
Overview of data transfer encryption

The Transport Layer Security (TLS) protocol provides confidentiality and data integrity between two communicating applications. seekdb adds support for the Secure Sockets Layer (SSL)/TLS protocol on top of its existing Transmission Control Protocol (TCP) communication to encrypt traffic. Encrypting the transmission reduces the risk of sensitive information leaking from the database: data is encrypted and decrypted with a key, which protects it while in transit. In practice, encrypted database transmission is achieved through the SSL or TLS protocol.

Two protocols are used for communication:

  • MySQL protocol: The communication between the driver layer and the data link layer, as well as between the data link layer and the database (DB) layer, uses the extended MySQL protocol. Once communication encryption is enabled, it takes effect immediately, and all new MySQL connections will use encryption for communication.

  • OB-RPC protocol: Communication inside seekdb, and between seekdb and components such as liboblog and ob_admin, uses seekdb's own Remote Procedure Call (RPC) protocol.

The DB layer components, such as seekdb, liboblog, and ob_admin, support SSL/TLS-encrypted communication. They rely on OpenSSL or other third-party SSL libraries to provide encrypted transmission for application traffic.

seekdb supports several SSL authentication mechanisms, configurable per user:

  • One-way SSL authentication: The client loads the server's CA certificate and verifies the validity of the server's certificate; the server does not verify the client.
  • X.509 two-way authentication: The server and the client each load the other end's CA certificate, and both parties verify the validity of the other's certificate.
  • Special two-way authentication (these restrictions can be combined):
    • Authentication with specified encryption algorithms: X.509 two-way authentication that additionally restricts which SSL encryption algorithms may be used.
    • Authentication with specified issuer: X.509 two-way authentication that additionally requires the client certificate to have a specified issuer.
    • Authentication with specified SSL subject: X.509 two-way authentication that additionally requires the client certificate to have a specified subject.
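
The three mechanisms above map directly onto a TLS library's configuration, and the difference between them is easiest to see by running the handshakes. The following Go program is an added example written for this page; it is not seekdb's code, it does not speak the MySQL or OB-RPC protocols, and it assumes nothing about seekdb beyond the mechanism names above. It builds a throwaway PKI in memory (a root CA, a server certificate and a client certificate, all with constructed names) and runs the handshakes over a loopback TCP socket with Go's standard crypto/tls: one-way authentication (only the client verifies the server), X.509 two-way authentication (the server also requires and verifies a client certificate), and the special two-way form with a restricted cipher suite plus an issuer and subject pin on the client certificate, including the handshake that is rejected when the client's subject differs from the pinned one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

const caName, serverName, clientName = "Example Root CA", "seekdb.example", "app-user" // constructed names, not seekdb defaults

// newCert issues a P-256 certificate for cn signed by parent; with parent == nil it is the self-signed root CA.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: parent == nil, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // root CA: may sign certificates, and the template signs itself
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{cn} // the SAN a peer matches against its ServerName
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, perr := x509.ParseCertificate(der) // der is nil if CreateCertificate failed; perr reports that too
	return cert, key, errors.Join(err, perr)
}

// handshake runs one TLS handshake over loopback TCP and returns the cipher suite the server negotiated; the errors of whichever sides rejected it come back joined.
func handshake(serverCfg, clientCfg *tls.Config) (suite uint16, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	done := make(chan error, 1) // suite is written before the send, so reading it after <-done is race-free
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			conn := tls.Server(raw, serverCfg)
			err = conn.Handshake()
			suite = conn.ConnectionState().CipherSuite
		}
		done <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	err = errors.Join(<-done, err) // wait for the server before closing: it may still be sending tickets
	if cli != nil {
		cli.Close()
	}
	return suite, err
}

// Scenarios runs the page's three mechanisms over loopback; each entry holds that handshake's error (nil on success) and cipher is the suite negotiated under the restricted configuration.
func Scenarios() (results map[string]error, cipher uint16, err error) {
	ca, caKey, e1 := newCert(caName, nil, nil)
	srvCert, srvKey, e2 := newCert(serverName, ca, caKey)
	cliCert, cliKey, e3 := newCert(clientName, ca, caKey)
	if err = errors.Join(e1, e2, e3); err != nil {
		return nil, 0, err
	}
	trust := x509.NewCertPool()
	trust.AddCert(ca)
	results = map[string]error{}
	server := &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}}}
	client := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: trust, ServerName: serverName}
	_, results["one-way"] = handshake(server, client) // one-way: only the client verifies, against the CA and the expected name
	mutual, withCert := server.Clone(), client.Clone()
	mutual.ClientAuth, mutual.ClientCAs = tls.RequireAndVerifyClientCert, trust
	withCert.Certificates = []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}
	_, results["two-way"] = handshake(mutual, withCert) // X.509 two-way: the server also demands a client certificate chained to the CA
	// Special two-way: limit the cipher suites and pin the client's issuer and subject on top of chain verification.
	strict, wantSubject := mutual.Clone(), clientName
	strict.MaxVersion, strict.CipherSuites = tls.VersionTLS12, []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384} // Go applies CipherSuites to TLS 1.2 only
	strict.VerifyPeerCertificate = func(_ [][]byte, chains [][]*x509.Certificate) error {
		leaf := chains[0][0] // Go calls this only after chain verification succeeded, so chains is non-empty
		if leaf.Issuer.CommonName != caName || leaf.Subject.CommonName != wantSubject {
			return errors.New("client certificate issuer or subject is not the permitted one")
		}
		return nil
	}
	cipher, results["special-two-way"] = handshake(strict, withCert)
	wantSubject = "someone-else" // a valid chain from the same CA, but not the pinned subject
	_, results["special-two-way-wrong-subject"] = handshake(strict, withCert)
	return results, cipher, nil
}
```

Scenarios() returns each handshake's error, so the three accepting cases come back nil while the wrong-subject case carries the server's rejection (the client never gets past the handshake), and the reported cipher suite is the single one the restricted configuration allowed. Go honours CipherSuites only for TLS 1.2, which is why the restricted configuration caps MaxVersion; OpenSSL-based deployments express the same restriction through a cipher list instead.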