Database

The tdx Volt offers built-in support for Sqlite database resources. This enables the creation of an arbitrary number of databases, each governed by the tdx Volt policy.

Encryption

As with the tdx Volt metadata store, database resources support encryption at rest. The key is derived from the tdx Volt root key, but can be configured.

Policy

The policy can be applied to database resources as either read or write permission to the entire database. Read permission enforces that only SELECT statements can be executed on the database, whereas write permission permits execution of any SQL statement.

Audit

Database resources can be configured to audit reads and/or writes.

Locks

Sqlite does not support multi-threaded/mult-process access very well, however the tdx Volt database API implementation essentially acts as a gatekeeper of the underlying database and as such is able to marshal access.

The implementation utilises the write-ahead logging mode of Sqlite, which supports unlimited concurrent โ€˜readโ€™ clients along with a single โ€˜writeโ€™ client. The tdx Volt SQLite grpc server exposes this functionality through a simple protobuf interface.

In summary:

  • The tdx Volt SQLite server supports multiple clients executing SELECT statements concurrently.
  • A SELECT statement will never block, even if a write statement is executing.
  • A single client can successfully execute any statement other than SELECT, (e.g. INSERT, UPDATE, DELETE etc).
  • A non-SELECT statement will succeeed even if there are in-flight SELECT statements running for other clients.
  • If two or more clients attempt to write concurrently, the server will block the clients until the write-lock is free and then complete each pending statement. This is an improvement over the standard SQLite interface, which will create an SQL_BUSY error in this scenario.

Stand-alone server

The tdx Volt core has built-in support for SQLite databases as described above. There is also a stand-alone version of the server available as a utility. This enables configurations whereby the database server is running on a different machine from the tdx Volt itself.

The **tdx Volt** offers clients the ability to register services for consumption by other clients and it is anticipated that support for other types of databases will be gradually increased as the need arises, both as built-in services and stand-alone servers.