GBase 8a supports transparent storage encryption with the SM4 national cipher. You can encrypt at table level or column level. Enabling it on existing data requires a migration, and it adds a controlled CPU overhead to queries.
Encryption Granularity
- Table‑level: encrypts all columns.
  CREATE TABLE t1 (a INT, b VARCHAR(10)) ENCRYPT;
- Column‑level: encrypts only the sensitive columns you specify.
  CREATE TABLE t2 (a INT, b VARCHAR(10) ENCRYPT, c DATE);
Once set, the encryption attribute cannot be changed via ALTER TABLE. The algorithm is chosen with the _gbase_encrypt_new_mode parameter — 1 for AES (default) or 2 for SM4 — and cannot be switched after encrypted data exists.
Impact on Existing Data
You cannot encrypt an existing table in place. You must create a new table with the ENCRYPT keyword and migrate the data with INSERT ... SELECT. This involves a full table read, encryption computation, and a full write, which can be heavy on disk I/O and CPU for large tables. Schedule such migrations during off‑peak hours on your GBase database.
Impact on Query Performance
Encrypted tables add continuous encryption/decryption overhead to reads and writes:
- Write path: data → compress → encrypt → store
- Read path: store → decrypt → decompress → data
The overhead is CPU‑bound. GBase engineers target <5% overall performance impact. Queries that only touch non‑encrypted columns see no overhead. CPUs with AES‑NI instruction sets significantly accelerate the operations. Encrypted tables cannot use DBLINK, and with cipher‑text keys, transactional access is prohibited.
Key Management
- Plain‑text keys: automatically generated, no password required; encryption is transparent to users.
- Cipher‑text keys: protected by a user password. You must open the certificate with
  ALTER ENCRYPTION CERTIFICATE OPEN IDENTIFIED BY 'password'
  before accessing encrypted tables; DML fails once the certificate is closed.
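The following is an added example, not code from the original post or from the GBase documentation, that walks through both the migration described under "Impact on Existing Data" and the cipher‑text key workflow above in one session. It assumes a plain‑text source table named sales_plain, a cipher‑text certificate that was created earlier with the placeholder password 'change-me', and that RENAME TABLE and SELECT COUNT(*) behave as in MySQL‑compatible GBase 8a; the table and column names are constructed for illustration.

```sql
-- Added example (not the original post's or GBase's own code).
-- Assumptions: sales_plain exists and holds the plain-text data; the session
-- user may create and rename tables; a cipher-text key certificate was created
-- earlier with the constructed placeholder password 'change-me'.

-- 1. Open the cipher-text key certificate for this session. Without this,
--    DML against tables protected by a cipher-text key fails.
ALTER ENCRYPTION CERTIFICATE OPEN IDENTIFIED BY 'change-me';

-- 2. Create the encrypted target table up front: the encryption attribute
--    cannot be added later with ALTER TABLE. Only the sensitive column is
--    marked ENCRYPT, so queries that touch customer_id, sale_date or amount
--    pay no encryption/decryption overhead.
CREATE TABLE sales_enc (
  customer_id INT,
  card_number VARCHAR(19) ENCRYPT,
  sale_date   DATE,
  amount      DECIMAL(12,2)
);

-- 3. Migrate in an off-peak window: this is a full read of sales_plain,
--    encryption of card_number for every row, and a full write of sales_enc.
INSERT INTO sales_enc (customer_id, card_number, sale_date, amount)
SELECT customer_id, card_number, sale_date, amount
FROM sales_plain;

-- 4. Verify before cutting over: row counts of source and target must match.
SELECT (SELECT COUNT(*) FROM sales_plain) AS plain_rows,
       (SELECT COUNT(*) FROM sales_enc)   AS enc_rows;

-- 5. Swap the names so applications read the encrypted table. Keep the old
--    plain-text copy only until it has been verified and securely removed.
RENAME TABLE sales_plain TO sales_plain_old, sales_enc TO sales_plain;
```

Step 2 is where the granularity decision is made: marking only card_number keeps the CPU cost confined to queries that actually read or write that column, and step 4 is the check to run before dropping the plain‑text copy, since the migration cannot be reversed into the original table by ALTER TABLE.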
Recommendations
Encrypt only truly sensitive columns to limit performance impact. Create new tables as encrypted from the start. Use encryption‑accelerated CPUs and monitor CPU usage. Avoid full scans on encrypted columns. Weigh the convenience of plain‑text keys against the security of cipher‑text keys based on your threat model.