From 805a462d7d001d958905e530132a422d8cfb8ebd Mon Sep 17 00:00:00 2001 From: Xiaoguang Sun Date: Sat, 20 Dec 2025 12:55:05 +0800 Subject: [PATCH 1/9] Add explanation to dual-layer encryption Signed-off-by: Xiaoguang Sun --- tidb-cloud/security-concepts.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/tidb-cloud/security-concepts.md b/tidb-cloud/security-concepts.md index c4da4ca74e275..dd52d0fc448cb 100644 --- a/tidb-cloud/security-concepts.md +++ b/tidb-cloud/security-concepts.md @@ -221,6 +221,18 @@ TiDB Cloud safeguards static data with advanced encryption capabilities, ensurin - For TiDB Cloud Dedicated clusters without CMEK, TiDB Cloud uses escrow keys; {{{ .starter }}} and {{{ .essential }}} clusters rely exclusively on escrow keys. +**Dual-layer Encryption** + +- Dual-layer encryption is where two or more independent layers of encryption are enabled to protect against compromises of any one layer of encryption. Using two layers of encryption mitigates threats that come with encrypting data. + +- All persisted data is encrypted-at-rest using the tool of the cloud provider that your cluster is running in. + +- With dual-layer encryption enabled, data is automatically encrypted at rest using CMEK or escrow keys. + +- Dual-layer encryption is disabled by default for {{{ .starter }}} clusters and enabled by default for {{{ .essential }}} clusters. + +- Dual-layer encryption is mandatory for TiDB Cloud Dedicated clusters. + **Best practices:** - Regularly rotate CMEK keys to enhance security and meet compliance standards. 
@@ -255,4 +267,4 @@ Records detailed database operations, including executed SQL statements and user - Use logs for compliance reporting and forensic analysis. -For more information, see [Console Audit Logging](/tidb-cloud/tidb-cloud-console-auditing.md) and [Database Audit Logging](/tidb-cloud/tidb-cloud-auditing.md). \ No newline at end of file +For more information, see [Console Audit Logging](/tidb-cloud/tidb-cloud-console-auditing.md) and [Database Audit Logging](/tidb-cloud/tidb-cloud-auditing.md). From 2ba2b739c2c524af0c81a4109e1276b5fb0ba670 Mon Sep 17 00:00:00 2001 From: Xiaoguang Sun Date: Sat, 20 Dec 2025 12:57:19 +0800 Subject: [PATCH 2/9] Update tidb-cloud/security-concepts.md Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- tidb-cloud/security-concepts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tidb-cloud/security-concepts.md b/tidb-cloud/security-concepts.md index dd52d0fc448cb..ebec7e11ceec9 100644 --- a/tidb-cloud/security-concepts.md +++ b/tidb-cloud/security-concepts.md @@ -221,7 +221,7 @@ TiDB Cloud safeguards static data with advanced encryption capabilities, ensurin - For TiDB Cloud Dedicated clusters without CMEK, TiDB Cloud uses escrow keys; {{{ .starter }}} and {{{ .essential }}} clusters rely exclusively on escrow keys. -**Dual-layer Encryption** +**Dual-layer encryption** - Dual-layer encryption is where two or more independent layers of encryption are enabled to protect against compromises of any one layer of encryption. Using two layers of encryption mitigates threats that come with encrypting data. From 33f66167add3d0a366e87957d89236fc50362b52 Mon Sep 17 00:00:00 2001 
From: Xiaoguang Sun Date: Sat, 20 Dec 2025 12:57:42 +0800 Subject: [PATCH 3/9] Update tidb-cloud/security-concepts.md Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- tidb-cloud/security-concepts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tidb-cloud/security-concepts.md b/tidb-cloud/security-concepts.md index ebec7e11ceec9..3aa7aceec08ac 100644 --- a/tidb-cloud/security-concepts.md +++ b/tidb-cloud/security-concepts.md @@ -223,7 +223,7 @@ TiDB Cloud safeguards static data with advanced encryption capabilities, ensurin **Dual-layer encryption** -- Dual-layer encryption is where two or more independent layers of encryption are enabled to protect against compromises of any one layer of encryption. Using two layers of encryption mitigates threats that come with encrypting data. +- Dual-layer encryption protects data with two or more independent layers of encryption. This method provides enhanced security by protecting against the compromise of any single encryption layer. - All persisted data is encrypted-at-rest using the tool of the cloud provider that your cluster is running in. From 3f75ac533f3d2df8ca2e1424324acfe96f735a71 Mon Sep 17 00:00:00 2001 From: Lilian Lee Date: Mon, 22 Dec 2025 11:23:40 +0800 Subject: [PATCH 4/9] Apply suggestions from code review Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- tidb-cloud/security-concepts.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tidb-cloud/security-concepts.md b/tidb-cloud/security-concepts.md index 3aa7aceec08ac..56ef03da04ac3 100644 --- a/tidb-cloud/security-concepts.md +++ b/tidb-cloud/security-concepts.md 
@@ -225,9 +225,9 @@ TiDB Cloud safeguards static data with advanced encryption capabilities, ensurin - Dual-layer encryption protects data with two or more independent layers of encryption. This method provides enhanced security by protecting against the compromise of any single encryption layer. -- All persisted data is encrypted-at-rest using the tool of the cloud provider that your cluster is running in. +- The cloud provider where your cluster is running encrypts all persisted data at rest using its native tools. -- With dual-layer encryption enabled, data is automatically encrypted at rest using CMEK or escrow keys. +- With dual-layer encryption enabled, TiDB Cloud adds a second layer of security by automatically encrypting data at rest using either CMEK or escrow keys. - Dual-layer encryption is disabled by default for {{{ .starter }}} clusters and enabled by default for {{{ .essential }}} clusters. From f93414809584c2c07d658ea728ddd96621a6a269 Mon Sep 17 00:00:00 2001 From: Lilian Lee Date: Tue, 3 Feb 2026 15:23:58 +0800 Subject: [PATCH 5/9] Apply suggestions from code review --- tidb-cloud/security-concepts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tidb-cloud/security-concepts.md b/tidb-cloud/security-concepts.md index 56ef03da04ac3..ad016f82e3668 100644 --- a/tidb-cloud/security-concepts.md +++ b/tidb-cloud/security-concepts.md 
@@ -223,7 +223,7 @@ TiDB Cloud safeguards static data with advanced encryption capabilities, ensurin **Dual-layer encryption** -- Dual-layer encryption protects data with two or more independent layers of encryption. This method provides enhanced security by protecting against the compromise of any single encryption layer. +- Dual-layer encryption protects data with two independent layers of encryption. This method provides enhanced security by protecting against the compromise of any single encryption layer. - The cloud provider where your cluster is running encrypts all persisted data at rest using its native tools. From acd0e885bbdec9b71e17e435d690ea699ce25803 Mon Sep 17 00:00:00 2001 From: Lilian Lee Date: Tue, 3 Feb 2026 15:24:53 +0800 Subject: [PATCH 6/9] Apply suggestions from code review --- tidb-cloud/security-concepts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tidb-cloud/security-concepts.md b/tidb-cloud/security-concepts.md index ad016f82e3668..b6a9d377059ee 100644 --- a/tidb-cloud/security-concepts.md +++ b/tidb-cloud/security-concepts.md @@ -231,7 +231,7 @@ TiDB Cloud safeguards static data with advanced encryption capabilities, ensurin - Dual-layer encryption is disabled by default for {{{ .starter }}} clusters and enabled by default for {{{ .essential }}} clusters. -- Dual-layer encryption is mandatory for TiDB Cloud Dedicated clusters. +- Dual-layer encryption is enabled by default for all TiDB Cloud Dedicated clusters and cannot be disabled. **Best practices:** From e7eb792dadbe14ee2284cebecdfd0906a00c3d12 Mon Sep 17 00:00:00 2001 From: Lilian Lee Date: Tue, 3 Feb 2026 15:34:05 +0800 Subject: [PATCH 7/9] Update wording --- tidb-cloud/security-concepts.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tidb-cloud/security-concepts.md b/tidb-cloud/security-concepts.md index b6a9d377059ee..2eeea35d5b1c6 100644 --- a/tidb-cloud/security-concepts.md +++ b/tidb-cloud/security-concepts.md 
@@ -225,13 +225,13 @@ TiDB Cloud safeguards static data with advanced encryption capabilities, ensurin - Dual-layer encryption protects data with two independent layers of encryption. This method provides enhanced security by protecting against the compromise of any single encryption layer. -- The cloud provider where your cluster is running encrypts all persisted data at rest using its native tools. +- The cloud provider where your cluster is running encrypts all persisted data at rest using its native storage-level encryption mechanisms. -- With dual-layer encryption enabled, TiDB Cloud adds a second layer of security by automatically encrypting data at rest using either CMEK or escrow keys. +- On top of the cloud provider's encryption, TiDB Cloud adds a second encryption layer by automatically encrypting data at rest using either customer-managed encryption keys (CMEK) or escrow keys. -- Dual-layer encryption is disabled by default for {{{ .starter }}} clusters and enabled by default for {{{ .essential }}} clusters. +- Dual-layer encryption is **disabled** by default for {{{ .starter }}} clusters and **enabled** by default for {{{ .essential }}} clusters. -- Dual-layer encryption is enabled by default for all TiDB Cloud Dedicated clusters and cannot be disabled. +- Dual-layer encryption is **enabled** by default for all TiDB Cloud Dedicated clusters and cannot be disabled. **Best practices:** From cffee46ff2138f3166f6c60c7e8ff772d7734e1e Mon Sep 17 00:00:00 2001 From: Lilian Lee Date: Tue, 3 Feb 2026 15:47:38 +0800 Subject: [PATCH 8/9] Update wording --- tidb-cloud/security-concepts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tidb-cloud/security-concepts.md b/tidb-cloud/security-concepts.md index 2eeea35d5b1c6..b70aa0b1f05ec 100644 --- a/tidb-cloud/security-concepts.md +++ b/tidb-cloud/security-concepts.md 
@@ -231,7 +231,7 @@ TiDB Cloud safeguards static data with advanced encryption capabilities, ensurin - Dual-layer encryption is **disabled** by default for {{{ .starter }}} clusters and **enabled** by default for {{{ .essential }}} clusters. -- Dual-layer encryption is **enabled** by default for all TiDB Cloud Dedicated clusters and cannot be disabled. +- Dual-layer encryption is **enabled** by default for TiDB Cloud Dedicated clusters and cannot be disabled. **Best practices:** From b23e8702e99b44c52e61a73da8b85d91578ea8f0 Mon Sep 17 00:00:00 2001 From: Lilian Lee Date: Tue, 3 Feb 2026 16:05:41 +0800 Subject: [PATCH 9/9] Refine dedicated wording --- tidb-cloud/security-concepts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tidb-cloud/security-concepts.md b/tidb-cloud/security-concepts.md index b70aa0b1f05ec..bc0d303a87b15 100644 --- a/tidb-cloud/security-concepts.md +++ b/tidb-cloud/security-concepts.md @@ -231,7 +231,7 @@ TiDB Cloud safeguards static data with advanced encryption capabilities, ensurin - Dual-layer encryption is **disabled** by default for {{{ .starter }}} clusters and **enabled** by default for {{{ .essential }}} clusters. -- Dual-layer encryption is **enabled** by default for TiDB Cloud Dedicated clusters and cannot be disabled. +- {{{ .dedicated }}} clusters **always use** dual-layer encryption. If CMEK is not enabled, TiDB Cloud uses an escrow key to encrypt all data in your cluster at rest. **Best practices:**
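Review bot: In the first hunk of PATCH 1/9 (`@@ -221,6 +221,18 @@`), the sentence "Using two layers of encryption mitigates threats that come with encrypting data" is logically off: it reads as if encryption itself introduces the threats. Say what the second layer actually mitigates, for example "...mitigates the risk that the compromise of a single key or encryption layer exposes the data." The same hunk also never says which of the two bullets is the added layer: "All persisted data is encrypted-at-rest using the tool of the cloud provider" and "With dual-layer encryption enabled, data is automatically encrypted at rest using CMEK or escrow keys" read as two alternatives rather than one layer stacked on the other; prefix the second bullet with "On top of the cloud provider's encryption, ..." so the reader can tell which layer TiDB Cloud controls. Finally, "disabled by default for {{{ .starter }}} clusters" invites the question of how to enable it; add a link to the setting or the page that describes it.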
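Review bot: The second hunk of PATCH 1/9 (`@@ -255,4 +267,4 @@`) only adds the missing trailing newline at the end of the file; the change is fine to keep, but it is unrelated to the dual-layer text and is not mentioned in the commit message ("Add explanation to dual-layer encryption"), so either note it there or move it to its own commit.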
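Review bot: In the PATCH 3/9 hunk, "This method provides enhanced security by protecting against the compromise of any single encryption layer" only holds if the two layers are keyed independently, and the bullet does not say so. State who holds each key: the provider's storage-level key on one layer, and either the customer's CMEK or a TiDB Cloud escrow key on the other. Without that, "independent layers" is an assertion the reader cannot check, and "enhanced security" is filler that can be dropped.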
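Review bot: In the PATCH 4/9 hunk, "using its native tools" is too vague for a security concepts page (a reader cannot tell whether this means disk encryption, object-storage encryption, or a KMS), and "adds a second layer of security" should be "second layer of encryption", since that is what the section is describing. PATCH 7/9 later refines both phrases to "native storage-level encryption mechanisms" and "second encryption layer", so this is already addressed in the series; consider squashing the two commits.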
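Review bot: In the PATCH 6/9 hunk, "is enabled by default for all TiDB Cloud Dedicated clusters and cannot be disabled" contradicts itself: "by default" implies a setting the user can change, while "cannot be disabled" says there is none. Use "always enabled" or "always uses dual-layer encryption" instead. PATCH 9/9 makes exactly this change, so the intermediate wording in PATCH 6/9 and PATCH 8/9 could be squashed away.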
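Review bot: In the PATCH 7/9 hunk, the expansion "customer-managed encryption keys (CMEK)" appears after the acronym has already been used unexpanded in the context line "For TiDB Cloud Dedicated clusters without CMEK"; move the expansion to the first use in the section or drop it here. The bolded **disabled** / **enabled** in the same hunk is a reasonable emphasis, but keep the style consistent with the rest of the section, which does not bold other defaults.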
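Review bot: In the PATCH 9/9 hunk, the new bullet switches to the `{{{ .dedicated }}}` template variable while the same section still uses the literal "TiDB Cloud Dedicated clusters" (visible in the context line of PATCH 1/9, "For TiDB Cloud Dedicated clusters without CMEK, TiDB Cloud uses escrow keys"); pick one form for the whole section. The second sentence, "If CMEK is not enabled, TiDB Cloud uses an escrow key to encrypt all data in your cluster at rest", also restates that earlier bullet almost word for word, so either drop it here or fold the two into one statement.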