Basic database information
Database version: v6.5.3
Database architecture:

In total, two tables with TiFlash replicas and two ordinary tables were set up, 300k rows each.
I. Encryption at rest on TiKV: setup steps (identical for TiFlash)
1.1 Configure the master key file on each TiKV server
Each TiKV server needs a master key file. The file must contain a 256-bit (32-byte) hexadecimal string terminated by a newline (\n) and nothing else. Example key file:
3b5896b5be691006e0f71c3040a29495ddcad20b14aff61806940ebd780d3c62
tiup cluster exec tidb-test --command 'mkdir -p /home/tidb/tidb-cluster/path/to/key/ && echo "3b5896b5be691006e0f71c3040a29495ddcad20b14aff61806940ebd780d3c62" > /home/tidb/tidb-cluster/path/to/key/key_file' -R tikv,tiflash
(The outer quotes are single quotes so the inner double quotes survive; echo appends the trailing newline the format requires.)
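As an added example (not from the original post), the script below turns the key-file requirement above into something checkable: it generates a fresh 256-bit key in the required format (64 hex characters plus a single trailing newline, file mode 0600) and validates an existing file against that format, so a malformed key file is caught before it is pushed to the nodes with tiup. Function names are the example's own; the only real value it relies on is the post's sample key format.

```shell
#!/bin/sh
# Added example (not from the original post): create and validate a TiKV/TiFlash
# master key file. Required format: exactly 64 hex characters (256 bits) followed
# by one newline and nothing else. Function names are this example's own.

# Write a fresh random 256-bit key to the file given as $1, mode 0600.
gen_master_key_file() {
    # 32 random bytes -> 64 hex characters; dd, od and tr are POSIX, no openssl needed
    hex=$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    # umask in a subshell so the file is created 0600 without touching the caller's umask
    ( umask 077; printf '%s\n' "$hex" > "$1" )
    chmod 600 "$1"
}

# Return 0 if $1 is a well-formed key file, 1 otherwise. Catches the usual
# mistakes: missing trailing newline, CRLF line ending, blank second line,
# wrong key length, non-hex characters, extra content after the key.
validate_master_key_file() {
    [ -f "$1" ] || return 1
    # 64 hex chars + 1 newline = 65 bytes exactly
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 65 ] || return 1
    # -x: the single line must consist of 64 hex digits and nothing else
    grep -Eqx '[0-9a-fA-F]{64}' "$1" || return 1
    return 0
}

# Demo: generate a key into a temporary directory, validate it, clean up.
tmpdir=$(mktemp -d)
gen_master_key_file "$tmpdir/key_file"
if validate_master_key_file "$tmpdir/key_file"; then
    echo "generated key file is well-formed: $tmpdir/key_file"
fi
rm -rf "$tmpdir"
```

Run the validator against the file on every node (for example through `tiup cluster exec ... -R tikv,tiflash`) before the reload in 1.3; a key file that fails it will stop the component from starting.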
1.2 Edit the TiKV configuration parameters
server_configs:
  tidb: {}
  tikv:
    security.encryption:
      data-encryption-method: aes128-ctr
      master-key:
        path: /home/tidb/tidb-cluster/path/to/key/key_file
        type: file
# data-encryption-method: the encryption algorithm
# path: path of the master key file
# type: type of the master key (file)
1.3 Restart the cluster
tiup cluster reload tidb-test
1.4 Verify that encryption is in effect
- TiKV-Details -> Encryption

- TiFlash-Proxy-Details -> Encryption

- Encryption initialized: 1 if encryption was initialized during TiKV startup, otherwise 0. During a master key rotation this panel shows whether the rotation has completed.
- Encryption data keys: the number of existing data keys. It increases by 1 each time the data key is rotated, so it shows whether data keys are rotated as expected.
- Encrypted files: the current number of encrypted data files. When enabling encryption on a previously unencrypted cluster, compare this number with the number of data files in the data directory to estimate how much data has already been encrypted.
- Encryption meta file size: size of the encryption metadata file.
- Read/Write encryption meta duration: the extra overhead of operating on the encryption metadata.
II. Routine operations tested with TiKV/TiFlash encryption at rest
2.1 All Dashboard functions work normally
Cluster Info, Top SQL, SQL Statements, Slow Queries, Key Visualizer and Cluster Diagnostics in the Dashboard all behaved normally.
2.2 Data insertion test
Two tables of 300k rows were created with sysbench; creation succeeded.

2.3 Dumpling export test
Export the data with Dumpling; the export command:
/home/tidb/tidb-community-toolkit-v6.5.3-linux-amd64/dumpling \
  -u root -P 4000 -h 192.168.146.132 -r 200000 -F256MiB \
  -o /home/tidb/test-date/data_tikv_tiflash -B sbtest,test
The export worked and the data in the SQL files displayed correctly.

2.4 Lightning import test (into the encrypted database)
Import the export into the database with Lightning; the configuration file:
#lightning.toml
[lightning]
check-requirements = false
index-concurrency = 2
table-concurrency = 6
io-concurrency = 5
[checkpoint]
enable = true
schema = "tidb_lightning_checkpoint"
driver = "file"
dsn = "/home/tidb/tidb_lightning_checkpoint.pb"
keep-after-success = false
[tikv-importer]
backend = "local"
sorted-kv-dir = "/home/tidb/"
[mydumper]
read-block-size = "64KiB"
batch-import-ratio = 0.75
data-source-dir = "/home/tidb/test-date/data_tikv_tiflash"
character-set = "auto"
strict-format = false
filter = ['*.*', '!mysql.*', '!sys.*', '!INFORMATION_SCHEMA.*', '!PERFORMANCE_SCHEMA.*', '!METRICS_SCHEMA.*', '!INSPECTION_SCHEMA.*']
[tidb]
host = "192.168.146.130"
port = 4000
user = "root"
password = ""
status-port = 10080
pd-addr = "192.168.146.131:2379"
log-level = "error"
build-stats-concurrency = 20
distsql-scan-concurrency = 15
index-serial-scan-concurrency = 20
checksum-table-concurrency = 2
[cron]
switch-mode = "1m"
log-progress = "1m"
#Command
/home/tidb/tidb-community-toolkit-v6.5.3-linux-amd64/tidb-lightning -config /home/tidb/lightning.toml
The Lightning import worked and the data displayed correctly.


2.5 Lightning import test (into an unencrypted database)
Use Lightning to import the data from the encrypted database into an unencrypted database (same configuration as above, changing only the IP, port and paths).
The import worked and the data displayed correctly.

2.6 Data comparison between the encrypted and unencrypted databases
Use sync-diff-inspector; the configuration file:
#sync-diff.toml
# Diff Configuration.
check-thread-count = 2
export-fix-sql = true
check-struct-only = false
[data-sources]
[data-sources.mysql1]
host = "192.168.146.132"
port = 4000
user = "root"
password = ""
[data-sources.tidb0]
host = "192.168.146.131"
port = 4091
user = "root"
password = ""
[task]
output-dir = "/home/tidb/output"
source-instances = ["mysql1"]
target-instance = "tidb0"
target-check-tables = ["sbtest.*", "test.*"]
#Command
/home/tidb/tidb-community-toolkit-v6.5.3-linux-amd64/sync_diff_inspector --config=/home/tidb/sync-diff.toml
The comparison tool ran normally and the comparison result was as expected.


2.7 BR backup and restore test
(1) Create the backup directory on the TiKV nodes
tiup cluster exec tidb-test --command "mkdir -p /home/tidb/backup/" -R tikv
(2) Back up with br
tiup br backup full \
  --pd "192.168.146.130:2379" \
  --storage "local:///home/tidb/backup/"
The full backup succeeded.

(3) Restore with br
tiup br restore full \
  --pd "192.168.146.130:2379" \
  --storage "local:///home/tidb/backup/"

2.8 TiDB Binlog incremental replication test
(1) Scale out Pump
pump_servers:
  - host: 192.168.146.131
    ssh_port: 22
    port: 8250
tiup cluster scale-out tidb-test ./pump.yaml --user tidb -p
(2) Enable binlog
# Edit the configuration: tiup cluster edit-config tidb-test
server_configs:
  tidb:
    binlog.enable: true
    binlog.ignore-error: true
(3) Scale out Drainer
drainer_servers:
  - host: 192.168.146.130
    commit_ts: -1
    config:
      syncer.db-type: "tidb"
      syncer.to.host: "192.168.146.131"
      syncer.to.user: "root"
      syncer.to.password: ""
      syncer.to.port: 4091
tiup cluster scale-out tidb-test ./drainer.yaml --user tidb -p
(4) Create two tables, one of them with a TiFlash replica, and check that the data is eventually replicated correctly
TiKV table:
CREATE TABLE students (
student_id INT PRIMARY KEY,
first_name VARCHAR(50),
last_name VARCHAR(50),
age INT
);
INSERT INTO students (student_id, first_name, last_name, age)
VALUES (1, 'John', 'Doe', 20);
UPDATE students
SET age = age + 1
WHERE student_id = 1;
INSERT INTO students (student_id, first_name, last_name, age)
VALUES (2, 'Jane', 'Smith', 22);
DELETE FROM students
WHERE student_id = 1;
UPDATE students
SET last_name = 'Johnson'
WHERE student_id = 2;
TiFlash table:
CREATE TABLE employees (
employee_id INT PRIMARY KEY,
first_name VARCHAR(50),
last_name VARCHAR(50),
department VARCHAR(50),
salary DECIMAL(10, 2)
);
ALTER TABLE employees SET TIFLASH REPLICA 2;
INSERT INTO employees (employee_id, first_name, last_name, department, salary)
VALUES (101, 'Alice', 'Johnson', 'HR', 45000.00);
UPDATE employees
SET salary = 48000.00
WHERE employee_id = 101;
INSERT INTO employees (employee_id, first_name, last_name, department, salary)
VALUES (102, 'Bob', 'Smith', 'IT', 55000.00);
DELETE FROM employees
WHERE employee_id = 101;
UPDATE employees
SET department = 'Finance'
WHERE employee_id = 102;
TiKV table, results on the primary and secondary clusters:


TiFlash table, results on the primary and secondary clusters:


2.9 TiCDC incremental replication test
(1) Scale out TiCDC
cdc_servers:
  - host: 192.168.146.130
    gc-ttl: 86400
    data_dir: "/home/tidb/cdc-data"
# tiup cluster scale-out tidb-test ./cdc.yaml --user tidb -p
(2) Create the replication task
cdc cli changefeed create \
  --server=http://192.168.146.130:8300 \
  --sink-uri="mysql://root:@192.168.146.131:4091/" \
  --changefeed-id="simple-replication-task"
(3) Check that incremental replication between the clusters works
The test data is the same as in the binlog test; the result was normal.
2.10 TiKV Control command test
Create a toml file that specifies the TiKV data directory and the master key
[storage]
data-dir = "/home/tidb/tidb-cluster/data1/tidb-data/tikv-20160"
[security.encryption.master-key]
type = "file"
path = "/home/tidb/tidb-cluster/path/to/key/key_file"
Inspect with the tikv-ctl command

2.11 Rotate the master key
(1) Edit the configuration and add the new key to rotate to
Put the new key under master-key and the old key under previous-master-key:
server_configs:
  tidb: {}
  tikv:
    security.encryption:
      data-encryption-method: aes128-ctr
      previous-master-key:
        path: /home/tidb/tidb-cluster/path/to/key/key_file
        type: file
      master-key:
        path: /home/tidb/tidb-cluster/path/to/key/key_file_new
        type: file
  pd:
    replication.location-labels:
      - dc
    security.encryption:
      data-encryption-method: aes128-ctr
      previous-master-key:
        path: /home/tidb/tidb-cluster/path/to/key/key_file
        type: file
      master-key:
        path: /home/tidb/tidb-cluster/path/to/key/key_file_new
        type: file
  tidb_dashboard: {}
  tiflash: {}
  tiflash-learner:
    security.encryption:
      data-encryption-method: aes128-ctr
      previous-master-key:
        path: /home/tidb/tidb-cluster/path/to/key/key_file
        type: file
      master-key:
        path: /home/tidb/tidb-cluster/path/to/key/key_file_new
        type: file
(2) Start a sysbench load test

(3) Reload the cluster to rotate the master key
tiup cluster reload tidb-test -R tikv,tiflash,pd
Show config confirms that the key has been replaced

Watching the sysbench run, the impact on the workload was small, because the reload is a rolling one.
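As an added example (not from the original post), a small pre-flight script for the rotation in steps (1) to (3) above: before editing the configuration and reloading, it checks that both key files are well-formed, that the new key actually differs from the old one (otherwise the reload rotates nothing), and prints the security.encryption block with the old key under previous-master-key and the new key under master-key in the layout used above. Function names are the example's own, and the two key paths in the demo are the placeholders from the post.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for a master key
# rotation. OLD is the key currently in use (goes under previous-master-key),
# NEW is the key to rotate to (goes under master-key). Function names are this
# example's own.

# 0 if $1 is exactly 64 hex characters plus one trailing newline (65 bytes)
key_file_ok() {
    [ -f "$1" ] && [ "$(wc -c < "$1" | tr -d ' ')" -eq 65 ] \
        && grep -Eqx '[0-9a-fA-F]{64}' "$1"
}

# rotation_precheck OLD NEW
# returns 0 when it is safe to proceed, 2 if OLD is malformed, 3 if NEW is
# malformed, 4 if NEW has the same content as OLD (a reload would change nothing)
rotation_precheck() {
    old="$1"; new="$2"
    key_file_ok "$old" || { echo "previous-master-key $old: not a valid key file" >&2; return 2; }
    key_file_ok "$new" || { echo "master-key $new: not a valid key file" >&2; return 3; }
    if [ "$(cat "$old")" = "$(cat "$new")" ]; then
        echo "master-key $new has the same content as $old: nothing to rotate" >&2
        return 4
    fi
    return 0
}

# Print the security.encryption block to put under tikv:, pd: and
# tiflash-learner: in `tiup cluster edit-config`, indented as in the post.
rotation_yaml() {
    cat <<EOF
    security.encryption:
      data-encryption-method: aes128-ctr
      previous-master-key:
        path: $1
        type: file
      master-key:
        path: $2
        type: file
EOF
}

# Demo with the post's placeholder paths; point OLD_KEY/NEW_KEY at the real files.
OLD_KEY="${OLD_KEY:-/home/tidb/tidb-cluster/path/to/key/key_file}"
NEW_KEY="${NEW_KEY:-/home/tidb/tidb-cluster/path/to/key/key_file_new}"
if rotation_precheck "$OLD_KEY" "$NEW_KEY"; then
    rotation_yaml "$OLD_KEY" "$NEW_KEY"
    echo "next: tiup cluster reload tidb-test -R tikv,tiflash,pd"
fi
```

Run it on each node that holds the key files (the check is per file, not per cluster) and only then reload; after the rolling reload, the Encryption initialized panel from 1.4 is the place to confirm the rotation completed.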

III. Encryption at rest on PD: setup steps (experimental feature, not recommended)
(1) Configure a master key; it can be shared with TiKV
(2) Edit the PD configuration and reload
pd:
  replication.location-labels:
    - dc
  security.encryption:
    data-encryption-method: aes128-ctr
    master-key:
      path: /home/tidb/tidb-cluster/path/to/key/key_file_new
      type: file
tiup cluster reload tidb-test -R pd
(3) Use show config to confirm that the PD configuration was changed
show config where name like "%data-encryption-method%" and type = "pd";
+------+----------------------+--------------------------------------------+------------+
| Type | Instance             | Name                                       | Value      |
+------+----------------------+--------------------------------------------+------------+
| pd | 192.168.146.130:2379 | security.encryption.data-encryption-method | aes128-ctr |
| pd | 192.168.146.131:2379 | security.encryption.data-encryption-method | aes128-ctr |
| pd | 192.168.146.132:2379 | security.encryption.data-encryption-method | aes128-ctr |
+------+----------------------+--------------------------------------------+------------+
Notes
(1) Encryption at rest only encrypts data at rest (data on disk), not data in transit on the network. To encrypt network traffic, enable TLS.
(2) Logs are not encrypted; enabling log desensitization is recommended.
(3) TiKV currently does not exclude encryption keys and user data from core dumps. Disabling core dumps for the TiKV process is recommended when encryption at rest is in use.
Steps to disable core dumps:
1. Get the TiKV process ID
ps -ef | grep tikv  # gives the process ID, e.g. 106284
2. Disable core dumps for that process
echo 0 > /proc/[PID]/coredump_filter
Note:
TiKV itself has no option to disable core dumps; it has to be done manually.
If the process ID changes afterwards, the setting has to be applied again; alternatively, disable core dumps for the whole server.
(4) Once encryption is enabled, do not change the data file path settings, such as storage.data-dir, raftstore.raftdb-path, rocksdb.wal-dir and raftdb.wal-dir.
(5) SM4 encryption causes a throughput regression of 50% to 80%.
(6) The master key must be a 256-bit (32-byte) hexadecimal string.
(7) To turn encryption at rest off by removing parameters, keep the master-key parameter and remove only data-encryption-method: the existing data still depends on the master key to be read, and if everything is removed the component cannot start.
(8) Rotating the master key via SET is not supported; it requires editing the configuration file and a rolling restart.
(9) With S3 storage, TiFlash cannot use encryption at rest, because a TiFlash node cannot tell whether a file was generated by this node and therefore which key it was encrypted with.
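As an added example (not from the original post), the script below automates note (3): it finds every running tikv-server process, writes 0 to its /proc/<pid>/coredump_filter (the post's step 2, which leaves the process's memory out of any core file) and reads the mask back to confirm, so it can simply be re-run after a restart when the PID has changed. PROC_ROOT and TIKV_PIDS are assumptions of this example that let the logic be exercised against a directory mimicking /proc; on a real node leave them unset and run it as root. Function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): apply note (3)'s core-dump
# mitigation to every running tikv-server process and verify it. PROC_ROOT and
# TIKV_PIDS are overrides for testing against a fake /proc; function names are
# this example's own.

PROC_ROOT="${PROC_ROOT:-/proc}"

# PIDs of tikv-server processes. The post used `ps -ef | grep tikv`; pgrep -x
# matches the exact process name and never matches the grep itself.
tikv_pids() {
    if [ -n "${TIKV_PIDS:-}" ]; then
        echo "$TIKV_PIDS"
    else
        pgrep -x tikv-server
    fi
}

# Core dump mask of PID $1 as the kernel reports it (8 hex digits, e.g. 00000033).
coredump_filter_of() {
    cat "$PROC_ROOT/$1/coredump_filter"
}

# Set the mask to 0 for PID $1 and confirm it; returns 1 if that is not possible
# (not running as root, or the process is gone).
disable_coredump_for_pid() {
    f="$PROC_ROOT/$1/coredump_filter"
    if [ ! -w "$f" ]; then
        echo "cannot write $f (not root, or process $1 gone?)" >&2
        return 1
    fi
    echo 0 > "$f"
    # strip leading zeros: an all-zero mask leaves an empty string
    [ -z "$(coredump_filter_of "$1" | sed 's/^0*//')" ]
}

# Apply to every tikv-server process; non-zero exit if none was found or
# any of them could not be set.
disable_tikv_coredumps() {
    pids=$(tikv_pids)
    if [ -z "$pids" ]; then
        echo "no tikv-server process found" >&2
        return 1
    fi
    fail=0
    for p in $pids; do
        if disable_coredump_for_pid "$p"; then
            echo "pid $p: coredump_filter set to 0"
        else
            fail=$((fail + 1))
        fi
    done
    return "$fail"
}

# Usage: sh disable_tikv_coredumps.sh apply   (as root, on each TiKV node)
if [ "${1:-}" = "apply" ]; then
    disable_tikv_coredumps
fi
```

Because the mask belongs to the process, not the binary, the script has to run again after every TiKV restart, which is the caveat the post makes; scheduling it (or hooking it into whatever restarts TiKV) avoids forgetting. The server-wide alternative the post mentions removes that dependency on the PID.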