基于TEE的新一代数据库加密系统

基于TEE的新一代数据库加密系统——安永数据库加密系统是基于芯片级密钥安全、可搜索加密(Searchable Encryption)、硬件可信执行环境 (Trusted Execution Environment) 等实现敏感数据加密存储的数据库防泄漏产品。系统支持使用国产加密算法SM4对敏感数据加密，支持列/表/库等不同细粒度的加密配置，可应用于关系型数据库的结构化数据加密，支持国产信创环境，有效满足各类用户的等保、分保测评、数据安全防护需求。 安永数据库加密系统，是业内领先基于TEE的数据加密产品，从密钥安全性、数据保密性两个层面大幅提升系统数据的安全性。一是通过芯片级硬件安全技术，对密钥生产、使用、保存进行全生命周期保护，避免明文暴露；二是基于信创底座安全优势，构建“密钥+数据”双重加密保护机制；三是基于自研工程化可搜索加密技术，创新解决数据全量加密后的索引难题。做到密钥不出安全域、无明文暴露、数据硬件隔离级安全，创新解决“拖库”难题。已被认定为安徽省新产品。

The next-generation Trusted Execution Environment (TEE)-based database encryption system, the EY Database Encryption System, is a database anti-leakage product that enables encrypted storage of sensitive data by adopting technologies such as chip-level key security, Searchable Encryption, and TEE. It supports encrypting sensitive data with the domestic SM4 encryption algorithm, provides fine-grained encryption configurations for different scopes including columns, tables and databases, can be applied to structured data encryption of relational databases, and is compatible with domestic information technology application innovation (Xinchuang) environments, effectively meeting the requirements of cybersecurity level protection assessment, classified security assessment and data security protection for various users. As an industry-leading TEE-based data encryption product, the EY Database Encryption System significantly improves the data security of the system from two dimensions: key security and data confidentiality. First, it leverages chip-level hardware security technology to protect the entire lifecycle of key generation, usage and storage, avoiding plaintext exposure; second, it constructs a dual encryption protection mechanism of "key + data" based on the security advantages of the Xinchuang infrastructure; third, based on the self-developed engineered searchable encryption technology, it innovatively resolves the indexing challenge after full data encryption. It achieves that keys never leave the security domain, no plaintext exposure, and data security at the hardware isolation level, and innovatively solves the "database dumping" problem. It has been recognized as a New Product of Anhui Province.