Add explanation to dual-layer encryption #22210
base: release-8.5
Changes from 1 commit
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -221,6 +221,18 @@ TiDB Cloud safeguards static data with advanced encryption capabilities, ensurin | |||||
|
|
||||||
| - For TiDB Cloud Dedicated clusters without CMEK, TiDB Cloud uses escrow keys; {{{ .starter }}} and {{{ .essential }}} clusters rely exclusively on escrow keys. | ||||||
|
|
||||||
| **Dual-layer Encryption** | ||||||
|
|
||||||
| - Dual-layer encryption is where two or more independent layers of encryption are enabled to protect against compromises of any one layer of encryption. Using two layers of encryption mitigates threats that come with encrypting data. | ||||||
sunxiaoguang marked this conversation as resolved.
|
||||||
|
|
||||||
| - All persisted data is encrypted-at-rest using the tool of the cloud provider that your cluster is running in. | ||||||
|
For better clarity and adherence to the style guide's preference for active voice (line 43), consider rephrasing this sentence. Using 'encrypted at rest' instead of 'encrypted-at-rest' would also improve consistency with other parts of the document (e.g., line 230).
|
||||||
|
|
||||||
| - With dual-layer encryption enabled, data is automatically encrypted at rest using CMEK or escrow keys. | ||||||
|
This sentence could be clearer about this being the second layer of encryption, building upon the cloud provider's encryption mentioned previously. The suggested phrasing makes this relationship explicit.
|
||||||
|
|
||||||
| - Dual-layer encryption is disabled by default for {{{ .starter }}} clusters and enabled by default for {{{ .essential }}} clusters. | ||||||
|
|
||||||
| - Dual-layer encryption is mandatory for TiDB Cloud Dedicated clusters. | ||||||
|
|
||||||
| **Best practices:** | ||||||
|
|
||||||
| - Regularly rotate CMEK keys to enhance security and meet compliance standards. | ||||||
|
|
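Review bot: the definition bullet under **Dual-layer Encryption** calls the layers "independent" and says two layers "mitigates threats that come with encrypting data", but neither it nor the two bullets after it says what makes the layers independent or which threat each layer addresses. Name the layers explicitly (first the cloud provider's encryption, second the CMEK or escrow-key layer) and state who holds the keys for each, so a reader can tell what a compromise of one layer would expose. The definition also says "two or more" layers while the section describes exactly two; pick one. The "disabled by default for {{{ .starter }}}" bullet should say whether the provider layer still applies when dual-layer encryption is off and point to where it can be enabled.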
@@ -255,4 +267,4 @@ Records detailed database operations, including executed SQL statements and user | |||||
|
|
||||||
| - Use logs for compliance reporting and forensic analysis. | ||||||
|
|
||||||
| For more information, see [Console Audit Logging](/tidb-cloud/tidb-cloud-console-auditing.md) and [Database Audit Logging](/tidb-cloud/tidb-cloud-auditing.md). | ||||||
| For more information, see [Console Audit Logging](/tidb-cloud/tidb-cloud-console-auditing.md) and [Database Audit Logging](/tidb-cloud/tidb-cloud-auditing.md). | ||||||
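Review bot: the "For more information, see ..." line at the end of this hunk is removed and re-added with no visible difference, which points to a whitespace or end-of-file newline change unrelated to the dual-layer encryption text. If it is unintentional, revert it so the PR touches only the encryption section; if it fixes a missing trailing newline, say so in the commit message.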