Database
The tdx Volt offers built-in support for SQLite database resources. This enables the creation of an arbitrary number of databases, each governed by the tdx Volt policy.
Encryption
As with the tdx Volt metadata store, database resources support encryption at rest. The key is derived from the tdx Volt root key, but can be configured.
Policy
The policy can be applied to database resources as either read or write permission to the entire database. Read permission enforces that only SELECT statements can be executed on the database, whereas write permission permits execution of any SQL statement.
Data views enable the creation of a virtual table that is a subset of the data in the database. The policy can be applied to data views independently of the underlying database. This allows for fine-grained control over the data that can be accessed at both the row-level and the column-level.
Audit
Database resources can be configured to audit reads and/or writes.
Locks
SQLite does not support multi-threaded/multi-process access very well. However, the tdx Volt database API implementation essentially acts as a gatekeeper of the underlying database and as such is able to marshal access.
The implementation utilises the write-ahead logging mode of SQLite, which supports unlimited concurrent ‘read’ clients along with a single ‘write’ client. The tdx Volt SQLite gRPC server exposes this functionality through a simple protobuf interface.
In summary:
- The tdx Volt SQLite server supports multiple clients executing SELECT statements concurrently.
- A SELECT statement will never block, even if a write statement is executing.
- A single client can successfully execute any statement other than SELECT (e.g. INSERT, UPDATE, DELETE etc).
- A non-SELECT statement will succeed even if there are in-flight SELECT statements running for other clients.
- If two or more clients attempt to write concurrently, the server will block the clients until the write-lock is free and then complete each pending statement. This is an improvement over the standard SQLite interface, which will create an SQLITE_BUSY error in this scenario.
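The locking behaviour summarised above can be reproduced with Python's standard sqlite3 module. This is an added example, not tdx Volt code: `gated_write` and its mutex are a hypothetical stand-in for the server's write marshalling, and the table, file name and values are constructed.

```python
import os, sqlite3, tempfile, threading
from contextlib import closing

def open_db(path):
    # timeout=0 surfaces SQLITE_BUSY at once; isolation_level=None is autocommit
    return sqlite3.connect(path, timeout=0, isolation_level=None)

def demo_wal(path):
    a = open_db(path)
    mode = a.execute("PRAGMA journal_mode=WAL").fetchone()[0]
    a.executescript("CREATE TABLE t (v INTEGER); INSERT INTO t VALUES (1);")
    b, c = open_db(path), open_db(path)
    a.execute("BEGIN IMMEDIATE")            # client A takes the single write lock
    a.execute("INSERT INTO t VALUES (2)")   # uncommitted write in flight
    # Reader B is not blocked and sees the last committed snapshot (one row).
    seen = b.execute("SELECT count(*) FROM t").fetchone()[0]
    try:                                    # second writer C, plain SQLite
        c.execute("INSERT INTO t VALUES (3)")
        busy = False
    except sqlite3.OperationalError as e:   # SQLITE_BUSY: "database is locked"
        busy = "locked" in str(e)
    a.execute("COMMIT")
    for con in (a, b, c):
        con.close()
    return mode, seen, busy

WRITE_LOCK = threading.Lock()               # hypothetical gatekeeper mutex

def gated_write(path, sql, params=()):
    # Writers queue on the mutex instead of failing with SQLITE_BUSY.
    with WRITE_LOCK, closing(open_db(path)) as con:
        con.execute(sql, params)

def demo_gate(path, n=8):
    errors = []
    def worker(i):
        try:
            gated_write(path, "INSERT INTO t VALUES (?)", (i,))
        except sqlite3.Error as e:
            errors.append(e)
    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads: t.start()
    for t in threads: t.join()
    with closing(open_db(path)) as con:     # rows committed, failed writes
        return con.execute("SELECT count(*) FROM t").fetchone()[0], len(errors)

def run():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "demo.db")   # WAL needs a file-backed database
        return demo_wal(path), demo_gate(path)

if __name__ == "__main__":
    print(run())
```

Client C's insert is lost in the ungated case, while all eight gated writers complete without error.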
Stand-alone server
The tdx Volt core has built-in support for SQLite databases as described above. There is also a stand-alone version of the server available as a utility. This enables configurations whereby the database server is running on a different machine from the tdx Volt itself.
The **tdx Volt** offers clients the ability to register services for consumption by other clients. It is anticipated that support for other types of databases will be gradually increased as the need arises, both as built-in services and stand-alone servers.