Aria Encryption

Learn about Aria encryption in MariaDB Server for data at rest. This section details how to encrypt Aria tables and the internal on-disk temporary tables that use Aria, so that the data files on disk are unreadable without the encryption keys.

Aria Encryption Overview

MariaDB can encrypt data in tables that use the Aria storage engine. This includes both user-created tables and internal on-disk temporary tables that use the Aria storage engine. With encryption enabled, the Aria data and index files (.MAD and .MAI) on disk are ciphertext, so the data is accessible only through a MariaDB server that holds the encryption keys, not by copying the files.

For encryption with the InnoDB and XtraDB storage engines, see Encrypting Data for InnoDB/XtraDB.

Basic Configuration

To enable encryption for tables using the Aria storage engine, there are a couple of server system variables that you need to set. Most users will want to set aria_encrypt_tables and encrypt_tmp_disk_tables.

Users of data-at-rest encryption also need a key management and encryption plugin configured. Examples are the File Key Management Plugin and the AWS Key Management Plugin. A minimal configuration using the File Key Management plugin looks like this:

[mariadb]
...

# File Key Management
plugin_load_add = file_key_management
file_key_management_filename = /etc/mysql/encryption/keyfile.enc
file_key_management_filekey = FILE:/etc/mysql/encryption/keyfile.key
file_key_management_encryption_algorithm = AES_CTR

# Aria Encryption
aria_encrypt_tables=ON
encrypt_tmp_disk_tables=ON

Determining Whether a Table is Encrypted

The InnoDB storage engine has the information_schema.INNODB_TABLESPACES_ENCRYPTION table, which can be used to get information about which tables are encrypted. Aria does not currently have anything like that (see MDEV-17324).

To determine whether an Aria table is encrypted, you currently have to search the data file for some plain text that you know is in the data.

For example, let's say that we have the following table:

SELECT * FROM db1.aria_tab LIMIT 1;
+----+------+
| id | str  |
+----+------+
|  1 | str1 |
+----+------+
1 row in set (0.00 sec)

Then, we could search the data file that belongs to db1.aria_tab for str1 using a command-line tool, such as strings:

$ sudo strings /var/lib/mysql/db1/aria_tab.MAD | grep "str1"
str1

If you can find the plain text of the string, then you know that the table is not encrypted. If nothing is found, the table is most likely encrypted, with two caveats: flush the table first (FLUSH TABLES db1.aria_tab) so that rows still sitting in the Aria page cache do not produce a false negative, and remember that values of indexed columns also appear in the .MAI index file, which is encrypted alongside the data file.
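
The plaintext search above, generalised to every Aria data and index file in a database directory, as an added example that is not part of the MariaDB documentation. It assumes a standard datadir layout (one directory per database, .MAD and .MAI files per table) and a value you know is stored in the tables; the script name and its output format are this example's own.

```shell
#!/bin/sh
# aria_plaintext_scan.sh -- added example; not part of the MariaDB docs.
# Searches every Aria data (.MAD) and index (.MAI) file under a database
# directory for a known plaintext value. A hit means that file is NOT
# encrypted. No hit is only meaningful after the tables have been flushed
# (FLUSH TABLES), because pages still in the Aria page cache never reach disk.
set -eu

# Print each .MAD/.MAI file under $1 containing the literal string $2.
# Returns 0 if at least one file matched, 1 if none did.
# grep -a treats the binary file as text, -F keeps the needle literal and
# LC_ALL=C stops multibyte locales from choking on invalid byte sequences.
scan_aria_files() {
  dir=$1
  needle=$2
  found=1
  for f in "$dir"/*.MAD "$dir"/*.MAI; do
    [ -f "$f" ] || continue            # unexpanded glob: no such files
    if LC_ALL=C grep -a -q -F -- "$needle" "$f"; then
      printf '%s\n' "$f"
      found=0
    fi
  done
  return $found
}

# Usage: sudo aria_plaintext_scan.sh /var/lib/mysql/db1 str1
# Run FLUSH TABLES on the server before scanning.
if [ $# -eq 2 ]; then
  if scan_aria_files "$1" "$2"; then
    echo "plaintext found: the files listed above are NOT encrypted" >&2
    exit 1
  else
    echo "no plaintext hit under $1 (tables flushed? value really stored?)" >&2
  fi
fi
```

The script exits non-zero when plaintext is found, so it can gate a deployment check: a clean exit after a FLUSH TABLES is the closest thing Aria offers to an encryption status report.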

Encryption and the Aria Log

Only Aria tables are currently encrypted. The Aria log is not yet encrypted (see MDEV-8587). Because the log records changes to transactional Aria tables, plaintext row data can appear in the aria_log.* files in the data directory; protect them with filesystem permissions or filesystem-level encryption, and treat them as sensitive when copying or backing up the data directory.

This page is licensed: CC BY-SA / Gnu FDL


Aria Enabling Encryption

In order to enable data-at-rest encryption for tables using the Aria storage engine, you first need to configure the server to use an Encryption Key Management plugin. Once this is done, you can enable encryption by setting the relevant system variables.

Encrypting User-created Tables

With tables that the user creates, you can enable encryption by setting the aria_encrypt_tables system variable to ON, either in the configuration file (followed by a server restart) or dynamically with SET GLOBAL. Once this is set, Aria automatically encrypts every table you create afterwards that has the ROW_FORMAT table option set to PAGE (the default for Aria).

Currently, Aria does not support encryption on tables where the ROW_FORMAT table option is set to FIXED or DYNAMIC. Such tables stay in plain text even with aria_encrypt_tables=ON, so check the ROW_FORMAT of any table that must be protected.

Unlike InnoDB, Aria does not support the ENCRYPTED table option (see MDEV-18049). Encryption for Aria can only be enabled globally using the aria_encrypt_tables system variable.

Encrypting Existing Tables

In cases where you have existing Aria tables that you would like to encrypt, the process is a little more complicated. Unlike InnoDB, Aria does not use background encryption threads to perform encryption changes automatically (see MDEV-18971). Therefore, to encrypt existing tables, you need to identify each table that needs to be encrypted and then manually rebuild each one.

First, set the aria_encrypt_tables system variable so that new and rebuilt tables are encrypted:

SET GLOBAL aria_encrypt_tables=ON;

Identify Aria tables that have the ROW_FORMAT table option set to PAGE:

SELECT TABLE_SCHEMA, TABLE_NAME
FROM information_schema.TABLES
WHERE ENGINE='Aria'
  AND ROW_FORMAT='PAGE'
  AND TABLE_SCHEMA != 'information_schema';

For each table in the result set, issue an ALTER TABLE statement to rebuild the table:

ALTER TABLE test.aria_table ENGINE=Aria ROW_FORMAT=PAGE;

This statement causes Aria to rebuild the table with the same ROW_FORMAT table option. In the process, because aria_encrypt_tables is now ON, the new copy is encrypted as it is written to disk. The rebuild is a full copy of the table, so allow for the extra disk space and for the time the table is unavailable. The old plaintext file is deleted, not overwritten; if the previous on-disk contents matter to your threat model, rely on full-disk encryption or migrate to fresh storage.

Encrypting Internal On-disk Temporary Tables

During the execution of queries, MariaDB routinely creates internal temporary tables. These internal temporary tables initially use the MEMORY storage engine, which is entirely stored in memory. When the table size exceeds the allocation defined by the max_heap_table_size system variable, MariaDB writes the data to disk using another storage engine. If you have aria_used_for_temp_tables set to ON, MariaDB uses Aria when writing the internal temporary tables to disk.

Encryption for internal temporary tables is handled separately from encryption for user-created tables. To enable encryption for these tables, set the encrypt_tmp_disk_tables system variable to ON. Once set, all internal temporary tables that are written to disk using Aria are automatically encrypted. Without it, intermediate query results, which can contain the same sensitive data as your encrypted base tables, are written to tmpdir in plain text.

Manually Encrypting Tables

Currently, Aria does not support manually encrypting tables through the ENCRYPTED and ENCRYPTION_KEY_ID table options. For more information, see MDEV-18049.

In cases where you want to encrypt tables manually or set a specific encryption key, use InnoDB.


Aria Encryption Keys

As with other storage engines that support data-at-rest encryption, Aria relies on an Encryption Key Management plugin to handle its encryption keys. Where the support is available, Aria can use multiple keys.

Encryption Keys

MariaDB identifies each encryption key internally by a 32-bit integer, the key identifier. Unlike InnoDB, Aria does not support the ENCRYPTION_KEY_ID table option (for more information, see MDEV-18049), which lets the user choose the key for a table. Instead, Aria uses fixed key IDs that the Encryption Key Management plugin must provide:

  • User-created tables are encrypted on disk with the key with ID 1.

  • Internal temporary tables written to disk are encrypted with the key with ID 2; if no ID 2 key exists, Aria falls back to the ID 1 key.
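
Provisioning both key IDs for the File Key Management plugin, as an added example that is not part of the MariaDB documentation. It writes the keyfile.enc and keyfile.key pair referenced by the configuration earlier on this page; the keyfile format (one `<id>;<hex key>` per line) and the `openssl enc -aes-256-cbc -md sha1 -pass file:` form are the plugin's documented input, while the script name, the helper functions and the assumed `mysql` server user are this example's own.

```shell
#!/bin/sh
# provision_aria_keys.sh -- added example; not part of the MariaDB docs.
# Builds a File Key Management keyfile holding key ID 1 (Aria user tables)
# and key ID 2 (Aria on-disk temporary tables), then encrypts it into the
# keyfile.enc / keyfile.key pair used in this page's configuration example.
set -eu

# 256-bit key as 64 lowercase hex characters from the kernel CSPRNG.
random_hex_key() {
  head -c 32 /dev/urandom | od -A n -t x1 | tr -d ' \n'
}

# Plaintext keyfile in the plugin's format: "<id>;<hex key>", '#' comments.
make_keyfile_content() {
  printf '# key 1: Aria user-created tables\n'
  printf '1;%s\n' "$(random_hex_key)"
  printf '# key 2: Aria internal on-disk temporary tables\n'
  printf '2;%s\n' "$(random_hex_key)"
}

# Validate a keyfile: every non-blank, non-comment line must be
# <decimal id>;<hex key of 16, 24 or 32 bytes>. Returns 0 if valid, else 1.
validate_keyfile() {
  if grep -v '^#' "$1" | grep -v '^$' \
       | grep -Evq '^[0-9]+;([0-9a-fA-F]{32}|[0-9a-fA-F]{48}|[0-9a-fA-F]{64})$'; then
    return 1                       # at least one malformed line
  fi
  return 0
}

# True if the keyfile defines a key with the given ID.
has_key_id() {
  grep -q "^$2;" "$1"
}

# Usage (as root): provision_aria_keys.sh /etc/mysql/encryption
if [ $# -eq 1 ]; then
  dir=$1
  umask 077                        # new files readable by their owner only
  mkdir -p "$dir"
  make_keyfile_content > "$dir/keyfile"
  validate_keyfile "$dir/keyfile"
  for id in 1 2; do
    has_key_id "$dir/keyfile" "$id" || { echo "missing key $id" >&2; exit 1; }
  done
  # Passphrase file plus encrypted keyfile in the form the plugin decrypts:
  # AES-256-CBC with a SHA-1 derived key (hence -md sha1).
  openssl rand -hex 128 > "$dir/keyfile.key"
  openssl enc -aes-256-cbc -md sha1 -pass "file:$dir/keyfile.key" \
    -in "$dir/keyfile" -out "$dir/keyfile.enc"
  rm -f "$dir/keyfile"             # the plaintext keys must not stay on disk
  chown mysql:mysql "$dir/keyfile.key" "$dir/keyfile.enc"   # server user (assumed: mysql)
  echo "wrote $dir/keyfile.enc and $dir/keyfile.key; back up the .key file separately from the data" >&2
fi
```

With both IDs present, Aria keeps user data and temporary-table spill files under different keys; with only ID 1 present, the fallback described above silently puts both under the same key. Note that keyfile.key unlocks everything, so it belongs on a different backup path from the data directory.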

Key Rotation

Some key management and encryption plugins allow you to automatically rotate and version your encryption keys. If a plugin supports key rotation and rotates the encryption keys, then InnoDB's background encryption threads can re-encrypt InnoDB pages that use the old key version with the new key version. Aria has no similar mechanism, so Aria tables remain encrypted with the older key version until you rebuild them with ALTER TABLE (see MDEV-18971). Keep every older key version available for as long as any Aria table still uses it; dropping it makes those tables unreadable.

In order for key rotation to work, both the backend key management service (KMS) and the corresponding key management and encryption plugin have to support key rotation. See Encryption Key Management: Support for Key Rotation in Encryption Plugins to determine which plugins currently support key rotation.


Aria Disabling Encryption

The process involved in safely disabling data-at-rest encryption for your Aria tables is very similar to that of enabling encryption. To disable, you need to set the relevant system variables and then rebuild each table into an unencrypted state.

Don't remove the Encryption Key Management plugin from your configuration file until you have decrypted all tables in your database. MariaDB cannot read encrypted tables without the relevant encryption key, and the rebuild that decrypts them needs that key too.

Disabling Encryption on User-Created Tables

For user-created tables, you can disable encryption by setting the aria_encrypt_tables system variable to OFF:

SET GLOBAL aria_encrypt_tables = OFF;

Once this is set, MariaDB no longer encrypts new tables created with the Aria storage engine. Existing encrypted tables stay encrypted until they are rebuilt.

Unlike InnoDB, Aria does not currently use background encryption threads. Before removing the plugin from the configuration file, you need to manually rebuild each table to an unencrypted state.

To find the encrypted tables, query the Information Schema, filtering the TABLES table for those that use the Aria storage engine, the PAGE ROW_FORMAT and the encrypted flag in CREATE_OPTIONS:

SELECT TABLE_SCHEMA, TABLE_NAME
FROM information_schema.TABLES
WHERE ENGINE = 'Aria'
  AND ROW_FORMAT = 'PAGE'
  AND TABLE_SCHEMA != 'information_schema'
  AND CREATE_OPTIONS LIKE '%`encrypted`=yes%';

Each table in that result set was written to disk in an encrypted state.

To remove the encryption of those tables,

  • Set the aria_encrypt_tables variable to OFF;

  • Leave the configuration for the encryption keys in place (otherwise, you cannot decrypt tables!);

  • Run the following ALTER TABLE statement for each encrypted table.

ALTER TABLE test.aria_table ENGINE = Aria ROW_FORMAT = PAGE;

Once all of the Aria tables are rebuilt, they're unencrypted. Re-run the query above to confirm; it should return no rows.

Optionally, you can remove the configuration for the encryption keys now.
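
The rebuild loop that both the encrypting procedure (Encrypting Existing Tables) and the decrypting procedure above describe, as one added example that is not part of the MariaDB documentation. It assumes a `mariadb` client (`mysql` on older installs) that authenticates without prompting, for example via ~/.my.cnf, and it reuses the page's own information_schema query; the script name and its helper functions are this example's own.

```shell
#!/bin/sh
# aria_rebuild.sh -- added example; not part of the MariaDB documentation.
# Automates "set aria_encrypt_tables, list Aria PAGE tables, ALTER each":
#   encrypt -> SET GLOBAL aria_encrypt_tables=ON,  rebuild tables not yet encrypted
#   decrypt -> SET GLOBAL aria_encrypt_tables=OFF, rebuild tables still encrypted
# The key management plugin must stay configured in both directions, since
# decrypting a table needs its key as much as reading it does.
set -eu

# Backtick-quote an identifier, doubling embedded backticks, so a table name
# read from information_schema cannot smuggle extra DDL into the ALTER.
quote_ident() {
  printf '`%s`' "$(printf '%s' "$1" | sed 's/`/``/g')"
}

# Read "schema<TAB>table" rows (mariadb --batch --skip-column-names output)
# from stdin and emit one ALTER TABLE ... ENGINE=Aria ROW_FORMAT=PAGE per row.
gen_alter_statements() {
  tab=$(printf '\t')
  while IFS="$tab" read -r schema table; do
    [ -n "$schema" ] && [ -n "$table" ] || continue
    printf 'ALTER TABLE %s.%s ENGINE=Aria ROW_FORMAT=PAGE;\n' \
      "$(quote_ident "$schema")" "$(quote_ident "$table")"
  done
}

# The page's information_schema query, with the CREATE_OPTIONS test flipped
# by mode so that only tables still needing a rebuild are selected.
list_query() {
  case "$1" in
    encrypt) cond="NOT LIKE" ;;
    decrypt) cond="LIKE" ;;
    *) echo "usage: $0 encrypt|decrypt" >&2; return 2 ;;
  esac
  cat <<SQL
SELECT TABLE_SCHEMA, TABLE_NAME
FROM information_schema.TABLES
WHERE ENGINE = 'Aria'
  AND ROW_FORMAT = 'PAGE'
  AND TABLE_SCHEMA != 'information_schema'
  AND CREATE_OPTIONS $cond '%\`encrypted\`=yes%';
SQL
}

main() {
  case "$1" in
    encrypt) setting=ON ;;
    decrypt) setting=OFF ;;
    *) echo "usage: $0 encrypt|decrypt" >&2; return 2 ;;
  esac
  mariadb -e "SET GLOBAL aria_encrypt_tables = $setting"
  list_query "$1" \
    | mariadb --batch --skip-column-names \
    | gen_alter_statements \
    | mariadb --verbose
}

# Only act when given a mode; running the file bare just defines the functions.
[ $# -eq 0 ] || main "$1"
```

Run it as `aria_rebuild.sh decrypt` before removing the key configuration, or `aria_rebuild.sh encrypt` after enabling it; each ALTER is a full table copy, so run it in a maintenance window and re-run the page's SELECT afterwards to confirm the result set is empty.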

Disabling Encryption for Internal On-Disk Temporary Tables

MariaDB routinely creates internal temporary tables. When these temporary tables are written to disk and the aria_used_for_temp_tables system variable is set to ON, MariaDB uses the Aria storage engine.

To stop encrypting these tables, set encrypt_tmp_disk_tables to OFF. Once set, all internal temporary tables created from that point on are written to disk unencrypted. Temporary tables are short-lived, so there is nothing to rebuild.
