From 805a462d7d001d958905e530132a422d8cfb8ebd Mon Sep 17 00:00:00 2001 From: Xiaoguang Sun Date: Sat, 20 Dec 2025 12:55:05 +0800 Subject: [PATCH 1/4] Add explanation to dual-layer encryption Signed-off-by: Xiaoguang Sun --- tidb-cloud/security-concepts.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/tidb-cloud/security-concepts.md b/tidb-cloud/security-concepts.md index c4da4ca74e275..dd52d0fc448cb 100644 --- a/tidb-cloud/security-concepts.md +++ b/tidb-cloud/security-concepts.md @@ -221,6 +221,18 @@ TiDB Cloud safeguards static data with advanced encryption capabilities, ensurin - For TiDB Cloud Dedicated clusters without CMEK, TiDB Cloud uses escrow keys; {{{ .starter }}} and {{{ .essential }}} clusters rely exclusively on escrow keys. +**Dual-layer Encryption** + +- Dual-layer encryption is where two or more independent layers of encryption are enabled to protect against compromises of any one layer of encryption. Using two layers of encryption mitigates threats that come with encrypting data. + +- All persisted data is encrypted-at-rest using the tool of the cloud provider that your cluster is running in. + +- With dual-layer encryption enabled, data is automatically encrypted at rest using CMEK or escrow keys. + +- Dual-layer encryption is disabled by default for {{{ .starter }}} clusters and enabled by default for {{{ .essential }}} clusters. + +- Dual-layer encryption is mandatory for TiDB Cloud Dedicated clusters. + **Best practices:** - Regularly rotate CMEK keys to enhance security and meet compliance standards. 
@@ -255,4 +267,4 @@ Records detailed database operations, including executed SQL statements and user - Use logs for compliance reporting and forensic analysis. -For more information, see [Console Audit Logging](/tidb-cloud/tidb-cloud-console-auditing.md) and [Database Audit Logging](/tidb-cloud/tidb-cloud-auditing.md). \ No newline at end of file +For more information, see [Console Audit Logging](/tidb-cloud/tidb-cloud-console-auditing.md) and [Database Audit Logging](/tidb-cloud/tidb-cloud-auditing.md). From 2ba2b739c2c524af0c81a4109e1276b5fb0ba670 Mon Sep 17 00:00:00 2001 From: Xiaoguang Sun Date: Sat, 20 Dec 2025 12:57:19 +0800 Subject: [PATCH 2/4] Update tidb-cloud/security-concepts.md Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- tidb-cloud/security-concepts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tidb-cloud/security-concepts.md b/tidb-cloud/security-concepts.md index dd52d0fc448cb..ebec7e11ceec9 100644 --- a/tidb-cloud/security-concepts.md +++ b/tidb-cloud/security-concepts.md @@ -221,7 +221,7 @@ TiDB Cloud safeguards static data with advanced encryption capabilities, ensurin - For TiDB Cloud Dedicated clusters without CMEK, TiDB Cloud uses escrow keys; {{{ .starter }}} and {{{ .essential }}} clusters rely exclusively on escrow keys. -**Dual-layer Encryption** +**Dual-layer encryption** - Dual-layer encryption is where two or more independent layers of encryption are enabled to protect against compromises of any one layer of encryption. Using two layers of encryption mitigates threats that come with encrypting data. From 33f66167add3d0a366e87957d89236fc50362b52 Mon Sep 17 00:00:00 2001 
From: Xiaoguang Sun Date: Sat, 20 Dec 2025 12:57:42 +0800 Subject: [PATCH 3/4] Update tidb-cloud/security-concepts.md Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- tidb-cloud/security-concepts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tidb-cloud/security-concepts.md b/tidb-cloud/security-concepts.md index ebec7e11ceec9..3aa7aceec08ac 100644 --- a/tidb-cloud/security-concepts.md +++ b/tidb-cloud/security-concepts.md @@ -223,7 +223,7 @@ TiDB Cloud safeguards static data with advanced encryption capabilities, ensurin **Dual-layer encryption** -- Dual-layer encryption is where two or more independent layers of encryption are enabled to protect against compromises of any one layer of encryption. Using two layers of encryption mitigates threats that come with encrypting data. +- Dual-layer encryption protects data with two or more independent layers of encryption. This method provides enhanced security by protecting against the compromise of any single encryption layer. - All persisted data is encrypted-at-rest using the tool of the cloud provider that your cluster is running in. From 3f75ac533f3d2df8ca2e1424324acfe96f735a71 Mon Sep 17 00:00:00 2001 From: Lilian Lee Date: Mon, 22 Dec 2025 11:23:40 +0800 Subject: [PATCH 4/4] Apply suggestions from code review Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- tidb-cloud/security-concepts.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tidb-cloud/security-concepts.md b/tidb-cloud/security-concepts.md index 3aa7aceec08ac..56ef03da04ac3 100644 --- a/tidb-cloud/security-concepts.md +++ b/tidb-cloud/security-concepts.md 
@@ -225,9 +225,9 @@ TiDB Cloud safeguards static data with advanced encryption capabilities, ensurin - Dual-layer encryption protects data with two or more independent layers of encryption. This method provides enhanced security by protecting against the compromise of any single encryption layer. -- All persisted data is encrypted-at-rest using the tool of the cloud provider that your cluster is running in. +- The cloud provider where your cluster is running encrypts all persisted data at rest using its native tools. -- With dual-layer encryption enabled, data is automatically encrypted at rest using CMEK or escrow keys. +- With dual-layer encryption enabled, TiDB Cloud adds a second layer of security by automatically encrypting data at rest using either CMEK or escrow keys. - Dual-layer encryption is disabled by default for {{{ .starter }}} clusters and enabled by default for {{{ .essential }}} clusters.
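Review bot: In patch 1/4, the second sentence of the first new bullet ("Using two layers of encryption mitigates threats that come with encrypting data") reads as if encrypting data is itself the threat; the point is the compromise of a single layer, so fold it into the first sentence. The bullet "All persisted data is encrypted-at-rest using the tool of the cloud provider that your cluster is running in" should drop the hyphens in "encrypted at rest" and say what "the tool" is (the provider's native at-rest encryption). The section also never says what protection remains when dual-layer encryption is off, which matters for {{{ .starter }}} clusters where it is disabled by default; add a sentence such as "When dual-layer encryption is disabled, data at rest is protected only by the cloud provider's encryption." Consider ordering the tier bullets Dedicated, {{{ .essential }}}, {{{ .starter }}} so they read in the same order as the escrow-key bullet above them.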
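Review bot: In patch 2/4 the sentence-case change is fine, but the bold pseudo-heading "**Dual-layer encryption**" still differs from "**Best practices:**" a few lines below, which carries a trailing colon; use one form for both.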
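Review bot: In patch 3/4, "two or more independent layers of encryption" conflicts with the term "dual-layer" and with the bullets that follow, which describe exactly two layers (the cloud provider's and TiDB Cloud's); say "two independent layers". The bullet also asserts independence without saying what makes the layers independent; since the section names the provider's native encryption on one side and TiDB Cloud's CMEK or escrow keys on the other, state that each layer uses its own keys and key management, so the reader can see why compromising one layer does not expose the data.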
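Review bot: In patch 4/4, "adds a second layer of security" in the third bullet should be "adds a second layer of encryption"; the section is about encryption layers and "security" blurs the claim. The rewritten second bullet ("The cloud provider where your cluster is running encrypts all persisted data at rest using its native tools") now sits under the dual-layer heading and reads as part of the feature, yet it applies whether or not dual-layer encryption is enabled; add "regardless of the dual-layer encryption setting" so the two bullets together state what is always on and what the feature adds on top, especially given the trailing context line that says it is disabled by default for {{{ .starter }}} clusters.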