Sign inTry Free

Securing Data at Rest with IBM Guardium Data Encryption

On this page

This topic describes how to secure data on persistent storage (data at rest) in SingleStore with IBM Guardium Data Encryption. This configuration allows you to protect all SingleStore information, including data files, backups, and logs from unauthorized access, including by unauthorized administrative users. The process is also known as Transparent Database Encryption or TDE.

IBM Guardium Data Encryption encrypts all protected SingleStore data with strong encryption. If the encrypted data is obtained in any way by someone without keys to access it, it will be useless. Even the root user on the Linux system running SingleStore can be prevented from accessing the information directly via the files where it is stored, even if they impersonate a user with access by using sudo. Keys can also be revoked to render data inaccessible.

Getting Started

The certification matrix below shows the versions supported for SingleStore and Guardium Data Encryption:

Certification Matrix

Versions

IBM Guardium Data Encryption

4.0.0.0

SingleStore

7.1.x, 7.3.x or later

Certified OS

RHEL/CentOS 6 or 7 (version 7 is preferred), Debian 8 or 9 (version 9 is preferred)

Process Overview

IBM Guardium Data Encryption is the same product as Thales CipherTrust Transparent Encryption (CTE), formerly known as Vormetric Transparent Encryption (VTE). IBM resells it under the Guardium name. To use IBM Guardium Data Encryption to secure data on persistent storage, follow the process described here for CTE/VTE. IBM Guardium Data Encryption documentation is available here. That documentation also describes the version numbers of CTE/VTE corresponding to each Guardium version.

Last modified: November 28, 2022

Was this article helpful?

On this page

Was this article helpful?

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined

  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined

  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
        cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
          --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
          --bundle undefined \
          --new-bundle-format -
    Verified OK