# Security

- [Securing MariaDB](/docs/server/security/securing-mariadb.md): Overview of security best practices for MariaDB, covering privilege separation, mandatory access control (SELinux), and vulnerability tracking.
- [Running MariaDB as root](/docs/server/security/securing-mariadb/running-mariadbd-as-root.md): Understand the implications of running MariaDB Server as root. This section highlights security risks and provides guidance on configuring MariaDB Server to operate with less privileged user accounts.
- [MariaDB on SELinux](/docs/server/security/securing-mariadb/selinux.md): Secure MariaDB Server with SELinux. This section guides you through configuring SELinux policies to enhance the security posture of your MariaDB deployments on Linux systems.
- [Encryption](/docs/server/security/encryption.md): Enhance MariaDB Server security with encryption. This section covers data-at-rest and in-transit encryption, helping you protect sensitive information and meet compliance requirements.
- [TLS and Cryptography Libraries](/docs/server/security/encryption/tls-and-cryptography-libraries-used-by-mariadb.md): Explains how MariaDB links to cryptography libraries (OpenSSL, wolfSSL, GnuTLS, Schannel) either statically or dynamically, and how to verify the active library and version.
- [Data-in-Transit Encryption](/docs/server/security/encryption/data-in-transit-encryption.md): Secure MariaDB Server data in transit with encryption. This section covers configuring SSL/TLS to protect communication between clients and the database, ensuring confidentiality and integrity.
- [Secure Connections Overview](/docs/server/security/encryption/data-in-transit-encryption/secure-connections-overview.md): Conceptual overview of data-in-transit encryption in MariaDB, discussing supported TLS libraries (OpenSSL, wolfSSL), protocol versions (tls\_version), and certificate verification.
- [Securing Connections for Client and Server](/docs/server/security/encryption/data-in-transit-encryption/securing-connections-for-client-and-server.md): Complete MariaDB security guide. Complete resource for user management, access control, SSL/TLS encryption, and audit policies with comprehensive examples.
- [Zero-Configuration SSL](/docs/server/security/encryption/data-in-transit-encryption/zero-configuration-ssl.md): MariaDB 11.4+ offers Zero-Configuration SSL, enabling automatic, MITM-secure encryption by default using passwords as a shared secret, eliminating the need for manual certificate management.
- [Replication with Secure Connections](/docs/server/security/encryption/data-in-transit-encryption/replication-with-secure-connections.md): A guide to securing replication traffic between primary and replica servers, covering the use of CHANGE MASTER TO options (e.g., MASTER\_SSL) and mutual authentication.
- [Enabling TLS on MariaDB Server](/docs/server/security/encryption/data-in-transit-encryption/data-in-transit-encryption-enabling-tls-on-mariadb-server.md): Step-by-step instructions for configuring MariaDB Server to use TLS by setting system variables like ssl\_cert, ssl\_key, and ssl\_ca in the configuration file.
- [Certificate Creation with OpenSSL](/docs/server/security/encryption/data-in-transit-encryption/certificate-creation-with-openssl.md): Complete OpenSSL TLS certificate guide: generate CA key/cert and server key/CSR, sign X509 with openssl x509 -CA/-CAkey, and verify certificates.
- [SSL/TLS System Variables](/docs/server/security/encryption/data-in-transit-encryption/ssltls-system-variables.md): Reference list of system variables related to TLS configuration, such as ssl\_cipher, ssl\_crl, and have\_ssl, used to manage and monitor encryption settings.
- [Using TLSv1.3](/docs/server/security/encryption/data-in-transit-encryption/using-tlsv13.md): Information about TLSv1.3 support in MariaDB (available with OpenSSL 1.1.1+), noting that the ssl\_cipher variable does not affect TLSv1.3 cipher suites.
- [Data-at-Rest Encryption](/docs/server/security/encryption/data-at-rest-encryption.md): Secure MariaDB Server data at rest with encryption. This section details how to protect your sensitive information stored on disk, ensuring data confidentiality and compliance.
- [Data-at-Rest Encryption Overview](/docs/server/security/encryption/data-at-rest-encryption/data-at-rest-encryption-overview.md): Complete Data-at-Rest Encryption overview: InnoDB/Aria tablespace encryption, innodb\_encrypt\_log=1, encrypt\_tmp\_files=ON, and key plugin rotation.
- [Managing Binary Log Encryption](/docs/server/security/encryption/data-at-rest-encryption/managing-binary-log-encryption.md)
- [Disabling Data-at-Rest Encryption](/docs/server/security/encryption/data-at-rest-encryption/disabling-data-at-rest-encryption-for-standalone-servers.md): Guide to safely disabling data-at-rest encryption on a standalone server by systematically decrypting tables and logs.
- [Why to Encrypt MariaDB Data](/docs/server/security/encryption/data-at-rest-encryption/why-encrypt-mariadb-data.md): Explains the importance of data-at-rest encryption for mitigating physical theft risks and meeting regulatory compliance standards such as GDPR, HIPAA, and PCI DSS.
- [Aria Encryption](/docs/server/security/encryption/data-at-rest-encryption/aria-encryption.md): Learn about Aria encryption in MariaDB Server for data at rest. This section details how to encrypt Aria tablespaces, providing enhanced security for your stored data.
- [Aria: Encryption Overview](/docs/server/security/encryption/data-at-rest-encryption/aria-encryption/aria-encryption-overview.md): Introduction to encrypting Aria tables, covering the necessary system variables (aria\_encrypt\_tables, encrypt\_tmp\_disk\_tables) and how to verify encryption status by inspecting data files.
- [Aria: Enabling Encryption](/docs/server/security/encryption/data-at-rest-encryption/aria-encryption/aria-enabling-encryption.md): Step-by-step guide to enabling encryption for user-created and internal temporary Aria tables, including the requirement to manually rebuild existing tables using ALTER TABLE.
- [Aria: Encryption Keys](/docs/server/security/encryption/data-at-rest-encryption/aria-encryption/aria-encryption-keys.md): Details how Aria manages encryption keys (using ID 1 for user tables and ID 2 for temporary tables) and notes limitations regarding key rotation and per-table key assignment.
- [Aria: Disabling Encryption](/docs/server/security/encryption/data-at-rest-encryption/aria-encryption/aria-disabling-encryption.md): Instructions for safely disabling encryption on Aria tables, emphasizing the need to rebuild tables to an unencrypted state before removing key management plugins.
- [InnoDB Encryption](/docs/server/security/encryption/data-at-rest-encryption/innodb-encryption.md): Learn about InnoDB encryption for data at rest. This section details how to encrypt InnoDB tablespaces, ensuring strong data security and compliance for your mission-critical applications.
- [InnoDB: Encryption Overview](/docs/server/security/encryption/data-at-rest-encryption/innodb-encryption/innodb-encryption-overview.md): Introduction to InnoDB's encryption architecture, explaining how data is encrypted/decrypted during disk I/O, the role of the buffer pool (where data is unencrypted), and how to verify encryption stat
- [InnoDB: Enabling Encryption](/docs/server/security/encryption/data-at-rest-encryption/innodb-encryption/innodb-enabling-encryption.md): Step-by-step guide to enabling encryption for InnoDB, covering the configuration of innodb\_encrypt\_tables for automatic encryption and the use of ENCRYPTED=YES table options for per-table encryption.
- [InnoDB: Encryption Keys](/docs/server/security/encryption/data-at-rest-encryption/innodb-encryption/innodb-encryption-keys.md): How InnoDB manages encryption keys using 32-bit integer IDs, including the default key ID (innodb\_default\_encryption\_key\_id), assigning specific keys to tables, and the process of key rotation.
- [InnoDB: Disabling Encryption](/docs/server/security/encryption/data-at-rest-encryption/innodb-encryption/disabling-innodb-encryption.md): Instructions for safely disabling encryption on InnoDB tables, emphasizing the critical need to decrypt all tablespaces and redo logs using background threads or ALTER TABLE.
- [InnoDB: Background Encryption Threads](/docs/server/security/encryption/data-at-rest-encryption/innodb-encryption/innodb-background-encryption-threads.md): Details the operation of background threads (configured via innodb\_encryption\_threads) which handle key rotation, and the encryption/decryption of tablespaces when global settings.
- [InnoDB: Encryption Troubleshooting](/docs/server/security/encryption/data-at-rest-encryption/innodb-encryption/innodb-encryption-troubleshooting.md): Solutions for common issues such as Error 1005 (Wrong create options) when configuring encryption, and handling cases where encryption key IDs are set for unencrypted tables.
- [Key Management and Encryption Plugins](/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins.md): Explore key management and encryption plugins for MariaDB Server. This section details how to manage encryption keys and leverage plugins for robust data-at-rest protection.
- [Encryption Key Management](/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/encryption-key-management.md): Overview of key management in MariaDB, discussing the need for plugins to manage encryption keys, support for multiple keys (ID 1 for system, ID 2 for temp), and key rotation capabilities.
- [File Key Management Encryption Plugin](/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/file-key-management-encryption-plugin.md): Details the File Key Management plugin, which reads encryption keys from a plain-text (or encrypted) file, serving as a simple solution or reference implementation for data-at-rest encryption.
- [AWS Key Management Encryption Plugin](/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/aws-key-management-encryption-plugin.md): Introduction to the AWS Key Management plugin, which uses Amazon KMS to generate and store master keys, decrypting them at startup to enable data-at-rest encryption with key rotation support.
- [Amazon Web Services (AWS) Key Management Service (KMS) Encryption Plugin Advanced Usage](/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/aws-key-management-encryption-plugin-advanced-usage.md): Step-by-step tutorial for setting up the AWS KMS plugin, covering the creation of a Customer Master Key (CMK) in AWS, configuring IAM roles for EC2, and installing the plugin from source.
- [Amazon Web Services (AWS) Key Management Service (KMS) Encryption Plugin Setup Guide](/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/aws-key-management-encryption-plugin-setup-guide.md): Advanced configuration guide for the AWS KMS plugin, detailing how to secure key access using IAM policies, restrict usage by IP address, and implement Multi-Factor Authentication (MFA).
- [Hashicorp Key Management Plugin](/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/hashicorp-key-management-plugin.md): Guide to using the HashiCorp Key Management plugin, which integrates MariaDB with HashiCorp Vault for centralized, secure key storage and lifecycle management.
- [Uninstall Key Management Plugins](/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/uninstall-key-management-plugins.md): Final step of removing key management plugins from the configuration once all data and logs have been confirmed as unencrypted.
- [User Account Management](/docs/server/security/user-account-management.md): Master user account management in MariaDB Server. This section covers creating, modifying, and revoking user privileges to ensure secure and controlled access to your databases.
- [Roles](/docs/server/security/user-account-management/roles.md): Manage roles in MariaDB Server for streamlined user access control. This section explains how to create, assign, and manage roles to simplify privilege management and enhance security.
- [Roles Overview](/docs/server/security/user-account-management/roles/roles_overview.md): Overview of Role-Based Access Control (RBAC) in MariaDB, which simplifies privilege management by allowing permissions to be grouped into roles and assigned to users.
- [System Users, Roles, Privileges](/docs/server/security/user-account-management/roles/system-users-roles-and-privileges.md): Details default system users like mariadb.sys and the PUBLIC role, including their creation, purpose, and special management behaviors.
- [Account Locking](/docs/server/security/user-account-management/account-locking.md): Explains how to lock and unlock user accounts using CREATE USER and ALTER USER statements to prevent login access without deleting the account.
- [Authentication](/docs/server/security/user-account-management/authentication-from-mariadb-10-4.md): Details the authentication changes introduced in MariaDB 10.4, including multiple authentication plugins per user, the mysql.global\_priv table, and the default unix\_socket authentication for root.
- [Incrementing of the access\_denied\_errors Status Variable](/docs/server/security/user-account-management/incrementing-of-the-access_denied_errors-status-variable.md): Describes the conditions that trigger the access\_denied\_errors status variable, such as failed logins, invalid privileges, or missing SSL requirements, aiding in security monitoring.
- [User Password Expiry](/docs/server/security/user-account-management/user-password-expiry.md): Guide to configuring password expiration policies, including setting global lifetimes via default\_password\_lifetime or per-user limits, and handling expired password connections.
- [Catalogs](/docs/server/security/user-account-management/catalogs.md): Introduction to Catalogs, a multi-tenancy feature for isolating database objects and users, planned for future MariaDB releases.
- [Catalogs Overview](/docs/server/security/user-account-management/catalogs/catalogs-overview.md)
- [Starting with Catalogs](/docs/server/security/user-account-management/catalogs/starting-with-catalogs.md): Guide to initializing a MariaDB server with catalog support using `mariadb-install-db --catalogs` and adding new catalogs to a running instance.
- [Catalog-Specific Functions and Variables](/docs/server/security/user-account-management/catalogs/catalog-specific-functions-and-variables.md): Documents the catalog() function, which returns the current catalog name, and the @@catalogs system variable, which indicates if the server is configured for catalogs.
- [Catalog Status Variables](/docs/server/security/user-account-management/catalogs/catalog-status-variables.md): Covers status variables related to catalog operations and performance, useful for monitoring multi-tenant environments.
- [Connecting to a Server Configured for Catalogs](/docs/server/security/user-account-management/catalogs/connecting-to-a-server-configured-for-catalogs.md): Explains how to connect to a specific catalog using the --catalog client option or the catalog\_name.database\_name syntax.
- [CREATE CATALOG](/docs/server/security/user-account-management/catalogs/create-catalog.md): Define external catalogs for data integration. This statement configures connections to remote storage systems, allowing query access to external data sources.
- [SHOW CREATE CATALOG](/docs/server/security/user-account-management/catalogs/show-create-catalog.md): Reference for the SHOW CREATE CATALOG statement, which displays the SQL statement used to create a specific catalog.
- [SHOW CATALOGS](/docs/server/security/user-account-management/catalogs/show-catalogs.md): Reference for the SHOW CATALOGS statement, which lists all available catalogs on the server.
- [USE CATALOG](/docs/server/security/user-account-management/catalogs/use-catalog.md): Reference for the USE CATALOG statement, allowing a user to switch their current session's context to a different catalog.
- [DROP CATALOG](/docs/server/security/user-account-management/catalogs/drop-catalog.md): Reference for the DROP CATALOG statement, used to remove a catalog and all its associated databases and users.
- [Authentication with Enterprise Server](/docs/server/security/authentication-with-enterprise-server.md): Learn about authentication with MariaDB Enterprise Server. This section covers advanced authentication methods & plugins to enhance security and integrate with enterprise identity management systems.
- [Authentication for MariaDB Enterprise Server](/docs/server/security/authentication-with-enterprise-server/authentication-for-mariadb-enterprise-server.md): Overview of user account authentication using plugins like pam or unix\_socket and managing security with password validation plugins.
- [Authentication with gssapi](/docs/server/security/authentication-with-enterprise-server/authentication-with-gssapi.md): Instructions for installing and configuring the gssapi plugin to validate user credentials against services like Kerberos or NTLM.
- [Limiting Size of Created Disk Temporary Files and Tables](/docs/server/security/limiting-size-of-created-disk-temporary-files-and-tables.md): The ability to limit the size of created disk temporary files and tables was introduced in MariaDB 11.5.
- [Limiting Size of Created Disk Temporary Files and Tables Overview](/docs/server/security/limiting-size-of-created-disk-temporary-files-and-tables/limiting-size-of-created-disk-temporary-files-and-tables-overview.md): Overview of the feature introduced in MariaDB 11.5 to limit disk space used by temporary files and internal on-disk temporary tables to prevent disk exhaustion.
- [max\_tmp\_session\_space\_usage System Variable](/docs/server/security/limiting-size-of-created-disk-temporary-files-and-tables/max_tmp_session_space_usage-system-variable.md): Documentation for the system variable that restricts the maximum total size of temporary files and tables allowed for an individual user session.
- [max\_tmp\_total\_space\_usage System Variable](/docs/server/security/limiting-size-of-created-disk-temporary-files-and-tables/max_tmp_total_space_usage-system-variable.md): Reference for the global system variable that defines the maximum cumulative disk space all user connections can consume for temporary files and tables.
- [Security Vulnerabilities (CVE) Fixed in MariaDB](/docs/server/security/cve.md): Lists of Security Vulnerabilities (CVE) fixed in MariaDB products.
- [Security Vulnerabilities (CVE) Fixed in MariaDB Enterprise Server](/docs/server/security/cve/enterprise-server.md): This page contains a full list of CVEs fixed in all versions and series of MariaDB Enterprise Server.
- [Security Vulnerabilities (CVE) Fixed in MariaDB Community Server](/docs/server/security/cve/community-server.md): Full list of CVEs fixed in all versions and series of MariaDB Community Server.
- [Security Vulnerabilities (CVE) Fixed in Oracle MySQL That Did Not Exist in MariaDB](/docs/server/security/cve/security-vulnerabilities-in-oracle-mysql-that-did-not-exist-in-mariadb.md): Reference list of security vulnerabilities (CVEs) found in Oracle MySQL that do not affect MariaDB, helping administrators distinguish relevant threats.
