Database Encryption Process
Salesforce's Database Encryption operates at the fragment level, encrypting and decrypting data in chunks, typically 64KB or smaller.
Encryption Process
When a user saves data, if Database Encryption is active, the database encryption service attempts to retrieve the necessary encryption keys from its encrypted key cache. If the key is not in the cache, the service requests the database tenant secret from the regional Key Management System (KMS). Data transfer between the KMS and the encryption service is secured by the mutual TLS (mTLS) protocol, using a regularly rotated certificate. The retrieved tenant secret is then stored in the encrypted key cache.
Once a database fragment is ready to be written, the encryption service generates a unique per-fragment salt. This salt, along with the database tenant secret, is fed into a Key Derivation Function (KDF) to derive a unique Data Encryption Key (DEK) for that specific fragment. The entire fragment is then encrypted using OpenSSL AESGCM-256. The per-fragment salt and an identifier for the key material used are saved alongside the encrypted fragment in the database.
Decryption Process
When an authenticated user requests encrypted data, the database encryption service retrieves the relevant encrypted database fragments, along with their associated per-fragment salt and a reference to the tenant secret used during encryption. The service first checks its key cache for the key material needed to derive the matching DEK. If it is not found, the service requests the database tenant secret from the regional KMS (again, secured by mTLS) and stores it in the cache. The service then feeds the retrieved tenant secret and the per-fragment salt into the KDF to derive the correct DEK. Finally, the data is decrypted and returned to the user.
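The encryption and decryption flows above fit in one small model, written here as an added example; it is not Salesforce code and does not describe Salesforce's internals. The page names the ingredients (a per-fragment salt, a KDF over the tenant secret and salt, AES-GCM-256, the salt and a key identifier stored next to the ciphertext, a key cache in front of the KMS) but not the exact KDF, nonce handling, or wire formats, so those are assumptions: HKDF-SHA256 stands in for "a KDF", a random 12-byte GCM nonce is stored with the fragment, the KMS is an in-memory map instead of an mTLS client, and the key identifier and salt are bound into the GCM tag as additional authenticated data so that corrupted or swapped metadata is rejected rather than silently decrypting to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Fragments are encrypted in chunks of 64 KB or smaller, as the page states.
const maxFragmentSize = 64 * 1024

// kms stands in for the regional Key Management System (assumption: the real one
// is reached over mTLS; here it is an in-memory map keyed by key identifier).
type kms struct{ secrets map[string][]byte }

// EncryptedFragment is what gets persisted: ciphertext plus the per-fragment salt
// and a key identifier, as the page lists. Nonce is an assumption (the page is silent).
type EncryptedFragment struct {
	KeyID      string
	Salt       []byte
	Nonce      []byte
	Ciphertext []byte // AES-GCM output with the 16-byte authentication tag appended
}

// deriveDEK turns the tenant secret and per-fragment salt into a 256-bit DEK.
// The page says only "a KDF"; HKDF-SHA256 (RFC 5869, extract + one expand block)
// is the assumption here, built from crypto/hmac so no extra module is needed.
func deriveDEK(tenantSecret, salt []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(tenantSecret)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("fragment-dek-v1")) // constructed HKDF info label
	expand.Write([]byte{0x01})               // HKDF block counter
	return expand.Sum(nil)                   // 32 bytes = AES-256 key
}

// fragmentAEAD builds the AES-GCM-256 instance for one fragment's DEK.
func fragmentAEAD(tenantSecret, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveDEK(tenantSecret, salt))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds the stored key identifier and salt to the ciphertext, so a swapped or
// corrupted metadata field fails the GCM tag check instead of yielding garbage.
func aad(keyID string, salt []byte) []byte { return append([]byte(keyID), salt...) }

// encryptFragment: fresh salt -> KDF -> per-fragment DEK -> AES-GCM-256, then
// the ciphertext is stored together with its salt and key identifier.
func encryptFragment(keyID string, tenantSecret, plaintext []byte) (EncryptedFragment, error) {
	if len(plaintext) > maxFragmentSize {
		return EncryptedFragment{}, fmt.Errorf("fragment of %d bytes exceeds 64 KB; split it first", len(plaintext))
	}
	rnd := make([]byte, 16+12) // 16-byte salt followed by a 12-byte GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return EncryptedFragment{}, err
	}
	salt, nonce := rnd[:16], rnd[16:]
	gcm, err := fragmentAEAD(tenantSecret, salt)
	if err != nil {
		return EncryptedFragment{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, aad(keyID, salt))
	return EncryptedFragment{KeyID: keyID, Salt: salt, Nonce: nonce, Ciphertext: ct}, nil
}

// decryptor models the database encryption service and its key cache.
type decryptor struct {
	kms   *kms
	cache map[string][]byte // key identifier -> tenant secret; stands in for the encrypted key cache
}

// tenantSecret checks the cache first and only then asks the KMS, as the page describes.
func (d *decryptor) tenantSecret(keyID string) ([]byte, error) {
	if s, ok := d.cache[keyID]; ok {
		return s, nil
	}
	s, ok := d.kms.secrets[keyID] // in the real system: an mTLS request to the regional KMS
	if !ok {
		return nil, fmt.Errorf("KMS has no tenant secret for key id %q", keyID)
	}
	d.cache[keyID] = s
	return s, nil
}

// decryptFragment re-derives the DEK from the stored salt and the tenant secret, then
// authenticates and decrypts; any change to ciphertext, salt or key id fails here.
func (d *decryptor) decryptFragment(f EncryptedFragment) ([]byte, error) {
	secret, err := d.tenantSecret(f.KeyID)
	if err != nil {
		return nil, err
	}
	gcm, err := fragmentAEAD(secret, f.Salt)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, aad(f.KeyID, f.Salt))
}

func main() {
	// constructed tenant secret; a real one is only ever fetched from the KMS
	k := &kms{secrets: map[string][]byte{"tenant-secret-v1": []byte("constructed tenant secret")}}
	svc := &decryptor{kms: k, cache: map[string][]byte{}}
	frag, err := encryptFragment("tenant-secret-v1", k.secrets["tenant-secret-v1"], []byte("constructed record data"))
	if err != nil {
		panic(err)
	}
	pt, err := svc.decryptFragment(frag)
	fmt.Printf("plaintext=%q err=%v secrets cached=%d\n", pt, err, len(svc.cache))
}
```

Two properties worth checking when reviewing a design like this: encrypting the same plaintext twice yields different salts and different ciphertexts (the per-fragment DEK is what makes a leaked ciphertext of one fragment useless against another), and flipping a single bit of the stored salt or key identifier makes decryption fail closed through the GCM tag rather than returning corrupted data.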