# Encryption

MariaDB's security architecture distinguishes between data moving across the network (Data-in-Transit) and data stored on disk (Data-at-Rest).

{% columns %}
{% column %}
{% content-ref url="/pages/TSTltR9Dzy0YuipOVvVK" %}
[TLS and Cryptography Libraries](/docs/server/security/encryption/tls-and-cryptography-libraries-used-by-mariadb.md)
{% endcontent-ref %}
{% endcolumn %}

{% column %}
MariaDB links to cryptography libraries (OpenSSL, wolfSSL, GnuTLS, Schannel) either statically or dynamically. The linked page explains how to verify the active library and version.
{% endcolumn %}
{% endcolumns %}

{% columns %}
{% column %}
{% content-ref url="/pages/DfsqBRazU61QxgbpCyVO" %}
[Data-in-Transit Encryption](/docs/server/security/encryption/data-in-transit-encryption.md)
{% endcontent-ref %}
{% endcolumn %}

{% column %}
**Data-in-Transit Encryption**

* Protects credentials and query results from "man-in-the-middle" attacks during client-server communication.
* Uses the TLS protocol. It handles the handshake, identity verification, and encryption of the network stream.
* Utilizes Asymmetric Key Pairs (Public/Private keys) and Certificates (PEM/CRT files) managed by libraries like OpenSSL.
* Defined in the `[mariadb]` section using `ssl_cert`, `ssl_key`, and `ssl_ca`.
{% endcolumn %}
{% endcolumns %}

{% columns %}
{% column %}
{% content-ref url="/pages/VUPEqb8RGR7dX9Nxd0pN" %}
[Data-at-Rest Encryption](/docs/server/security/encryption/data-at-rest-encryption.md)
{% endcontent-ref %}
{% endcolumn %}

{% column %}
**Data-at-Rest Encryption**

* Protects physical data files (InnoDB/Aria tables, Redo logs, and Binary logs) if the storage media or backups are stolen.
* Uses Symmetric Encryption (typically AES) managed by specialized Key Management Plugins.
* Uses Symmetric Keys identified by a `Key ID`. These are fetched from a local file, AWS KMS, or HashiCorp Vault.
* Enabled via variables like `innodb_encrypt_tables` and requires a specific plugin (e.g., `file_key_management`) to be loaded.
{% endcolumn %}
{% endcolumns %}

