# Data-at-Rest Encryption Overview

## Overview

Encrypting tables makes it almost impossible for someone who obtains or steals a hard disk to get at the original data. This functionality is also known as *Transparent Data Encryption* (TDE).

{% hint style="warning" %}
All of the following assumes that encryption keys are stored on another system.
{% endhint %}

{% hint style="info" %}
Using encryption has an overhead of roughly *3-5%*.
{% endhint %}

## Encryption and Decryption Lifecycle

MariaDB performs data-at-rest encryption at specific points during disk I/O operations. When data is written to disk, encryption usually takes place; when data is read back into memory, decryption takes place. Data stored in memory (for example, in buffer pools) is often decrypted while in use.

## Which Storage Engines Does MariaDB Encryption Support?

MariaDB encryption is fully supported for the [InnoDB](https://mariadb.com/docs/server/server-usage/storage-engines/innodb) storage engine. Encryption is also supported for the Aria storage engine, but only for tables created with `ROW_FORMAT=PAGE` (the default), and for the binary log (replication log).

MariaDB allows the user to configure flexibly what to encrypt. In InnoDB, one can choose to encrypt:

* everything — all tablespaces (with all tables) (with [innodb\_encrypt\_tables=1](https://mariadb.com/docs/server/server-usage/storage-engines/innodb/innodb-system-variables#innodb_encrypt_tables))
* individual tables
* everything, excluding individual tables

Additionally, one can choose to encrypt InnoDB log files (recommended, with [innodb\_encrypt\_log=1](https://mariadb.com/docs/server/server-usage/storage-engines/innodb/innodb-system-variables#innodb_encrypt_log)) and InnoDB Temporary Tables (with [innodb\_encrypt\_temporary\_tables=1](https://mariadb.com/docs/server/server-usage/storage-engines/innodb/innodb-system-variables#innodb_encrypt_temporary_tables)).

When [innodb\_encrypt\_log=1](https://mariadb.com/docs/server/server-usage/storage-engines/innodb/innodb-system-variables#innodb_encrypt_log) or [innodb\_encrypt\_temporary\_tables=1](https://mariadb.com/docs/server/server-usage/storage-engines/innodb/innodb-system-variables#innodb_encrypt_temporary_tables) is set, an encryption key with key ID 1 must be defined. See [Enabling InnoDB Encryption](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/innodb-encryption/innodb-enabling-encryption).
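A worked example of the choices just described, added here and not part of the MariaDB documentation: it assumes a key management plugin is already loaded with key IDs 1 and 2 defined, that `innodb_encryption_threads` is greater than zero, and the table names are hypothetical.

```sql
-- Added example (not from the MariaDB documentation): choosing what to encrypt
-- in InnoDB and verifying the result. Assumes the key management plugin is
-- loaded and its key file defines at least key IDs 1 and 2.

-- 1. Encrypt everything by default. innodb_encrypt_tables is dynamic, so it can
--    be switched at runtime; the background encryption threads
--    (innodb_encryption_threads > 0) then encrypt existing tablespaces.
SET GLOBAL innodb_encrypt_tables = ON;

-- 2. An individual table with its own key (key ID 2 must exist in the plugin).
CREATE TABLE payments (
  id BIGINT PRIMARY KEY,
  card_token VARBINARY(64)
) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=2;

-- 3. Exclude a single table from the "encrypt everything" default.
--    This is only accepted while innodb_encrypt_tables=ON; with
--    innodb_encrypt_tables=FORCE the server refuses ENCRYPTED=NO tables.
CREATE TABLE public_catalog (
  sku VARCHAR(32) PRIMARY KEY,
  title VARCHAR(200)
) ENGINE=InnoDB ENCRYPTED=NO;

-- 4. Verify which tablespaces are encrypted, with which key ID and key
--    version, and whether background threads are still working on them.
--    ENCRYPTION_SCHEME = 1 means the tablespace is encrypted, 0 means it is not.
SELECT NAME, ENCRYPTION_SCHEME, CURRENT_KEY_ID, CURRENT_KEY_VERSION,
       ROTATING_OR_FLUSHING
  FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
 ORDER BY NAME;

-- 5. The log and temporary-table settings are read only at startup, so they
--    belong in my.cnf rather than SET GLOBAL; both require key ID 1 to exist.
--    This query only confirms what the running server was started with.
SHOW GLOBAL VARIABLES WHERE Variable_name IN
  ('innodb_encrypt_tables', 'innodb_encrypt_log',
   'innodb_encrypt_temporary_tables', 'innodb_encryption_threads');
```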

## Limitations

These limitations exist in the data-at-rest encryption implementation:

* Only data and only at rest is encrypted. Metadata (for example `.frm` files) and data sent to the client are not encrypted (but see [Secure Connections](https://mariadb.com/docs/server/security/encryption/data-in-transit-encryption)).
* Only the MariaDB server knows how to decrypt the data. In particular:
  * [mariadb-binlog](https://mariadb.com/docs/server/clients-and-utilities/logging-tools/mariadb-binlog) can read encrypted binary logs only when `--read-from-remote-server` is used ([MDEV-8813](https://jira.mariadb.org/browse/MDEV-8813)).
  * [Percona XtraBackup](https://mariadb.com/docs/server/clients-and-utilities/legacy-clients-and-utilities/backing-up-and-restoring-databases-percona-xtrabackup/percona-xtrabackup-overview) cannot back up instances that use encrypted InnoDB. However, MariaDB's fork, [MariaDB Backup](https://mariadb.com/docs/server/server-usage/backup-and-restore/mariadb-backup), can back up encrypted instances.
* The [Audit plugin](https://mariadb.com/docs/server/reference/plugins/mariadb-audit-plugin) cannot create encrypted output. Send it to syslog and configure the protection there instead.
* File-based [general query log](https://mariadb.com/docs/server/server-management/server-monitoring-logs/general-query-log) and [slow query log](https://mariadb.com/docs/server/server-management/server-monitoring-logs/slow-query-log) cannot be encrypted ([MDEV-9639](https://jira.mariadb.org/browse/MDEV-9639)).
* The Aria log is not encrypted ([MDEV-8587](https://jira.mariadb.org/browse/MDEV-8587)). This affects only non-temporary Aria tables though.
* The MariaDB [error log](https://mariadb.com/docs/server/server-management/server-monitoring-logs/error-log) is not encrypted. The error log can contain query text and data in some cases, including crashes, assertion failures, and cases where InnoDB writes monitor output to the log to aid in debugging. It can be sent to syslog too, if needed.

## Encryption Key Management

MariaDB's data-at-rest encryption requires the use of a [key management and encryption plugin](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/encryption-key-management). These plugins are responsible both for the management of encryption keys and for the actual encryption and decryption of data.

MariaDB supports the use of [multiple encryption keys](https://mariadb.com/docs/server/security/encryption/key-management-and-encryption-plugins/encryption-key-management#using-multiple-encryption-keys). Each encryption key uses a 32-bit integer as a key identifier. If the specific plugin supports [key rotation](https://mariadb.com/docs/server/security/encryption/key-management-and-encryption-plugins/encryption-key-management#rotating-keys), then encryption keys can also be rotated, which creates a new version of the encryption key.

How MariaDB manages encryption keys depends on which encryption key management solution you choose. Currently, MariaDB has three options:

* [File Key Management Plugin](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/file-key-management-encryption-plugin)
* [AWS Key Management Plugin](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/aws-key-management-encryption-plugin)
* [Hashicorp Key Management Plugin](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/hashicorp-key-management-plugin)

Once you have a key management and encryption plugin set up and configured for your server, you can begin using encryption options to better secure your data.

## Encrypting Data

Encryption occurs whenever MariaDB writes pages to disk. Encrypting table data requires that you install a [key management and encryption plugin](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/encryption-key-management), such as the [File Key Management](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/file-key-management-encryption-plugin) plugin. Once you have a plugin set up and configured, you can enable encryption for your InnoDB and Aria tables.

### Encrypting Table Data

MariaDB supports data-at-rest encryption for the InnoDB and Aria storage engines. Additionally, it supports encrypting the [InnoDB redo log](https://mariadb.com/docs/server/server-usage/storage-engines/innodb/innodb-redo-log) and internal on-disk temporary tables that use the Aria storage engine.

* [Encrypting Data for InnoDB](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/innodb-encryption/innodb-encryption-overview)
* [Encrypting Data for Aria](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/aria-encryption/aria-encryption-overview)

### Encrypting Temporary Files

MariaDB also creates temporary files on disk. For example, a binary log cache will be written to a temporary file if the binary log cache exceeds [binlog\_cache\_size](https://mariadb.com/docs/server/ha-and-performance/standard-replication/replication-and-binary-log-system-variables#binlog_cache_size) or [binlog\_stmt\_cache\_size](https://mariadb.com/docs/server/ha-and-performance/standard-replication/replication-and-binary-log-system-variables#binlog_stmt_cache_size), and temporary files are also often used for filesorts during query execution. These temporary files can also be encrypted if [encrypt\_tmp\_files=ON](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#encrypt_tmp_files) is set.

Temporary files created internally by InnoDB, such as those used for merge sorts and row logs, can also be encrypted if [innodb\_encrypt\_log=ON](https://mariadb.com/docs/server/server-usage/storage-engines/innodb/innodb-system-variables) is set. These files are encrypted regardless of whether the tables involved are encrypted or not, and regardless of whether [encrypt\_tmp\_files](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#encrypt_tmp_files) is set or not.

### Encrypting Binary Logs

MariaDB can also encrypt [binary logs](https://mariadb.com/docs/server/server-management/server-monitoring-logs/binary-log) (including [relay logs](https://mariadb.com/docs/server/server-management/server-monitoring-logs/binary-log/relay-log)). See [Encrypting Binary Logs](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/managing-binary-log-encryption) for details.

### Binary and Relay Log Encryption Behavior

#### When is an Event Encrypted?

Binary log and relay log events are encrypted when they are written to the `IO_CACHE`. This happens regardless of whether that cache stays in memory or spills to disk (which depends on the transaction size and the values of `binlog_cache_size` and `binlog_stmt_cache_size`). Hence, events are already encrypted before they are written to the actual binary log and relay log files.

#### When is an Event Decrypted?

When a `START_ENCRYPTION_EVENT` appears in the binary log or relay log, events are decrypted as they are read. This event comes right after the `FORMAT_DESCRIPTION_EVENT` in encrypted binary logs and relay logs, making it the second event in the log file.

## Encryption and Page Compression

Data-at-rest encryption and [InnoDB page compression](https://mariadb.com/docs/server/server-usage/storage-engines/innodb/innodb-page-compression) can be used together. When they are used together, data is first compressed, and then it is encrypted. In this case you save space and still have your data protected.

## Thanks

* Tablespace encryption was donated to the MariaDB project by Google.

We are grateful to these companies for their support of MariaDB!

## See Also

* [Encryption functions](https://mariadb.com/docs/server/reference/sql-functions/secondary-functions/encryption-hashing-and-compression-functions)
* [DES\_DECRYPT()](https://mariadb.com/docs/server/reference/sql-functions/secondary-functions/encryption-hashing-and-compression-functions/des_decrypt)
* [DES\_ENCRYPT()](https://mariadb.com/docs/server/reference/sql-functions/secondary-functions/encryption-hashing-and-compression-functions/des_encrypt)
* A [blog post about table encryption](https://mariadb.com/blog/table-and-tablespace-encryption-mariadb-101/) with benchmark results

<sub>*This page is licensed: CC BY-SA / Gnu FDL*</sub>

