Privacy regulations such as the General Data Protection Regulation (GDPR) impose strict requirements on how personal data is stored, processed, and audited. While key-value stores (KVS) are widely used in latency-sensitive applications, their simple data model and untrusted cloud deployment environments make GDPR compliance particularly challenging. Existing approaches require invasive code modifications, impose high performance overheads, or overlook the integrity of compliance mechanisms themselves. This paper presents GDPRuler, a trusted middleware system that enables verifiable GDPR compliance for KVS on untrusted clouds without modifying their codebase. GDPRuler deploys a trusted GDPR monitor inside a Confidential Virtual Machine (CVM), which enforces GDPR policies, manages compliance metadata, and maintains tamper-evident audit logs. A declarative policy language translates core GDPR obligations into enforceable runtime rules. To ensure efficiency, GDPRuler encodes metadata compactly within KV records, builds dedicated metadata indexes for GDPR-specific queries, and logs only compliance-relevant events in a space-efficient format. We implement GDPRuler as a transparent proxy for unmodified Redis and RocksDB deployments. Evaluation with YCSB and GDPR-inspired workloads shows that GDPRuler enforces core compliance guarantees with low overheads: GDPRuler achieves ~61% of native KVS throughput with the CVM environment contributing 28%-32% of it, metadata storage overhead remains below 20%, and GDPR queries benefit from 13-182x speedup through metadata indexing. By embedding verifiable policy enforcement into a trusted middleware layer, GDPRuler offers a practical path toward GDPR-compliant KVS on untrusted cloud infrastructures.
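To make the abstract's mechanisms concrete, here is an added example (not GDPRuler's code, and not the paper's policy language) of a minimal trusted-monitor proxy in front of an unmodified KV backend: it packs owner, permitted purposes and retention expiry into a compact fixed-size header in front of each value, keeps a per-owner metadata index so an erasure request does not scan the whole store, denies reads whose purpose or retention window the policy does not allow, and records compliance-relevant events in a SHA-256 hash chain that can be verified for tampering. The purpose bitmask, the 13-byte header layout, the in-memory dict standing in for Redis, and all sample keys and values are constructed assumptions.

```python
"""Toy GDPR-enforcing KV proxy (added example; not GDPRuler's implementation).

Assumptions (not from the paper): purposes are a bitmask, compliance metadata is
a fixed 13-byte header prepended to the value, and the audit log is a hash chain.
"""
import hashlib
import struct
import time

# Constructed purpose bitmask; a stand-in for a declarative policy language.
PURPOSES = {"billing": 1, "analytics": 2, "support": 4}
# owner id (u32), purpose mask (u8), retention expiry as unix seconds (u64)
HEADER = struct.Struct(">IBQ")


def purpose_mask(purposes):
    mask = 0
    for p in purposes:
        mask |= PURPOSES[p]
    return mask


class PolicyViolation(Exception):
    pass


class GDPRProxy:
    """Sits between clients and an unmodified KV backend (a dict stands in for Redis)."""

    def __init__(self, backend=None, now=time.time):
        self.backend = {} if backend is None else backend
        self.now = now
        self.owner_index = {}   # metadata index: owner id -> set of keys
        self.audit = []         # hash chain: (prev_hash, entry_bytes, entry_hash)

    def _log(self, event):
        prev = self.audit[-1][2] if self.audit else b"\x00" * 32
        entry = event.encode()
        self.audit.append((prev, entry, hashlib.sha256(prev + entry).digest()))

    def put(self, key, value, owner, purposes, ttl_seconds):
        expiry = int(self.now()) + ttl_seconds
        header = HEADER.pack(owner, purpose_mask(purposes), expiry)
        self.backend[key] = header + value          # metadata travels with the record
        self.owner_index.setdefault(owner, set()).add(key)
        self._log(f"PUT {key} owner={owner} purposes={sorted(purposes)} exp={expiry}")

    def get(self, key, purpose):
        raw = self.backend.get(key)
        if raw is None:
            return None
        owner, mask, expiry = HEADER.unpack_from(raw)
        if self.now() >= expiry:                    # retention limit enforced on read
            self._log(f"DENY {key} reason=expired")
            raise PolicyViolation("retention period elapsed")
        if not mask & PURPOSES[purpose]:            # purpose limitation
            self._log(f"DENY {key} reason=purpose:{purpose}")
            raise PolicyViolation(f"purpose {purpose!r} not permitted")
        self._log(f"GET {key} purpose={purpose}")
        return raw[HEADER.size:]

    def erase_owner(self, owner):
        """Right to erasure: the owner index replaces a full-store scan."""
        keys = self.owner_index.pop(owner, set())
        for k in keys:
            self.backend.pop(k, None)
        self._log(f"ERASE owner={owner} count={len(keys)}")
        return len(keys)

    def verify_audit(self):
        prev = b"\x00" * 32
        for stored_prev, entry, h in self.audit:
            if stored_prev != prev or hashlib.sha256(prev + entry).digest() != h:
                return False
            prev = h
        return True


def demo():
    clock = [1_700_000_000]                         # constructed, controllable clock
    p = GDPRProxy(now=lambda: clock[0])
    p.put("user:42:email", b"a@example.org", owner=42, purposes={"billing"}, ttl_seconds=3600)
    p.put("user:42:ip", b"198.51.100.7", owner=42, purposes={"analytics", "support"}, ttl_seconds=60)
    p.put("user:7:email", b"b@example.org", owner=7, purposes={"billing"}, ttl_seconds=3600)
    r = {"billing_ok": p.get("user:42:email", "billing") == b"a@example.org"}
    try:
        p.get("user:42:email", "analytics")
        r["purpose_denied"] = False
    except PolicyViolation:
        r["purpose_denied"] = True
    clock[0] += 120                                 # move past the 60 s retention window
    try:
        p.get("user:42:ip", "support")
        r["expired_denied"] = False
    except PolicyViolation:
        r["expired_denied"] = True
    r["erased"] = p.erase_owner(42)
    r["remaining"] = sorted(p.backend)
    r["audit_ok"] = p.verify_audit()
    p.audit[1] = (p.audit[1][0], b"tampered", p.audit[1][2])   # simulate log tampering
    r["tamper_detected"] = not p.verify_audit()
    return r
```

The header costs 13 bytes per record, so storage overhead shrinks as values grow; in a real deployment the proxy, its index and the chain head would live inside the CVM so that the untrusted host can neither bypass the checks nor silently edit the log.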