requires some time to complete the activation process. | |
| > **Note:** | |
| > | |
| > Enabling encryption on an existing instance requires some time to complete the activation process. |
First-time contributors' checklist
What is changed, added or deleted? (Required)
Which TiDB version(s) do your changes apply to? (Required)
Tips for choosing the affected version(s):
By default, CHOOSE MASTER ONLY so your changes will be applied to the next TiDB major or minor releases. If your PR involves a product feature behavior change or a compatibility change, CHOOSE THE AFFECTED RELEASE BRANCH(ES) AND MASTER.
For details, see tips for choosing the affected versions.
What is the related PR or file link(s)?
Do your changes match any of the following descriptions?