<!-- CANARY: REQ=REQ-DOCS-001; FEATURE="Docs"; ASPECT=Documentation; STATUS=TESTED; OWNER=docs; UPDATED=2026-01-15 -->
<p>Documentation tagged with <strong>Transparent Data Encryption (TDE)</strong> in the Geode graph database. TDE provides encryption-at-rest for database files, protecting data stored on disk from unauthorized access while remaining transparent to applications and queries.</p>
<h3 id="introduction-to-transparent-data-encryption" class="position-relative d-flex align-items-center group">
<span>Introduction to Transparent Data Encryption</span>
</h3><p>Transparent Data Encryption (TDE) is an enterprise security feature that encrypts database files on disk, ensuring that data remains protected even if storage media is stolen, improperly disposed of, or accessed by unauthorized users. The “transparent” aspect means encryption and decryption happen automatically—applications and users don’t need to modify queries or code.</p>
<p>TDE addresses a critical security requirement: protecting data at rest. While network encryption (TLS) protects data in transit and authentication prevents unauthorized access, TDE ensures that raw database files, backups, and snapshots cannot be read without the encryption keys. This is essential for:</p>
<ul>
<li><strong>Compliance</strong>: Regulations like GDPR, HIPAA, PCI-DSS, and SOC 2 require encryption at rest</li>
<li><strong>Data breach protection</strong>: Stolen drives or backups are useless without keys</li>
<li><strong>Multi-tenant security</strong>: Prevent cloud providers or storage administrators from accessing data</li>
<li><strong>Secure decommissioning</strong>: Safely dispose of old hardware without data recovery risks</li>
</ul>
<p>Geode’s TDE implementation uses industry-standard AES-256 encryption with hardware acceleration (AES-NI) for minimal performance overhead, typically less than 5% impact on throughput.</p>
<h3 id="core-tde-concepts" class="position-relative d-flex align-items-center group">
<span>Core TDE Concepts</span>
</h3>
<h4 id="encryption-at-rest-vs-in-transit" class="position-relative d-flex align-items-center group">
<span>Encryption at Rest vs. In Transit</span>
</h4><p>Geode provides multiple encryption layers:</p>
<ul>
<li><strong>TDE (Encryption at Rest)</strong>: Protects data stored on disk</li>
<li><strong>TLS (Encryption in Transit)</strong>: Protects data transmitted over networks</li>
<li><strong>FLE (Field-Level Encryption)</strong>: Protects specific sensitive fields</li>
</ul>
<p>Together, these provide defense-in-depth security.</p>
<h4 id="two-tier-key-architecture" class="position-relative d-flex align-items-center group">
<span>Two-Tier Key Architecture</span>
</h4><p>Geode uses a two-tier key hierarchy for security and operational flexibility:</p>
<p><strong>Master Encryption Key (MEK)</strong>:</p>
<ul>
<li>Stored in external Key Management Service (KMS) or Hardware Security Module (HSM)</li>
<li>Never stored on disk with encrypted data</li>
<li>Rotated infrequently (annually or when compromised)</li>
<li>Examples: AWS KMS, Azure Key Vault, HashiCorp Vault, PKCS#11 HSM</li>
</ul>
<p><strong>Data Encryption Keys (DEK)</strong>:</p>
<ul>
<li>Generated per database/tablespace/file</li>
<li>Encrypted with MEK and stored alongside encrypted data</li>
<li>Rotated periodically for defense-in-depth</li>
<li>Actual key used for encrypting data blocks</li>
</ul>
<p>This architecture enables key rotation without re-encrypting the entire database—just re-encrypt the DEKs with the new MEK.</p>
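<p>As an added illustration of the two-tier hierarchy described above (example code written for this page, not Geode's implementation): envelope encryption in Go using the standard library's AES-256-GCM. The MEK here is a locally generated 32-byte key standing in for one held by a KMS or HSM, the file name and contents are constructed, and the wrap format (nonce prepended, file name bound as associated data) is this example's own choice.</p>

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newKey returns a random 256-bit key. In production the MEK is never made here:
// it stays in the KMS/HSM and only DEKs are generated locally.
func newKey() []byte {
	k := make([]byte, 32)
	rand.Read(k)
	return k
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-256-GCM with the random nonce prepended; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; a wrong key, wrong aad or modified ciphertext fails.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// EncryptedFile is what lands on disk: the wrapped DEK travels with the data, the MEK never does.
type EncryptedFile struct {
	Name       string
	WrappedDEK []byte // DEK encrypted under the MEK
	Ciphertext []byte // file contents encrypted under the DEK
}

// EncryptFile makes a fresh DEK for one file, encrypts the data with it and wraps the DEK
// under the MEK. The file name is bound as AAD so a wrapped DEK cannot be moved between files.
func EncryptFile(mek []byte, name string, data []byte) (EncryptedFile, error) {
	dek := newKey()
	ct, err := seal(dek, data, []byte(name))
	if err != nil {
		return EncryptedFile{}, err
	}
	wrapped, err := seal(mek, dek, []byte(name))
	if err != nil {
		return EncryptedFile{}, err
	}
	return EncryptedFile{Name: name, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptFile unwraps the DEK with the MEK (a KMS call in production), then decrypts the data.
func DecryptFile(mek []byte, f EncryptedFile) ([]byte, error) {
	dek, err := open(mek, f.WrappedDEK, []byte(f.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", f.Name, err)
	}
	return open(dek, f.Ciphertext, []byte(f.Name))
}

// RotateMEK re-wraps every DEK under the new MEK without touching the data ciphertext.
func RotateMEK(oldMEK, newMEK []byte, files []EncryptedFile) error {
	for i := range files {
		dek, err := open(oldMEK, files[i].WrappedDEK, []byte(files[i].Name))
		if err != nil {
			return err
		}
		if files[i].WrappedDEK, err = seal(newMEK, dek, []byte(files[i].Name)); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	mek, newMEK := newKey(), newKey() // constructed stand-ins for KMS-held keys
	f, _ := EncryptFile(mek, "nodes.db", []byte("node 1: Alice; node 2: Bob"))
	files := []EncryptedFile{f}
	fmt.Println("rotate:", RotateMEK(mek, newMEK, files))
	pt, err := DecryptFile(newMEK, files[0])
	fmt.Printf("new MEK: %q err=%v\n", pt, err)
	_, err = DecryptFile(mek, files[0])
	fmt.Println("old MEK:", err)
}
```

<p>The point of the design is <code>RotateMEK</code>: it reads and rewrites only the wrapped DEKs, so a MEK rotation is a handful of KMS operations per file rather than a pass over every data block. With a real KMS, the <code>seal</code>/<code>open</code> calls on the MEK become the provider's wrap and unwrap operations and the MEK bytes are never present in the database process.</p>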
<h4 id="encryption-scope" class="position-relative d-flex align-items-center group">
<span>Encryption Scope</span>
</h4><p>TDE encrypts:</p>
<ul>
<li><strong>Data files</strong>: Node storage, relationship storage, property storage</li>
<li><strong>Index files</strong>: All index structures (B-trees, HNSW graphs, etc.)</li>
<li><strong>WAL (Write-Ahead Log)</strong>: Transaction log files</li>
<li><strong>Temporary files</strong>: Sort buffers, intermediate query results</li>
<li><strong>Backups</strong>: Backup archives and snapshots</li>
</ul>
<p>TDE does NOT encrypt:</p>
<ul>
<li><strong>Configuration files</strong>: Database configuration (not sensitive data)</li>
<li><strong>Logs</strong>: Application logs (use separate log encryption if needed)</li>
<li><strong>In-memory data</strong>: Data in RAM (use encrypted memory for extreme security)</li>
<li><strong>Query text</strong>: GQL queries themselves (use TLS for query privacy)</li>
</ul>
<h4 id="encryption-algorithms" class="position-relative d-flex align-items-center group">
<span>Encryption Algorithms</span>
</h4><p>Geode supports industry-standard algorithms:</p>
<ul>
<li><strong>AES-256-GCM</strong>: Recommended default (authenticated encryption, parallelizable)</li>
<li><strong>AES-256-CBC</strong>: Alternative for compatibility (requires separate HMAC for authentication)</li>
<li><strong>ChaCha20-Poly1305</strong>: Software-friendly alternative for systems without AES-NI</li>
</ul>
<p>All algorithms use 256-bit keys meeting FIPS 140-2 requirements.</p>
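<p>To show why AES-256-GCM is the recommended default and why the CBC alternative "requires separate HMAC for authentication", here is an added Go example (not Geode's code) that stores one constructed record both ways, flips a single bit of the stored bytes, and compares what each scheme reports on read. The keys and the record are constructed for the demonstration.</p>

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// pad and unpad implement PKCS#7, since CBC needs whole 16-byte blocks.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt is AES-256-CBC with a random IV prepended: confidentiality only.
func cbcEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv)
	padded := pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// cbcDecrypt cannot tell modified stored bytes from genuine ones; it only
// errors if the padding happens to be damaged.
func cbcDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	out := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(out, data[aes.BlockSize:])
	return unpad(out)
}

// encryptThenMAC appends HMAC-SHA256 over IV||ciphertext under a separate MAC key.
func encryptThenMAC(encKey, macKey, plaintext []byte) ([]byte, error) {
	ct, err := cbcEncrypt(encKey, plaintext)
	if err != nil {
		return nil, err
	}
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	return m.Sum(ct), nil
}

// verifyThenDecrypt checks the tag in constant time before decrypting anything.
func verifyThenDecrypt(encKey, macKey, data []byte) ([]byte, error) {
	if len(data) < sha256.Size {
		return nil, errors.New("too short")
	}
	ct, tag := data[:len(data)-sha256.Size], data[len(data)-sha256.Size:]
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	if !hmac.Equal(tag, m.Sum(nil)) {
		return nil, errors.New("authentication failed: stored bytes were modified")
	}
	return cbcDecrypt(encKey, ct)
}

func main() {
	encKey, macKey := make([]byte, 32), make([]byte, 32) // constructed demo keys
	rand.Read(encKey)
	rand.Read(macKey)
	msg := []byte("node 42: balance=100; owner=alice") // constructed record
	ct, _ := cbcEncrypt(encKey, msg)
	ct[0] ^= 0x01 // one bit of the stored bytes flipped
	pt, err := cbcDecrypt(encKey, ct)
	fmt.Printf("CBC only:   err=%v altered=%v\n", err, !bytes.Equal(pt, msg))
	sealed, _ := encryptThenMAC(encKey, macKey, msg)
	sealed[0] ^= 0x01
	_, err = verifyThenDecrypt(encKey, macKey, sealed)
	fmt.Println("CBC + HMAC:", err)
}
```

<p>Plain CBC hands back altered data with no error, so a storage layer built on it alone has no way to notice a modified page; encrypt-then-MAC with a distinct MAC key closes that gap, and GCM gives the same guarantee in one primitive, which is why it is the default above.</p>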
<h3 id="how-tde-works-in-geode" class="position-relative d-flex align-items-center group">
<span>How TDE Works in Geode</span>
</h3>
<h4 id="enabling-tde" class="position-relative d-flex align-items-center group">
<span>Enabling TDE</span>
</h4><p>Enable TDE when creating a new database:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Generate or retrieve master encryption key from KMS</span>
</span></span><span class="line"><span class="cl">$ geode init --enable-tde <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --kms-provider aws-kms <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --kms-key-id arn:aws:kms:us-east-1:123456789:key/abc-def-123 <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --encryption-algorithm aes-256-gcm
</span></span></code></pre></div><p>For existing databases, enable TDE through encryption conversion:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Enable TDE on existing database (requires downtime)</span>
</span></span><span class="line"><span class="cl">$ geode convert-to-tde <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --data-dir /var/lib/geode/data <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --kms-provider vault <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --kms-endpoint https://vault.example.com <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --kms-token <span class="nv">$VAULT_TOKEN</span>
</span></span></code></pre></div>
<h4 id="configuration" class="position-relative d-flex align-items-center group">
<span>Configuration</span>
</h4><p>Configure TDE in <code>geode.yaml</code>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">encryption</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">algorithm</span><span class="p">:</span><span class="w"> </span><span class="l">aes-256-gcm</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Key Management Service configuration</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kms</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l">aws-kms </span><span class="w"> </span><span class="c"># aws-kms, azure-kv, gcp-kms, vault, pkcs11</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key_id</span><span class="p">:</span><span class="w"> </span><span class="l">arn:aws:kms:us-east-1:123456789:key/abc-def-123</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="l">us-east-1</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># DEK rotation policy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dek_rotation</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">interval_days</span><span class="p">:</span><span class="w"> </span><span class="m">90</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Performance tuning</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cache_deks</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="c"># Cache decrypted DEKs in memory</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cache_size_mb</span><span class="p">:</span><span class="w"> </span><span class="m">128</span><span class="w"> </span><span class="c"># DEK cache size</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="key-management-integration" class="position-relative d-flex align-items-center group">
<span>Key Management Integration</span>
</h4><p>Geode integrates with enterprise key management systems:</p>
<p><strong>AWS KMS</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">kms</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l">aws-kms</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key_id</span><span class="p">:</span><span class="w"> </span><span class="l">arn:aws:kms:us-east-1:123456789:key/abc-def-123</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="l">us-east-1</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">credentials_profile</span><span class="p">:</span><span class="w"> </span><span class="l">geode-production</span><span class="w">
</span></span></span></code></pre></div><p><strong>Azure Key Vault</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">kms</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l">azure-kv</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">vault_url</span><span class="p">:</span><span class="w"> </span><span class="l">https://my-keyvault.vault.azure.net</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key_name</span><span class="p">:</span><span class="w"> </span><span class="l">geode-master-key</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tenant_id</span><span class="p">:</span><span class="w"> </span><span class="m">12345</span>-<span class="l">abcd-...</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">client_id</span><span class="p">:</span><span class="w"> </span><span class="m">67890</span>-<span class="l">efgh-...</span><span class="w">
</span></span></span></code></pre></div><p><strong>HashiCorp Vault</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">kms</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l">vault</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">endpoint</span><span class="p">:</span><span class="w"> </span><span class="l">https://vault.example.com</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">transit_mount</span><span class="p">:</span><span class="w"> </span><span class="l">transit</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key_name</span><span class="p">:</span><span class="w"> </span><span class="l">geode-mek</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">token</span><span class="p">:</span><span class="w"> </span><span class="l">$VAULT_TOKEN </span><span class="w"> </span><span class="c"># Or use AppRole, K8s auth</span><span class="w">
</span></span></span></code></pre></div><p><strong>PKCS#11 HSM</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">kms</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l">pkcs11</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">library_path</span><span class="p">:</span><span class="w"> </span><span class="l">/usr/lib/softhsm/libsofthsm2.so</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">slot_id</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pin</span><span class="p">:</span><span class="w"> </span><span class="l">$HSM_PIN</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key_label</span><span class="p">:</span><span class="w"> </span><span class="l">geode-master-key</span><span class="w">
</span></span></span></code></pre></div>
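<p>As an added example of a pre-deployment check on these blocks (written for this page, not part of Geode): a small Go validator that reads the <code>kms:</code> section and reports a missing key, a literal credential, or a non-TLS endpoint. The key names are the ones in the samples above; treating them as required for each provider, and requiring <code>token</code> and <code>pin</code> to be <code>$ENV_VAR</code> references as the samples do, are this example's assumptions rather than Geode's documented schema. The weakened sample is constructed.</p>

```go
package main

import (
	"fmt"
	"strings"
)

// requiredKeys lists, per provider, the keys shown in the samples above. Treating them
// as required is this example's assumption; gcp-kms is listed on the page but has no sample.
var requiredKeys = map[string][]string{
	"aws-kms":  {"key_id", "region"},
	"azure-kv": {"vault_url", "key_name", "tenant_id", "client_id"},
	"vault":    {"endpoint", "transit_mount", "key_name", "token"},
	"pkcs11":   {"library_path", "slot_id", "pin", "key_label"},
}

// secretKeys carry credentials and must reference an environment variable
// ($NAME, as the samples do) so the secret itself never sits in geode.yaml.
var secretKeys = map[string]bool{"token": true, "pin": true}

// parseKMS extracts the flat `kms:` block as key -> value. It understands only
// `key: value` lines with optional `# comment`: a small reader for these samples, not a YAML parser.
func parseKMS(doc string) map[string]string {
	out := map[string]string{}
	inKMS, kmsIndent := false, 0
	for _, raw := range strings.Split(doc, "\n") {
		line := raw
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i]
		}
		trimmed := strings.TrimSpace(line)
		if trimmed == "" {
			continue
		}
		indent := len(line) - len(strings.TrimLeft(line, " "))
		switch {
		case trimmed == "kms:":
			inKMS, kmsIndent = true, indent
		case inKMS && indent <= kmsIndent: // a sibling or parent key ends the block
			inKMS = false
		case inKMS:
			if k, v, ok := strings.Cut(trimmed, ":"); ok {
				out[strings.TrimSpace(k)] = strings.TrimSpace(v)
			}
		}
	}
	return out
}

// ValidateKMS returns the problems found in the kms block; none means it passes.
func ValidateKMS(doc string) []string {
	cfg := parseKMS(doc)
	provider := cfg["provider"]
	req, known := requiredKeys[provider]
	if !known {
		return []string{fmt.Sprintf("kms.provider %q missing or not covered here", provider)}
	}
	var problems []string
	for _, k := range req {
		if cfg[k] == "" {
			problems = append(problems, provider+": missing required key "+k)
		}
	}
	for k := range secretKeys {
		if v, ok := cfg[k]; ok && !strings.HasPrefix(v, "$") {
			problems = append(problems, provider+": "+k+" is a literal secret; reference $ENV_VAR instead")
		}
	}
	for _, k := range []string{"endpoint", "vault_url"} {
		if v, ok := cfg[k]; ok && !strings.HasPrefix(v, "https://") {
			problems = append(problems, provider+": "+k+" must use https://")
		}
	}
	return problems
}

// Two samples: the page's Vault block, and a constructed weakened copy.
const goodVault = `kms:
  provider: vault
  endpoint: https://vault.example.com
  transit_mount: transit
  key_name: geode-mek
  token: $VAULT_TOKEN   # Or use AppRole, K8s auth
`

const weakVault = `kms:
  provider: vault
  endpoint: http://vault.example.com
  key_name: geode-mek
  token: s.literal-token-value
`

func main() {
	for name, doc := range map[string]string{"good": goodVault, "weak": weakVault} {
		fmt.Printf("%s: %v\n", name, ValidateKMS(doc))
	}
}
```

<p>The same concern applies to the CLI form shown earlier: <code>--kms-token $VAULT_TOKEN</code> is expanded by the shell before <code>geode</code> starts, so the token appears in the process argument list, which other local users can usually read with <code>ps</code>. The AppRole or Kubernetes auth methods mentioned in the Vault sample's comment avoid putting a long-lived token on the command line at all.</p>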
<h4 id="runtime-operations" class="position-relative d-flex align-items-center group">
<span>Runtime Operations</span>
</h4><p>TDE operates transparently:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Queries</span><span class="w"> </span><span class="py">work</span><span class="w"> </span><span class="py">exactly</span><span class="w"> </span><span class="py">the</span><span class="w"> </span><span class="py">same</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">TDE</span><span class="w"> </span><span class="py">enabled</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">p</span><span class="p">:</span><span class="nc">Person</span><span class="w"> </span><span class="p">{</span><span class="py">id</span><span class="p">:</span><span class="w"> </span><span class="nv">$userId</span><span class="p">})</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nc">SET</span><span class="w"> </span><span class="py">p</span><span class="err">.</span><span class="py">last_login</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">datetime</span><span class="p">()</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Application</span><span class="w"> </span><span class="py">code</span><span class="w"> </span><span class="py">doesn</span><span class="err">'</span><span class="py">t</span><span class="w"> </span><span class="py">change</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">INSERT</span><span class="w"> </span><span class="p">(:</span><span class="nc">Document</span><span class="w"> </span><span class="p">{</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">id</span><span class="p">:</span><span class="w"> </span><span class="err">'</span><span class="nc">doc</span><span class="err">-</span><span class="py">123</span><span class="err">'</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">title</span><span class="p">:</span><span class="w"> </span><span class="err">'</span><span class="nc">Sensitive</span><span class="w"> </span><span class="py">Data</span><span class="err">'</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">content</span><span class="p">:</span><span class="w"> </span><span class="err">'</span><span class="nc">This</span><span class="w"> </span><span class="py">will</span><span class="w"> </span><span class="py">be</span><span class="w"> </span><span class="py">encrypted</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">disk</span><span class="w"> </span><span class="py">automatically</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">})</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p>Encryption and decryption happen automatically in the storage layer.</p>
<h3 id="use-cases" class="position-relative d-flex align-items-center group">
<span>Use Cases</span>
</h3>
<h4 id="regulatory-compliance" class="position-relative d-flex align-items-center group">
<span>Regulatory Compliance</span>
</h4><p>Meet encryption requirements for regulated industries:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># HIPAA-compliant TDE configuration</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">encryption</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">algorithm</span><span class="p">:</span><span class="w"> </span><span class="l">aes-256-gcm</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fips_mode</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="c"># Use FIPS 140-2 validated crypto</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kms</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l">aws-kms</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key_id</span><span class="p">:</span><span class="w"> </span><span class="l">$HIPAA_COMPLIANT_KMS_KEY</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">audit</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">log_key_access</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">log_encryption_events</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="multi-tenant-saas" class="position-relative d-flex align-items-center group">
<span>Multi-Tenant SaaS</span>
</h4><p>Isolate tenant data with per-tenant encryption:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">encryption</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">per_tenant_keys</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="c"># Each tenant gets unique DEK</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kms</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l">vault</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">endpoint</span><span class="p">:</span><span class="w"> </span><span class="l">https://vault.example.com</span><span class="w">
</span></span></span></code></pre></div><p>Query with tenant context:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Tenant</span><span class="w"> </span><span class="py">ID</span><span class="w"> </span><span class="py">determines</span><span class="w"> </span><span class="py">which</span><span class="w"> </span><span class="py">DEK</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">use</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">decryption</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SET</span><span class="w"> </span><span class="py">SESSION</span><span class="w"> </span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">tenant</span><span class="err">-</span><span class="py">abc</span><span class="err">-</span><span class="py">123</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">d</span><span class="p">:</span><span class="nc">Document</span><span class="p">)</span><span class="w"> </span><span class="py">RETURN</span><span class="w"> </span><span class="py">d</span><span class="err">.</span><span class="py">content</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="secure-cloud-deployments" class="position-relative d-flex align-items-center group">
<span>Secure Cloud Deployments</span>
</h4><p>Protect data from cloud provider access:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Deploy to cloud with customer-managed keys</span>
</span></span><span class="line"><span class="cl">$ geode deploy <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --cloud aws <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --enable-tde <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --kms-provider aws-kms <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --customer-managed-key arn:aws:kms:us-east-1:MY_ACCOUNT:key/MY_KEY
</span></span></code></pre></div><p>Even cloud administrators cannot decrypt your data without your KMS key.</p>
<h4 id="data-lifecycle-management" class="position-relative d-flex align-items-center group">
<span>Data Lifecycle Management</span>
</h4><p>Securely retire old data:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Crypto-shredding: Destroy encryption key to make data unrecoverable</span>
</span></span><span class="line"><span class="cl">$ geode retire-data <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tablespace archived_2023 <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --method crypto-shred <span class="c1"># Delete DEK, data becomes permanently unreadable</span>
</span></span></code></pre></div><p>Faster and more secure than deleting millions of records.</p>
<h3 id="best-practices" class="position-relative d-flex align-items-center group">
<span>Best Practices</span>
</h3>
<h4 id="key-management" class="position-relative d-flex align-items-center group">
<span>Key Management</span>
</h4><ol>
<li>
<p><strong>Use external KMS</strong>: Never store the MEK alongside the encrypted data</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Good: MEK in AWS KMS</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kms</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l">aws-kms</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key_id</span><span class="p">:</span><span class="w"> </span><span class="l">arn:aws:kms:...</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># Bad: MEK in config file</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># NEVER DO THIS</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">encryption</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">master_key</span><span class="p">:</span><span class="w"> </span><span class="s2">"base64-encoded-key-here"</span><span class="w"> </span><span class="c"># Insecure!</span><span class="w">
</span></span></span></code></pre></div></li>
<li>
<p><strong>Rotate MEK annually</strong>: Regular rotation limits exposure</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ geode rotate-mek <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --old-key-id arn:aws:kms:.../old-key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --new-key-id arn:aws:kms:.../new-key
</span></span></code></pre></div></li>
<li>
<p><strong>Rotate DEKs quarterly</strong>: Defense-in-depth</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">dek_rotation</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">interval_days</span><span class="p">:</span><span class="w"> </span><span class="m">90</span><span class="w">
</span></span></span></code></pre></div></li>
<li>
<p><strong>Backup keys separately</strong>: Store key backups in a different location from data backups</p>
</li>
</ol>
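<p>The per-tenant DEK selection described under Multi-Tenant SaaS, the crypto-shredding under Data Lifecycle Management, and the MEK/DEK separation in the Key Management list above, carried through as one added Go example. It is constructed for this page and is not Geode's implementation: envelope encryption with AES-256-GCM from the Go standard library, an in-memory MEK standing in for the KMS, and hypothetical tenant ids, where the tenant id passed to <code>EncryptRecord</code>/<code>DecryptRecord</code> plays the role of the session's <code>tenant_id</code>.</p>

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failed CSPRNG has no safe fallback
	}
	return b
}

// gcmFor builds an AES-256-GCM AEAD; every key here is 32 bytes, so failure is a bug.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return gcm
}

// Seal returns nonce||ciphertext||tag; aad is authenticated only (it binds a wrapped DEK to its tenant id).
func Seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// Open reverses Seal; it fails if the key, the tag or the aad do not match.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KeyStore (constructed): the MEK lives only in memory, standing in for the KMS; each tenant's DEK is persisted only wrapped under it.
type KeyStore struct {
	mek        []byte
	wrappedDEK map[string][]byte // tenant id -> DEK wrapped under the MEK
}

func NewKeyStore() *KeyStore { return &KeyStore{mek: randomBytes(32), wrappedDEK: map[string][]byte{}} }

// ProvisionTenant generates a unique DEK for the tenant and stores it wrapped.
func (s *KeyStore) ProvisionTenant(tenant string) {
	s.wrappedDEK[tenant] = Seal(s.mek, randomBytes(32), []byte(tenant))
}

// tenantDEK unwraps the tenant's DEK; it fails once the DEK has been shredded.
func (s *KeyStore) tenantDEK(tenant string) ([]byte, error) {
	w, ok := s.wrappedDEK[tenant]
	if !ok {
		return nil, errors.New("no DEK for tenant: not provisioned or crypto-shredded")
	}
	return Open(s.mek, w, []byte(tenant))
}

// EncryptRecord encrypts one record under the DEK of the session's tenant.
func (s *KeyStore) EncryptRecord(tenant string, content []byte) ([]byte, error) {
	dek, err := s.tenantDEK(tenant)
	if err != nil {
		return nil, err
	}
	return Seal(dek, content, nil), nil
}

// DecryptRecord opens a ciphertext with the session tenant's DEK; another tenant's record fails authentication.
func (s *KeyStore) DecryptRecord(tenant string, sealed []byte) ([]byte, error) {
	dek, err := s.tenantDEK(tenant)
	if err != nil {
		return nil, err
	}
	return Open(dek, sealed, nil)
}

// RotateMEK re-wraps every DEK under a fresh MEK; no record is re-encrypted.
func (s *KeyStore) RotateMEK() error {
	newMEK := randomBytes(32)
	for tenant, w := range s.wrappedDEK {
		dek, err := Open(s.mek, w, []byte(tenant))
		if err != nil {
			return err
		}
		s.wrappedDEK[tenant] = Seal(newMEK, dek, []byte(tenant))
	}
	s.mek = newMEK
	return nil
}

// CryptoShred drops the tenant's wrapped DEK: its ciphertexts stay on disk but nobody can decrypt them.
func (s *KeyStore) CryptoShred(tenant string) { delete(s.wrappedDEK, tenant) }
```

The same ciphertext bytes stay readable across <code>RotateMEK</code> and become unrecoverable after <code>CryptoShred</code>, which is the behaviour the two CLI commands above rely on.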
<h4 id="performance-optimization" class="position-relative d-flex align-items-center group">
<span>Performance Optimization</span>
</h4><ol>
<li>
<p><strong>Enable hardware acceleration</strong>: Use AES-NI when available</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Verify AES-NI support</span>
</span></span><span class="line"><span class="cl">$ grep -o aes /proc/cpuinfo <span class="p">|</span> wc -l
</span></span><span class="line"><span class="cl"><span class="c1"># If > 0, AES-NI is available</span>
</span></span></code></pre></div></li>
<li>
<p><strong>Cache DEKs</strong>: Reduce KMS roundtrips</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">encryption</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cache_deks</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cache_size_mb</span><span class="p">:</span><span class="w"> </span><span class="m">256</span><span class="w"> </span><span class="c"># Larger cache for more tablespaces</span><span class="w">
</span></span></span></code></pre></div></li>
<li>
<p><strong>Use AES-GCM</strong>: Faster than AES-CBC (parallel encryption)</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">encryption</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">algorithm</span><span class="p">:</span><span class="w"> </span><span class="l">aes-256-gcm </span><span class="w"> </span><span class="c"># Recommended</span><span class="w">
</span></span></span></code></pre></div></li>
<li>
<p><strong>Benchmark impact</strong>: Measure before deploying</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ geode benchmark --with-tde --without-tde
</span></span><span class="line"><span class="cl"><span class="c1"># Expect < 5% overhead with AES-NI</span>
</span></span></code></pre></div></li>
</ol>
<h4 id="operational-security" class="position-relative d-flex align-items-center group">
<span>Operational Security</span>
</h4><ol>
<li>
<p><strong>Principle of least privilege</strong>: Limit KMS key access</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"Version"</span><span class="p">:</span> <span class="s2">"2012-10-17"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"Statement"</span><span class="p">:</span> <span class="p">[{</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"Effect"</span><span class="p">:</span> <span class="s2">"Allow"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"Principal"</span><span class="p">:</span> <span class="p">{</span><span class="nt">"AWS"</span><span class="p">:</span> <span class="s2">"arn:aws:iam::123:role/geode-prod"</span><span class="p">},</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"Action"</span><span class="p">:</span> <span class="p">[</span><span class="s2">"kms:GenerateDataKey"</span><span class="p">,</span> <span class="s2">"kms:Decrypt"</span><span class="p">,</span> <span class="s2">"kms:DescribeKey"</span><span class="p">],</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"Resource"</span><span class="p">:</span> <span class="s2">"*"</span>
</span></span><span class="line"><span class="cl"> <span class="p">}]</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span></code></pre></div></li>
<li>
<p><strong>Enable audit logging</strong>: Track all key usage</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">audit</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">log_key_access</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">log_to</span><span class="p">:</span><span class="w"> </span><span class="l">/var/log/geode/tde-audit.log</span><span class="w">
</span></span></span></code></pre></div></li>
<li>
<p><strong>Test disaster recovery</strong>: Practice key recovery procedures</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Test MEK recovery from backup</span>
</span></span><span class="line"><span class="cl">$ geode recover-mek <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --backup-location s3://backup-bucket/mek-backup.enc <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --recovery-key <span class="nv">$RECOVERY_PASSPHRASE</span>
</span></span></code></pre></div></li>
</ol>
<h3 id="performance-characteristics" class="position-relative d-flex align-items-center group">
<span>Performance Characteristics</span>
</h3>
<h4 id="throughput-impact" class="position-relative d-flex align-items-center group">
<span>Throughput Impact</span>
</h4><p>Typical overhead with AES-NI:</p>
<ul>
<li><strong>Read throughput</strong>: 2-5% slower</li>
<li><strong>Write throughput</strong>: 3-7% slower</li>
<li><strong>CPU usage</strong>: +10-15%</li>
<li><strong>Memory usage</strong>: Minimal (DEK cache: 128-256 MB)</li>
</ul>
<p>Without AES-NI (software AES):</p>
<ul>
<li><strong>Read throughput</strong>: 15-25% slower</li>
<li><strong>Write throughput</strong>: 20-30% slower</li>
<li><strong>CPU usage</strong>: +50-100%</li>
</ul>
<h4 id="latency-impact" class="position-relative d-flex align-items-center group">
<span>Latency Impact</span>
</h4><p>Typical latency overhead:</p>
<ul>
<li><strong>Query latency</strong>: +0.5-2ms per query</li>
<li><strong>Write latency</strong>: +1-3ms per transaction</li>
<li><strong>Startup time</strong>: +5-30 seconds (DEK loading)</li>
</ul>
<h3 id="monitoring-and-troubleshooting" class="position-relative d-flex align-items-center group">
<span>Monitoring and Troubleshooting</span>
</h3>
<h4 id="monitoring" class="position-relative d-flex align-items-center group">
<span>Monitoring</span>
</h4><p>Track TDE health:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">encryption</span><span class="w"> </span><span class="py">status</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CALL</span><span class="w"> </span><span class="py">dbms</span><span class="err">.</span><span class="py">security</span><span class="err">.</span><span class="py">encryption</span><span class="err">.</span><span class="py">status</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">YIELD</span><span class="w"> </span><span class="py">enabled</span><span class="p">,</span><span class="w"> </span><span class="py">algorithm</span><span class="p">,</span><span class="w"> </span><span class="py">kms_provider</span><span class="p">,</span><span class="w"> </span><span class="py">dek_count</span><span class="p">,</span><span class="w"> </span><span class="py">last_rotation</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">enabled</span><span class="p">,</span><span class="w"> </span><span class="py">algorithm</span><span class="p">,</span><span class="w"> </span><span class="py">kms_provider</span><span class="p">,</span><span class="w"> </span><span class="py">dek_count</span><span class="p">,</span><span class="w"> </span><span class="py">last_rotation</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Monitor</span><span class="w"> </span><span class="py">key</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CALL</span><span class="w"> </span><span class="py">dbms</span><span class="err">.</span><span class="py">security</span><span class="err">.</span><span class="py">encryption</span><span class="err">.</span><span class="py">audit</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">YIELD</span><span class="w"> </span><span class="py">timestamp</span><span class="p">,</span><span class="w"> </span><span class="py">operation</span><span class="p">,</span><span class="w"> </span><span class="py">key_id</span><span class="p">,</span><span class="w"> </span><span class="py">success</span><span class="p">,</span><span class="w"> </span><span class="py">error</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">success</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">false</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">timestamp</span><span class="p">,</span><span class="w"> </span><span class="py">operation</span><span class="p">,</span><span class="w"> </span><span class="py">key_id</span><span class="p">,</span><span class="w"> </span><span class="py">error</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Performance</span><span class="w"> </span><span class="py">metrics</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CALL</span><span class="w"> </span><span class="py">dbms</span><span class="err">.</span><span class="py">monitor</span><span class="err">.</span><span class="py">encryption</span><span class="err">.</span><span class="py">stats</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">YIELD</span><span class="w"> </span><span class="py">encrypt_ops_per_sec</span><span class="p">,</span><span class="w"> </span><span class="py">decrypt_ops_per_sec</span><span class="p">,</span><span class="w"> </span><span class="py">avg_latency_ms</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">encrypt_ops_per_sec</span><span class="p">,</span><span class="w"> </span><span class="py">decrypt_ops_per_sec</span><span class="p">,</span><span class="w"> </span><span class="py">avg_latency_ms</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="common-issues" class="position-relative d-flex align-items-center group">
<span>Common Issues</span>
</h4><p><strong>KMS unavailable</strong>:</p>
<ul>
<li><strong>Symptom</strong>: Cannot start database, “Failed to retrieve MEK”</li>
<li><strong>Cause</strong>: KMS service unreachable</li>
<li><strong>Solution</strong>: Verify network connectivity, check KMS service status, use cached DEKs (if enabled)</li>
</ul>
<p><strong>Performance degradation</strong>:</p>
<ul>
<li><strong>Symptom</strong>: Slow queries after enabling TDE</li>
<li><strong>Cause</strong>: Missing AES-NI support or software encryption</li>
<li><strong>Solution</strong>: Verify AES-NI availability, consider hardware upgrade</li>
</ul>
<p><strong>Key rotation failures</strong>:</p>
<ul>
<li><strong>Symptom</strong>: DEK rotation fails</li>
<li><strong>Cause</strong>: Insufficient KMS permissions</li>
<li><strong>Solution</strong>: Grant required KMS permissions (GenerateDataKey, Decrypt)</li>
</ul>
<h3 id="tde-implementation-patterns" class="position-relative d-flex align-items-center group">
<span>TDE Implementation Patterns</span>
</h3>
<h4 id="multi-tenant-key-isolation" class="position-relative d-flex align-items-center group">
<span>Multi-Tenant Key Isolation</span>
</h4><p>Isolate tenant data with separate encryption keys:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># geode.yaml</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">encryption</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">per_tenant_keys</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tenant_key_mapping</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tenant-123</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kms_key_id</span><span class="p">:</span><span class="w"> </span><span class="l">arn:aws:kms:us-east-1:111:key/tenant-123-key</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tenant-456</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kms_key_id</span><span class="p">:</span><span class="w"> </span><span class="l">arn:aws:kms:us-east-1:111:key/tenant-456-key</span><span class="w">
</span></span></span></code></pre></div><p>Query with tenant context:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Set</span><span class="w"> </span><span class="py">tenant</span><span class="w"> </span><span class="py">context</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">session</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SET</span><span class="w"> </span><span class="py">SESSION</span><span class="w"> </span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">tenant</span><span class="err">-</span><span class="py">123</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Geode</span><span class="w"> </span><span class="py">automatically</span><span class="w"> </span><span class="py">uses</span><span class="w"> </span><span class="py">tenant</span><span class="err">-</span><span class="py">123</span><span class="err">'</span><span class="py">s</span><span class="w"> </span><span class="py">DEK</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">decryption</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">d</span><span class="p">:</span><span class="nc">Document</span><span class="p">)</span><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">d</span><span class="err">.</span><span class="py">category</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">financial</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">d</span><span class="err">.</span><span class="py">title</span><span class="p">,</span><span class="w"> </span><span class="py">d</span><span class="err">.</span><span class="py">content</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p>Each tenant’s data is encrypted with its own key, so cross-tenant data access is prevented even if the database is compromised.</p>
<h4 id="tablespace-level-encryption" class="position-relative d-flex align-items-center group">
<span>Tablespace-Level Encryption</span>
</h4><p>Encrypt different tablespaces with different keys:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">encrypted</span><span class="w"> </span><span class="py">tablespace</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">sensitive</span><span class="w"> </span><span class="py">data</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">TABLESPACE</span><span class="w"> </span><span class="py">sensitive_data</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">LOCATION</span><span class="w"> </span><span class="err">'/</span><span class="py">var</span><span class="err">/</span><span class="py">lib</span><span class="err">/</span><span class="py">geode</span><span class="err">/</span><span class="py">tablespaces</span><span class="err">/</span><span class="py">sensitive</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="p">(</span><span class="py">encryption</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">aes</span><span class="err">-</span><span class="py">256</span><span class="err">-</span><span class="py">gcm</span><span class="err">'</span><span class="p">,</span><span class="w"> </span><span class="py">kms_key_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">high</span><span class="err">-</span><span class="py">security</span><span class="err">-</span><span class="py">key</span><span class="err">'</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">encrypted</span><span class="w"> </span><span class="py">tablespace</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">regular</span><span class="w"> </span><span class="py">data</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">TABLESPACE</span><span class="w"> </span><span class="py">regular_data</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">LOCATION</span><span class="w"> </span><span class="err">'/</span><span class="py">var</span><span class="err">/</span><span class="py">lib</span><span class="err">/</span><span class="py">geode</span><span class="err">/</span><span class="py">tablespaces</span><span class="err">/</span><span class="py">regular</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="p">(</span><span class="py">encryption</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">aes</span><span class="err">-</span><span class="py">256</span><span class="err">-</span><span class="py">gcm</span><span class="err">'</span><span class="p">,</span><span class="w"> </span><span class="py">kms_key_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">standard</span><span class="err">-</span><span class="py">security</span><span class="err">-</span><span class="py">key</span><span class="err">'</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Assign</span><span class="w"> </span><span class="py">graphs</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">tablespaces</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">financial_data</span><span class="w"> </span><span class="py">TABLESPACE</span><span class="w"> </span><span class="py">sensitive_data</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">analytics_data</span><span class="w"> </span><span class="py">TABLESPACE</span><span class="w"> </span><span class="py">regular_data</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p>Benefits: Different security levels, independent key rotation, compliance segmentation.</p>
<h4 id="key-rotation-without-downtime" class="position-relative d-flex align-items-center group">
<span>Key Rotation Without Downtime</span>
</h4><p>Rotate encryption keys while the database remains online:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Initiate key rotation</span>
</span></span><span class="line"><span class="cl">geode admin rotate-tde-key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --old-key-id arn:aws:kms:us-east-1:123:key/old-key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --new-key-id arn:aws:kms:us-east-1:123:key/new-key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --rotation-mode online
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Monitor rotation progress</span>
</span></span><span class="line"><span class="cl">geode admin show-key-rotation-status
</span></span><span class="line"><span class="cl"><span class="c1"># Output:</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Rotation ID: rot-20260124-001</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Status: In Progress</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Progress: 1,234,567 / 5,000,000 pages (24.7%)</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Estimated completion: 2026-01-24 18:30:00</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Old DEKs re-encrypted: 45 / 100</span>
</span></span><span class="line"><span class="cl"><span class="c1"># New DEKs created: 45</span>
</span></span></code></pre></div><p>Online rotation process:</p>
<ol>
<li>New DEKs created with new MEK</li>
<li>Background process re-encrypts old DEKs with new MEK</li>
<li>Newly written data uses new DEKs</li>
<li>Old data gradually re-encrypted during maintenance windows</li>
<li>Rollback possible until 100% complete</li>
</ol>
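<p>As an added example (not Geode's code), the Go program below models the mechanism behind both the multi-tenant and the online-rotation patterns above: one master encryption key wraps one AES-256-GCM data encryption key per tenant, the session tenant id selects the DEK and is bound into the ciphertext as AAD, and an MEK rotation re-wraps the DEKs one at a time without touching data pages, retiring the old MEK only at 100%. The in-memory MEK map standing in for the KMS, and the names KeyStore, wrappedDEK, RotateStep and FinishRotation, are this example's own assumptions; the page-level re-encryption of steps 3 and 4 is left out because an MEK rotation does not require it.</p>

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyStore is a constructed model (added example, not Geode's code) of the envelope encryption
// behind per-tenant keys and online MEK rotation: one MEK wraps one 32-byte DEK per tenant, and
// pages are sealed under the tenant's DEK with AES-256-GCM, the tenant id serving as AAD.
type KeyStore struct {
	meks      map[string][]byte     // MEK id -> key; stands in for the KMS or HSM
	deks      map[string]wrappedDEK // tenant id -> wrapped DEK
	activeMEK string                // MEK used for newly created DEKs
}

type wrappedDEK struct {
	mekID string // MEK this DEK is currently wrapped under
	blob  []byte // nonce || GCM ciphertext of the raw DEK, with the tenant id as AAD
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal returns nonce||ciphertext; open fails on a wrong key or wrong AAD, which is what isolates tenants.
func seal(key, plaintext, aad []byte) []byte {
	nonce := randomBytes(12) // standard GCM nonce size
	return gcm(key).Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], aad)
}

func NewKeyStore(mekID string) *KeyStore {
	ks := &KeyStore{meks: map[string][]byte{}, deks: map[string]wrappedDEK{}}
	ks.StartRotation(mekID) // creates the first MEK and makes it active
	return ks
}

// wrap binds the DEK to its tenant through the AAD, so a wrapped DEK cannot be re-labelled.
func (ks *KeyStore) wrap(tenant string, dek []byte, mekID string) {
	ks.deks[tenant] = wrappedDEK{mekID, seal(ks.meks[mekID], dek, []byte(tenant))}
}
func (ks *KeyStore) ProvisionTenant(tenant string) { ks.wrap(tenant, randomBytes(32), ks.activeMEK) }

// DEK unwraps the tenant's key; this is what the session tenant_id selects at query time.
func (ks *KeyStore) DEK(tenant string) ([]byte, error) {
	w := ks.deks[tenant]
	mek, ok := ks.meks[w.mekID]
	if !ok { // unknown tenant or MEK gone: the "Failed to retrieve MEK" case under Common Issues
		return nil, errors.New("no usable MEK for tenant " + tenant)
	}
	return open(mek, w.blob, []byte(tenant))
}

// Online MEK rotation: new DEKs use the new MEK at once; existing DEKs are re-wrapped one per
// RotateStep while the old MEK stays readable, so queries never block and no page is rewritten.
func (ks *KeyStore) StartRotation(newMEKID string) {
	ks.meks[newMEKID] = randomBytes(32)
	ks.activeMEK = newMEKID
}

// RotateStep re-wraps one DEK still under oldMEKID; it returns false once none is left.
func (ks *KeyStore) RotateStep(oldMEKID string) (bool, error) {
	for tenant, w := range ks.deks {
		if w.mekID == oldMEKID {
			dek, err := open(ks.meks[oldMEKID], w.blob, []byte(tenant))
			if err != nil {
				return false, err
			}
			ks.wrap(tenant, dek, ks.activeMEK)
			return true, nil
		}
	}
	return false, nil
}

// FinishRotation refuses before 100%, which keeps rollback to the old MEK possible until then.
func (ks *KeyStore) FinishRotation(oldMEKID string) error {
	for tenant, w := range ks.deks {
		if w.mekID == oldMEKID {
			return errors.New("DEK for " + tenant + " still wrapped under " + oldMEKID)
		}
	}
	delete(ks.meks, oldMEKID)
	return nil
}
```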
<h4 id="hardware-security-module-hsm-integration" class="position-relative d-flex align-items-center group">
<span>Hardware Security Module (HSM) Integration</span>
</h4><p>Use hardware-backed key storage for maximum security:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># geode.yaml with PKCS#11 HSM</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">encryption</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">algorithm</span><span class="p">:</span><span class="w"> </span><span class="l">aes-256-gcm</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kms</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l">pkcs11</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">library_path</span><span class="p">:</span><span class="w"> </span><span class="l">/usr/lib/softhsm/libsofthsm2.so</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">slot_id</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pin_file</span><span class="p">:</span><span class="w"> </span><span class="l">/secure/hsm_pin</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key_label</span><span class="p">:</span><span class="w"> </span><span class="l">geode-master-encryption-key</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># HSM-specific settings</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">use_hsm_crypto</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="c"># Use HSM for encrypt/decrypt operations</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cache_deks_in_hsm</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="c"># Store DEKs in HSM memory</span><span class="w">
</span></span></span></code></pre></div><p>Initialize HSM key:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Initialize HSM slot</span>
</span></span><span class="line"><span class="cl">softhsm2-util --init-token --slot <span class="m">0</span> --label <span class="s2">"geode-hsm"</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Generate master key in HSM</span>
</span></span><span class="line"><span class="cl">pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --login --keygen --key-type AES:32 <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --label geode-master-encryption-key
</span></span></code></pre></div>
<h4 id="encryption-performance-optimization" class="position-relative d-flex align-items-center group">
<span>Encryption Performance Optimization</span>
</h4><p>Optimize TDE for your hardware:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># geode.yaml performance tuning</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">encryption</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">algorithm</span><span class="p">:</span><span class="w"> </span><span class="l">aes-256-gcm</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Performance optimizations</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">use_aes_ni</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="c"># Use hardware AES acceleration</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cache_deks</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dek_cache_size_mb</span><span class="p">:</span><span class="w"> </span><span class="m">512</span><span class="w"> </span><span class="c"># Large cache for many tablespaces</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dek_cache_ttl_seconds</span><span class="p">:</span><span class="w"> </span><span class="m">3600</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Parallelization</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">encrypt_threads</span><span class="p">:</span><span class="w"> </span><span class="m">8</span><span class="w"> </span><span class="c"># Parallel encryption for writes</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">decrypt_threads</span><span class="p">:</span><span class="w"> </span><span class="m">16</span><span class="w"> </span><span class="c"># Parallel decryption for reads</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Batching</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">encryption_batch_size</span><span class="p">:</span><span class="w"> </span><span class="m">128</span><span class="w"> </span><span class="c"># Pages to encrypt in batch</span><span class="w">
</span></span></span></code></pre></div><p>Benchmark configuration:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Test read performance with TDE</span>
</span></span><span class="line"><span class="cl">geode benchmark <span class="nb">read</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --queries<span class="o">=</span><span class="m">1000000</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --threads<span class="o">=</span><span class="m">32</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --with-tde <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --output<span class="o">=</span>tde-read-results.json
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Test write performance</span>
</span></span><span class="line"><span class="cl">geode benchmark write <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --inserts<span class="o">=</span><span class="m">1000000</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --threads<span class="o">=</span><span class="m">32</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --with-tde <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --output<span class="o">=</span>tde-write-results.json
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Compare with non-encrypted baseline</span>
</span></span><span class="line"><span class="cl">geode benchmark <span class="nb">read</span> --queries<span class="o">=</span><span class="m">1000000</span> --threads<span class="o">=</span><span class="m">32</span> --without-tde
</span></span></code></pre></div><p>Typical results with AES-NI:</p>
<ul>
<li>Read overhead: 2-4%</li>
<li>Write overhead: 4-8%</li>
<li>CPU increase: 10-15%</li>
</ul>
<h4 id="compliance-audit-trail" class="position-relative d-flex align-items-center group">
<span>Compliance Audit Trail</span>
</h4><p>Generate TDE compliance reports:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Verify</span><span class="w"> </span><span class="py">encryption</span><span class="w"> </span><span class="py">status</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CALL</span><span class="w"> </span><span class="py">dbms</span><span class="err">.</span><span class="py">security</span><span class="err">.</span><span class="py">encryption</span><span class="err">.</span><span class="py">audit</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">YIELD</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">tablespace</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">encrypted</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">algorithm</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">key_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">key_created_at</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">last_rotation</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">pages_encrypted</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">pages_total</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">encryption_percentage</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">tablespace</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">encrypted</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">encryption_percentage</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">last_rotation</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">tablespace</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">List</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">encryption</span><span class="w"> </span><span class="py">keys</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CALL</span><span class="w"> </span><span class="py">dbms</span><span class="err">.</span><span class="py">security</span><span class="err">.</span><span class="py">encryption</span><span class="err">.</span><span class="py">listKeys</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">YIELD</span><span class="w"> </span><span class="py">key_id</span><span class="p">,</span><span class="w"> </span><span class="py">algorithm</span><span class="p">,</span><span class="w"> </span><span class="py">created_at</span><span class="p">,</span><span class="w"> </span><span class="py">status</span><span class="p">,</span><span class="w"> </span><span class="py">usage_count</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">key_id</span><span class="p">,</span><span class="w"> </span><span class="py">algorithm</span><span class="p">,</span><span class="w"> </span><span class="py">created_at</span><span class="p">,</span><span class="w"> </span><span class="py">status</span><span class="p">,</span><span class="w"> </span><span class="py">usage_count</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">created_at</span><span class="w"> </span><span class="py">DESC</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">key</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">logs</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">timestamp</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">key_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">operation</span><span class="p">,</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">encrypt</span><span class="p">,</span><span class="w"> </span><span class="py">decrypt</span><span class="p">,</span><span class="w"> </span><span class="py">rotate</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">user_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">success</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">error_message</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">tde_audit</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">timestamp</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">current_timestamp</span><span class="p">()</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">INTERVAL</span><span class="w"> </span><span class="err">'</span><span class="py">7</span><span class="w"> </span><span class="py">days</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">timestamp</span><span class="w"> </span><span class="py">DESC</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p>Export for compliance reporting:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python">from datetime import datetime


def generate_tde_compliance_report(db):
    """Generate quarterly TDE compliance report.

    db is the Geode connection handle; result rows are read as dicts.
    """
    now = datetime.now()
    quarter = (now.month - 1) // 3 + 1   # datetime has no .quarter attribute
    report = {
        'period': f"Q{quarter} {now.year}",
        'encryption_status': {},
        'key_management': {},
        'access_audit': {}
    }

    # Verify all data encrypted
    result = db.execute("""
        CALL dbms.security.encryption.audit()
        YIELD tablespace, encrypted, encryption_percentage
        RETURN tablespace, encrypted, encryption_percentage
    """)

    report['encryption_status'] = {
        row['tablespace']: {
            'encrypted': row['encrypted'],
            'percentage': row['encryption_percentage']
        }
        for row in result.rows
    }

    # Verify key rotation compliance
    result = db.execute("""
        CALL dbms.security.encryption.listKeys()
        YIELD key_id, created_at, last_rotation
        RETURN key_id, created_at, last_rotation
    """)

    for row in result.rows:
        days_since_rotation = (now - row['last_rotation']).days
        report['key_management'][row['key_id']] = {
            'age_days': days_since_rotation,
            'compliant': days_since_rotation &lt; 365  # Annual rotation required
        }

    return report
</code></pre></div>
<h4 id="crypto-shredding-for-data-deletion" class="position-relative d-flex align-items-center group">
<span>Crypto-Shredding for Data Deletion</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="crypto-shredding-for-data-deletion"
aria-haspopup="dialog"
aria-label="Share link: Crypto-Shredding for Data Deletion">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><p>Implement cryptographic erasure for secure data deletion:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Delete</span><span class="w"> </span><span class="py">data</span><span class="w"> </span><span class="py">cryptographically</span><span class="w"> </span><span class="py">by</span><span class="w"> </span><span class="py">destroying</span><span class="w"> </span><span class="py">its</span><span class="w"> </span><span class="py">DEK</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CALL</span><span class="w"> </span><span class="py">dbms</span><span class="err">.</span><span class="py">security</span><span class="err">.</span><span class="py">cryptoShred</span><span class="p">(</span><span class="err">'</span><span class="py">tablespace_archived_2023</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">YIELD</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">tablespace</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">dek_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">dek_destroyed</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">data_rendered_unrecoverable</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">timestamp</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="err">*;</span><span class="w">
</span></span></span></code></pre></div><p>Crypto-shredding is faster than deleting billions of records and gives mathematical certainty that the data is unrecoverable, provided no other copy of the destroyed DEK survives (for example in a backup). This makes it essential for GDPR “right to be forgotten” compliance.</p>
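<p>The mechanism behind <code>cryptoShred</code>, as an added illustration that is not Geode's code: each tablespace gets its own DEK, the DEK is persisted only wrapped under the master key, and shredding deletes every wrapped copy so the pages left on disk can no longer be decrypted. To stay stdlib-only and runnable offline, the cipher is an HMAC-SHA256 keystream with an HMAC tag standing in for AES-GCM; <code>TdeStore</code>, its method names and the sample pages are all constructed for this example.</p>

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib stand-in for AES-GCM (constructed example)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key fails closed."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or corrupted data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class TdeStore:
    """Toy envelope-encrypted store: one DEK per tablespace, wrapped under the MEK."""

    def __init__(self, mek: bytes):
        self._mek = mek              # stands in for the master key held in KMS
        self.wrapped_deks = {}       # tablespace -> DEK encrypted under the MEK
        self.pages = {}              # tablespace -> encrypted pages "on disk"

    def create_tablespace(self, name: str) -> None:
        dek = secrets.token_bytes(32)
        self.wrapped_deks[name] = encrypt(self._mek, dek)   # only the wrapped form persists

    def _dek(self, name: str) -> bytes:
        if name not in self.wrapped_deks:
            raise KeyError(f"DEK for {name} has been destroyed")
        return decrypt(self._mek, self.wrapped_deks[name])

    def write(self, name: str, page: bytes) -> None:
        self.pages.setdefault(name, []).append(encrypt(self._dek(name), page))

    def read(self, name: str) -> list:
        dek = self._dek(name)
        return [decrypt(dek, p) for p in self.pages[name]]

    def crypto_shred(self, name: str, backups=()) -> dict:
        """Destroy every wrapped copy of the DEK (live store and any backups).
        The ciphertext pages stay on disk but nothing can decrypt them any more."""
        self.wrapped_deks.pop(name, None)
        for backup in backups:                # a surviving copy would undo the shred
            backup.pop(name, None)
        return {"tablespace": name, "dek_destroyed": True,
                "data_rendered_unrecoverable": name not in self.wrapped_deks
                and all(name not in b for b in backups),
                "pages_still_on_disk": len(self.pages.get(name, []))}
```

The <code>backups</code> argument is the point to check in a real deployment: a wrapped DEK copied into a key backup or a snapshot before the shred still decrypts the archived pages.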
<h4 id="tde-disaster-recovery" class="position-relative d-flex align-items-center group">
<span>TDE Disaster Recovery</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="tde-disaster-recovery"
aria-haspopup="dialog"
aria-label="Share link: TDE Disaster Recovery">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h4><p>Backup encryption keys securely:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Export MEK reference (NOT the key itself)</span>
</span></span><span class="line"><span class="cl">geode admin export-tde-config <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --output<span class="o">=</span>/backups/tde-config.json
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Backup should contain:</span>
</span></span><span class="line"><span class="cl"><span class="c1"># - KMS key ARN/ID</span>
</span></span><span class="line"><span class="cl"><span class="c1"># - Algorithm configuration</span>
</span></span><span class="line"><span class="cl"><span class="c1"># - DEK metadata</span>
</span></span><span class="line"><span class="cl"><span class="c1"># NOT the actual encryption keys!</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Keys remain in KMS - disaster recovery restores access, not keys themselves</span>
</span></span></code></pre></div><p>Recover a TDE-encrypted database:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Step 1: Restore database from backup</span>
</span></span><span class="line"><span class="cl">geode restore --backup<span class="o">=</span>/backups/geode-full-20260124.tar.gz
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Step 2: Configure KMS access</span>
</span></span><span class="line"><span class="cl">geode admin configure-tde <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --kms-provider aws-kms <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --kms-key-id arn:aws:kms:us-east-1:123:key/abc-def
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Step 3: Verify key access</span>
</span></span><span class="line"><span class="cl">geode admin test-tde-access
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Step 4: Start database (auto-loads DEKs from KMS)</span>
</span></span><span class="line"><span class="cl">geode serve --data /var/lib/geode
</span></span></code></pre></div>
<h3 id="tde-monitoring-and-alerting" class="position-relative d-flex align-items-center group">
<span>TDE Monitoring and Alerting</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="tde-monitoring-and-alerting"
aria-haspopup="dialog"
aria-label="Share link: TDE Monitoring and Alerting">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h3><p>Set up monitoring for encryption health:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># prometheus_rules.yml</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">groups</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">geode_tde</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">alert</span><span class="p">:</span><span class="w"> </span><span class="l">TDEKeyUnavailable</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">expr</span><span class="p">:</span><span class="w"> </span><span class="l">geode_tde_key_access_failures > 0</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">for</span><span class="p">:</span><span class="w"> </span><span class="l">5m</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">summary</span><span class="p">:</span><span class="w"> </span><span class="s2">"TDE encryption key unavailable"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">alert</span><span class="p">:</span><span class="w"> </span><span class="l">TDEPerformanceDegradation</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">expr</span><span class="p">:</span><span class="w"> </span><span class="l">rate(geode_tde_decrypt_duration_seconds[5m]) > 0.01</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">for</span><span class="p">:</span><span class="w"> </span><span class="l">10m</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">summary</span><span class="p">:</span><span class="w"> </span><span class="s2">"TDE decryption taking longer than expected"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">alert</span><span class="p">:</span><span class="w"> </span><span class="l">TDEKeyRotationOverdue</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">expr</span><span class="p">:</span><span class="w"> </span><span class="l">geode_tde_key_age_days > 365</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">summary</span><span class="p">:</span><span class="w"> </span><span class="s2">"TDE key rotation overdue (>365 days)"</span><span class="w">
</span></span></span></code></pre></div>
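<p>How the gauges the rules above read can be derived from the TDE audit data, as an added example that is not Geode's code: <code>geode_tde_key_access_failures</code> from rows of <code>system.tde_audit</code> and <code>geode_tde_key_age_days</code> from <code>listKeys()</code>, with the rule thresholds applied and the <code>for:</code> hold time emulated so a transient KMS blip does not fire <code>TDEKeyUnavailable</code>. The audit rows, key records and evaluation series are constructed sample data; the column names follow the queries shown earlier on this page.</p>

```python
from datetime import datetime, timedelta

NOW = datetime(2026, 1, 15, 12, 0, 0)   # fixed "current time" for the sample data

# Constructed rows in the shape of system.tde_audit (one row per key operation).
AUDIT_ROWS = [
    {"timestamp": NOW - timedelta(minutes=1), "key_id": "dek-orders", "operation": "decrypt",
     "user_id": "svc-api", "success": False, "error_message": "KMS: AccessDeniedException"},
    {"timestamp": NOW - timedelta(minutes=2), "key_id": "dek-orders", "operation": "decrypt",
     "user_id": "svc-api", "success": False, "error_message": "KMS: AccessDeniedException"},
    {"timestamp": NOW - timedelta(minutes=3), "key_id": "dek-users", "operation": "encrypt",
     "user_id": "svc-api", "success": True, "error_message": None},
    {"timestamp": NOW - timedelta(hours=2), "key_id": "dek-users", "operation": "rotate",
     "user_id": "dba", "success": False, "error_message": "timeout"},   # outside the window
]
# Constructed rows in the shape of dbms.security.encryption.listKeys().
KEYS = [
    {"key_id": "dek-orders", "last_rotation": NOW - timedelta(days=30)},
    {"key_id": "dek-users", "last_rotation": NOW - timedelta(days=400)},
]
# Constructed per-minute evaluation series (timestamp, condition_true) for held_for():
# a transient blip that clears within two minutes, and a sustained outage.
TRANSIENT = [(NOW - timedelta(minutes=m), m in (8, 7, 2)) for m in range(9, -1, -1)]
SUSTAINED = [(NOW - timedelta(minutes=m), m <= 6) for m in range(9, -1, -1)]
FIVE_MINUTES = timedelta(minutes=5)


def key_access_failures(rows, now, window=timedelta(minutes=5)):
    """geode_tde_key_access_failures: failed key operations per key_id in the window."""
    counts = {}
    for r in rows:
        if now - r["timestamp"] <= window and not r["success"]:
            counts[r["key_id"]] = counts.get(r["key_id"], 0) + 1
    return counts


def key_age_days(keys, now):
    """geode_tde_key_age_days: days since each key was last rotated."""
    return {k["key_id"]: (now - k["last_rotation"]).days for k in keys}


def evaluate_rules(rows, keys, now):
    """Apply the thresholds from prometheus_rules.yml; returns (alert, key_id) pairs."""
    alerts = []
    for key_id, n in key_access_failures(rows, now).items():
        if n > 0:
            alerts.append(("TDEKeyUnavailable", key_id))
    for key_id, age in key_age_days(keys, now).items():
        if age > 365:
            alerts.append(("TDEKeyRotationOverdue", key_id))
    return sorted(alerts)


def held_for(samples, hold):
    """Emulate a rule's `for:` clause: true only if the condition has held
    continuously for at least `hold`. samples: [(timestamp, condition_true)]."""
    start = None
    for ts, cond in sorted(samples):
        if cond:
            start = start or ts
            if ts - start >= hold:
                return True
        else:
            start = None
    return False
```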
<h3 id="related-topics" class="position-relative d-flex align-items-center group">
<span>Related Topics</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="related-topics"
aria-haspopup="dialog"
aria-label="Share link: Related Topics">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h3><ul>
<li><strong><a
href="/tags/fle/"
>Field-Level Encryption (FLE)</a>
</strong>: Encrypt specific sensitive fields</li>
<li><strong><a
href="/tags/security/"
>Security</a>
</strong>: Overall security features</li>
<li><strong><a
href="/tags/encryption/"
>Encryption</a>
</strong>: Encryption capabilities</li>
<li><strong><a
href="/tags/compliance/"
>Compliance</a>
</strong>: Regulatory compliance</li>
<li><strong><a
href="/tags/authentication/"
>Authentication</a>
</strong>: Access control</li>
<li><strong><a
href="/tags/audit-logging/"
>Audit Logging</a>
</strong>: Security audit trails</li>
<li><strong><a
href="/tags/backup/"
>Backup</a>
</strong>: Encrypted backup strategies</li>
</ul>
<h3 id="further-reading" class="position-relative d-flex align-items-center group">
<span>Further Reading</span>
<button type="button"
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1"
data-share-target="further-reading"
aria-haspopup="dialog"
aria-label="Share link: Further Reading">
<i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i>
<span class="visually-hidden">Share link</span>
</button>
</h3><ul>
<li><strong><a
href="/docs/security/"
>Security Guide</a>
</strong>: Complete security documentation</li>
<li><strong><a
href="/docs/security/kms-integration/"
>KMS Integration</a>
</strong>: Key management service integration</li>
<li><strong><a
href="/docs/query/performance-tuning/"
>Performance Tuning</a>
</strong>: TDE performance optimization</li>
<li><strong><a
href="/docs/operations/disaster-recovery/"
>Disaster Recovery</a>
</strong>: TDE-encrypted backup recovery</li>
</ul>
<p>Geode’s Transparent Data Encryption provides enterprise-grade protection for data at rest with minimal performance overhead and zero application changes—essential for regulated industries and security-conscious deployments.</p>