1 of 40

Encryption

Enhance MariaDB Server security with encryption. This section covers data-at-rest and in-transit encryption, helping you protect sensitive information and meet compliance requirements.

TLS and Cryptography Libraries Used by MariaDB

When MariaDB Server is compiled with TLS and cryptography support, it is usually either statically linked with MariaDB's bundled TLS and cryptography library or dynamically linked with the system's library. MariaDB's bundled TLS library is either or , depending on the server version.

When a MariaDB client or client library is compiled with TLS and cryptography support, it is usually either statically linked with MariaDB's bundled TLS and cryptography library or dynamically linked with the system's TLS and cryptography library, which might be , , or .

Checking Dynamically vs. Statically Linked

Dynamically linking MariaDB to the system's TLS and cryptography library can often be beneficial, since this allows you to fix bugs in the system's TLS and cryptography library independently of MariaDB. For example, when information on the

Data-in-Transit Encryption

Secure MariaDB Server data in transit with encryption. This section covers configuring SSL/TLS to protect communication between clients and the database, ensuring confidentiality and integrity.

Certificate Creation with OpenSSL

Warning: the instructions below generate version 1 certificates only. These work fine with servers and clients using OpenSSL, but fail if WolfSSL is used instead, as is the case for our Windows MSI packages and our binary tarballs for Linux. WolfSSL requires version 3 certificates instead when using TLS v1.2 or higher, and so won't work with certificates generated as shown here when using two-way TLS with explicit client certificates. Generating version 3 certificates requires a few more minor steps, we will upgrade the instructions below soon to include these. See also: MDEV-25701

In order to secure communications with the MariaDB Server using TLS, you need to create a private key and an X509 certificate for the server. You may also want to create additional private keys and X509 certificates for any clients that need to connect to the server with TLS. This guide covers how to create a private key and a self-signed X509 certificate with OpenSSL.

Certificate Creation

The OpenSSL library provides a command-line tool called , which can be used for performing various tasks with the library, such as generating private keys, creating X509 certificate requests, signing X509 certificates as a Certificate Authority (CA), and verifying X509 certificates.

Creating a Certificate Authority Private Key and Certificate

The Certificate Authority (CA) is typically an organization (such as ) that signs the X509 certificate and validates ownership of the domain. However, when you would like to use self-signed certificates, you need to create the private key and certificate for the CA yourself, and then you can use them to sign your own X509 certificates.

To start, generate a private key for the CA using the command. For example:

After that, you can use the private key to generate the X509 certificate for the CA using the command. For example:

The above commands create two files in the working directory: The ca-key.pem private key and the ca.pem X509 certificate are both are used by the CA to create self-signed X509 certificates below.

Creating a Private Key and a Self-signed Certificate

Once you have the CA's private key and X509 certificate, you can create the self-signed X509 certificates to use for the MariaDB Server, client, replication and other purposes.

To start, generate a private key and create a certificate request using the command. For example:

After that, process the key to remove the passphrase using the command. For example:

Lastly, using the certificate request and the CA's private key and X509 certificate, you can generate a self-signed X509 certificate from the certificate request using the command. For example:

This creates a server-cert.pem file, which is the self-signed X509 certificate.

Certificate Verification

Once you have created the CA's X509 certificate and a self-signed X509 certificate, you can verify that the X509 certificate was correctly generated using the command. For example:

You can add as many X509 certificates to check against the CA's X509 certificate as you want to verify. A value of OK indicates that you can use it was correctly generated and is ready for use with MariaDB.

_{This page is licensed: CC BY-SA / Gnu FDL}

Enabling TLS on MariaDB Server

Overview

MariaDB Server and MariaDB Community Server support data-in-transit encryption, which secures data transmitted over the network. The server and the clients encrypt data using the Transport Layer Security (TLS) protocol, which is a newer version of the Secure Socket Layer (SSL) protocol.

TLS must be manually enabled on the server.

Enabling TLS

Acquire an X509 certificate and a private key for the server. If it is a test or development server, then self-signed certificates and keys might be sufficient.
Determine which and you need to configure.

Mandatory system variables and options for TLS include:

System Variable/Option

Description

Useful system variables and options for TLS include:

System Variable/Option

Description

Choose a configuration file in which to configure your system variables and options. It is not recommended to make custom changes to one of the bundled configuration files. Instead, it is recommended to create a custom configuration file in one of the included directories. Configuration files in included directories are read in alphabetical order. If you want your custom configuration file to override the bundled configuration files, then it is a good idea to prefix the custom configuration file's name with a string that will be sorted last, such as z-.

On RHEL, CentOS, Rocky Linux, and SLES, a good custom configuration file would be: /etc/my.cnf.d/z-custom-my.cnf
On Debian and Ubuntu, a good custom configuration file would be: /etc/mysql/mariadb.conf.d/z-custom-my.cnf

Set your system variables and options in the configuration file. They need to be set in a group that will be read by , such as [mariadb] or [server]. For example:

Restart the server.

Connect to the server using :

Confirm that TLS is enabled by confirming that the have_ssl system variable is YES with the SHOW GLOBAL VARIABLES statement:

Requiring TLS on MariaDB Server

Overview

and MariaDB Community Server support data-in-transit encryption, which secures data transmitted over the network. The server and the clients encrypt data using the Transport Layer Security (TLS) protocol, which is a newer version of the Secure Socket Layer (SSL) protocol.

TLS must be manually enabled on the server.

Using TLSv1.3

OpenSSL 1.1.1 introduced support for TLSv1.3. TLSv1.3 is a major rewrite of the TLS protocol. Some even argued it should've been called TLSv2.0. One of the changes is that it introduces a new set of cipher suites that only work with TLSv1.3. Additionally, TLSv1.3 does not support cipher suites from previous TLS protocol versions.

This incompatible change had a non-obvious consequence. If a user had been explicitly specifying cipher suites to disable old and obsolete TLS protocol version, then that user may have also inadvertently prevented TLSv1.3 from working, unless the user remembered to add the TLSv1.3 cipher suites to their cipher list. After upgrading to OpenSSL 1.1.1, this user might believe they are using TLSv1.3, when their existing cipher suite configuration might be preventing it.

To avoid this problem, OpenSSL developers decided that TLSv1.3 cipher suites should not be affected by the normal cipher-selecting API. This means that ssl_cipher system variable has no effect on the TLSv1.3 cipher suites.

See this OpenSSL blog post and GitHub issue for more information.

Data-at-Rest Encryption

Secure MariaDB Server data at rest with encryption. This section details how to protect your sensitive information stored on disk, ensuring data confidentiality and compliance.

Why Encrypt MariaDB Data?

Nearly everyone owns data of immense value: customer data, construction plans, recipes, product designs and other information. These data are stored in clear text on your storage media. Everyone with file system access is able to read and modify the data. If this data falls into the wrong hands (criminals or competitors) this may result in serious consequences.

With encryption you protect Data At Rest (see the Wikipedia article). That way, the database files are protected against unauthorized access.

When Does Encryption Help to Protect Your Data?

Encryption helps in case of threats against the database files:

An attacker gains access to the system and copies the database files to avoid the MariaDB authorization check.
MariaDB is operated by a service provider who should not gain access to the sensitive data.

When is Encryption No Help?

Encryption provides no additional protection against threats caused by authorized database users. Specifically, SQL injections aren’t prevented.

What to Encrypt?

All data that is not supposed to fall into possible attackers hands should be encrypted. Especially information, subject to strict data protection regulations, is to be protected by encryption (e.g. in the healthcare sector: patient records). Additionally, data being of interest for criminals should be protected. Data which should be encrypted are:

Personal related information
Customer details
Financial and credit card data
Public authorities' data

How to Handle Key Management?

There are currently three options for key management:

See for details.

_{This page is licensed: CC BY-SA / Gnu FDL}

Aria Encryption

Learn about Aria encryption in MariaDB Server for data at rest. This section details how to encrypt Aria tablespaces, providing enhanced security for your stored data.

Aria Encryption Overview

MariaDB can encrypt data in tables that use the Aria storage engine. This includes both user-created tables and internal on-disk temporary tables that use the Aria storage engine. This ensures that your Aria data is only accessible through MariaDB.

For encryption with the InnoDB and XtraDB storage engines, see Encrypting Data for InnoDB/XtraDB.

Basic Configuration

In order to enable encryption for tables using the Aria storage engine, there are a couple server system variables that you need to set and configure. Most users will want to set aria_encrypt_tables and encrypt_tmp_disk_tables.

Users of data-at-rest encryption will also need to have a key management and encryption plugin configured. Some examples are File Key Management Plugin and AWS Key Management Plugin.

Determining Whether a Table is Encrypted

The has the that can be used to get information about which tables are encrypted. Aria does not currently have anything like that (see about that).

To determine whether an Aria table is encrypted, you currently have to search the data file for some plain text that you know is in the data.

For example, let's say that we have the following table:

Then, we could search the data file that belongs to db1.aria_tab for str1 using a command-line tool, such as :

If you can find the plain text of the string, then you know that the table is not encrypted.

Encryption and the Aria Log

Only Aria tables are currently encrypted. The is not yet encrypted. See about that.

_{This page is licensed: CC BY-SA / Gnu FDL}

Aria Disabling Encryption

The process involved in safely disabling data-at-rest encryption for your Aria tables is very similar to that of enabling encryption. To disable, you need to set the relevant system variables and then rebuild each table into an unencrypted state.

Don't remove the Encryption Key Management plugin from your configuration file until you have unencrypted all tables in your database. MariaDB cannot read encrypted tables without the relevant encryption key.

Disabling Encryption on User-created Tables

With tables that the user creates, you can disable encryption by setting the aria_encrypt_tables system variable to OFF. Once this is set, MariaDB no longer encrypts new tables created with the Aria storage engine.

SET GLOBAL aria_encrypt_tables = OFF;

Unlike , Aria does not currently use background encryption threads. Before removing the plugin from the configuration file, you first need to manually rebuild each table to an unencrypted state.

To find the encrypted tables, query the Information Schema, filtering the table for those that use the Aria storage engine and the PAGE .

Each table in the result-set was potentially written to disk in an encrypted state. Before removing the configuration for the encryption keys, you need to rebuild each of these to an unencrypted state. This can be done with an statement.

Once all of the Aria tables are rebuilt, they're safely unencrypted.

Disabling Encryption for Internal On-disk Temporary Tables

MariaDB routinely creates internal temporary tables. When these temporary tables are written to disk and the system variable is set to ON, MariaDB uses the Aria storage engine.

To decrypt these tables, set the to OFF. Once set, all internal temporary tables that are created from that point on are written unencrypted to disk.

_{This page is licensed: CC BY-SA / Gnu FDL}

Aria Enabling Encryption

In order to enable data-at-rest encryption for tables using the storage engine, you first need to configure the server to use an plugin. Once this is done, you can enable encryption by setting the relevant system variables.

Encrypting User-created Tables

With tables that the user creates, you can enable encryption by setting the system variable to ON, then restart the Server. Once this is set, Aria automatically enables encryption on all tables you create after with the table option set to PAGE.

Currently, Aria does not support encryption on tables where the

Aria Encryption Keys

As with other storage engines that support data-at-rest encryption, Aria relies on an Encryption Key Management plugin to handle its encryption keys. Where the support is available, Aria can use multiple keys.

Encryption Keys

MariaDB keeps track of each encryption key internally using a 32-bit integer, which serves as the key identifier. Unlike InnoDB, Aria does not support the ENCRYPTION_KEY_ID table option (for more information, see MDEV-18049), which allows the user to specify the encryption key to use. Instead, Aria defaults to specific encryption keys provided by the Encryption Key Management plugin.

When working with user-created tables, Aria encrypts them to disk using the ID 1 key.
When working with internal temporary tables written to disk, Aria encrypts them to disk using the ID 2 key, unless there is no ID 2 key, then it falls back on the ID 1 key.

Key Rotation

Some allow you to automatically rotate and version your encryption keys. If a plugin support key rotation, and if it rotates the encryption keys, then InnoDB's can re-encrypt InnoDB pages that use the old key version with the new key version. However, Aria does not have a similar mechanism, which means that the tables remain encrypted with the older key version. For more information, see .

In order for key rotation to work, both the backend key management service (KMS) and the corresponding have to support key rotation. See to determine which plugins currently support key rotation.

_{This page is licensed: CC BY-SA / Gnu FDL}

InnoDB Encryption

Learn about InnoDB encryption for data at rest. This section details how to encrypt InnoDB tablespaces, ensuring strong data security and compliance for your mission-critical applications.

Key Management and Encryption Plugins

Explore key management and encryption plugins for MariaDB Server. This section details how to manage encryption keys and leverage plugins for robust data-at-rest protection.

Disabling Data-at-Rest Encryption for Standalone Servers

In certain situations, you may need to turn off data-at-rest encryption in a standalone or single-node MariaDB Enterprise Server deployment. For instance, you might have originally enabled encryption using a key management plugin, but later determine that encryption is no longer necessary.

This page explains how to safely disable data-at-rest encryption on a single server. The steps assume that your server already contains encrypted tables or logs, and that your goal is to revert the system to an unencrypted state without losing any data.

This procedure is only intended for standalone MariaDB Enterprise Server environments.

Decrypt Aria Tables

This page describes how to decrypt datdata at resta-at-rest for tables that use the Aria storage engine.

If you have Aria tables encrypted, you must first decrypt them:

Repeat this for each Aria table that is encrypted.

For more information, refer to .

Ensure the server can currently read encrypted data Keep your key management/encryption plugin configured and loaded so MariaDB can read existing encrypted Aria tables. Don’t remove the plugin yet.

Decrypt InnoDB Tables

When data-at-rest encryption is enabled, InnoDB tables and tablespaces are transparently encrypted and decrypted by the storage engine. In some cases, administrators may need to decrypt an InnoDB table—for example, when migrating data to an environment where encryption is not required, or when disabling encryption to simplify configuration.

For more information, refer to, .

Decrypt Binary Logs

This page covers how to confirm that binlogs are encrypted, recommended approaches for getting decrypted output.

When binary log encryption is enabled, the server writes binlog files to disk in encrypted form. This ensures that anyone with direct access to the filesystem cannot read the contents.

The encryption keys are managed through a keyring or key-management plugin. Whenever the server itself needs to access a binlog—such as during replication, recovery, or when tools like mysqlbinlog connect to it—the server transparently decrypts the events using the appropriate active keys.

Since the keys are stored in a server-accessible keyring, the most reliable and secure method to access decrypted binlog data is to request it directly from the running server. In other words, instead of trying to decrypt raw encrypted files offline, you should allow the server to stream already-decrypted events to you.

For more information, refer to .

Uninstall Key Management Plugins

Once all data and logs have been decrypted, you can safely remove key management plugins, if desired. For example, if using the file key management plugin:

Comment out or remove the following lines 
plugin_load_add = file_key_management 
file_key_management_filename = /etc/mysql/encryption/keyfile

Restart the server after editing the configuration.

Ensure that all tables no longer report encryption in CREATE_OPTIONS.
Confirm that redo logs and binary logs are unencrypted by checking server variables and log headers.
Confirm that no key management plugin is loaded:

Replication with Secure Connections

The terms master and slave have historically been used in replication, and MariaDB has begun the process of adding primary and replica synonyms. The old terms will continue to be used to maintain backward compatibility - see MDEV-18777 to follow progress on this effort.

By default, MariaDB replicates data between primaries and replicas without encrypting it. This is generally acceptable when the primary and replica run are in networks where security is guaranteed through other means. However, in cases where the primary and replica exist on separate networks or they are in a high-risk network, the lack of encryption does introduce security concerns as a malicious actor could potentially eavesdrop on the traffic as it is sent over the network between them.

To mitigate this concern, MariaDB allows you to encrypt replicated data in transit between primaries and replicas using the Transport Layer Security (TLS) protocol. TLS was formerly known as Secure Socket Layer (SSL), but strictly speaking the SSL protocol is a predecessor to TLS and, that version of the protocol is now considered insecure. The documentation still uses the term SSL often and for compatibility reasons TLS-related server system and status variables still use the prefix ssl_, but internally, MariaDB only supports its secure successors.

In order to secure connections between the primary and replica, you need to ensure that both servers were compiled with TLS support. See to determine how to check whether a server was compiled with TLS support.

You also need an X509 certificate, a private key, and the Certificate Authority (CA) chain to verify the X509 certificate for the primary. If you want to use two-way TLS, then you will also an X509 certificate, a private key, and the Certificate Authority (CA) chain to verify the X509 certificate for the replica. If you want to use self-signed certificates that are created with OpenSSL, then see for information on how to create those.

Securing Replication Traffic

In order to secure replication traffic, you will need to ensure that TLS is enabled on the primary. If you want to use two-way TLS, then you will also need to ensure that TLS is enabled on the replica. See for information on how to do that.

For example, to set the TLS system variables for each server, add them to a relevant server in an on each server:

And then restart the server to make the changes persistent.

At this point, you can reconfigure the replicas to use TLS to encrypt replicated data in transit. There are two methods available to do this:

Executing the statement to set the relevant TLS options.
Setting TLS client options in an .

Executing CHANGE MASTER

TLS can be enabled on a replication replica by executing the statement. In order to do so, there are a number of options that you would need to set. The specific options that you would need to set would depend on whether you want one-way TLS or two-way TLS, and whether you want to verify the server certificate.

Enabling Two-Way TLS with CHANGE MASTER

Two-way TLS means that both the client and server provide a private key and an X509 certificate. It is called "two-way" TLS because both the client and server can be authenticated. In this case, the "client" is the replica. To configure two-way TLS, you would need to set the following options:

You need to set the path to the server's certificate by setting the option.
You need to set the path to the server's private key by setting the option.
You need to set the path to the certificate authority (CA) chain that can verify the server's certificate by setting either the or the options.
If you want , then you also need to set the option (enabled by default from

If the are currently running, you first need to stop them by executing the statement. For example:

Then, execute the statement to configure the replica to use TLS. For example:

At this point, you can start replication by executing the statement. For example:

The replica now uses TLS to encrypt data in transit as it replicates it from the primary.

Enabling One-Way TLS with CHANGE MASTER

Enabling One-Way TLS with CHANGE MASTER with Server Certificate Verification

One-way TLS means that only the server provides a private key and an X509 certificate. When TLS is used without a client certificate, it is called "one-way" TLS, because only the server can be authenticated, so authentication is only possible in one direction. However, encryption is still possible in both directions. means that the client verifies that the certificate belongs to the server. In this case, the "client" is the replica. This mode is enabled by default starting from . To configure one-way TLS in earlier versions, you would need to set the following options:

You need to set the path to the certificate authority (CA) chain that can verify the server's certificate by setting either the or the options.
You need to set the option.
If you want to restrict the server to certain ciphers, then you also need to set the option.

If the are currently running, you first need to stop them by executing the statement. For example:

Then, execute the statement to configure the replica to use TLS. For example:

At this point, you can start replication by executing the statement. For example:

The replica now uses TLS to encrypt data in transit as it replicates it from the primary.

Enabling One-Way TLS with CHANGE MASTER without Server Certificate Verification

One-way TLS means that only the server provides a private key and an X509 certificate. When TLS is used without a client certificate, it is called "one-way" TLS, because only the server can be authenticated, so authentication is only possible in one direction. However, encryption is still possible in both directions. In this case, the "client" is the replica. To configure two-way TLS without server certificate verification, you would need to set the following options:

You need to configure the replica to use TLS by setting the option.
If you want to restrict the server to certain ciphers, then you also need to set the option.
Starting from you need to disable the option.

If the are currently running, you first need to stop them by executing the statement. For example:

Then, execute the statement to configure the replica to use TLS. For example:

At this point, you can start replication by executing the statement. For example:

The replica now uses TLS to encrypt data in transit as it replicates it from the primary.

Setting TLS Client Options in an Option File

In cases where you don't mind restarting the server or you are setting the server up from scratch for the first time, you may find it more convenient to configure TLS options for replication through an . This is done the same way as it is for other clients. The specific options that you would need to set would depend on whether you want one-way TLS or two-way TLS, and whether you want to verify the server certificate. See for more information. For example, to enable two-way TLS with , then you could specify the following options in a relevant client in an :

Before you restart the server, you may also want to set the option in a server in an . This option prevents the from restarting automatically when the server starts. Instead, they will have to be restarted manually. After these changes have been made, you can restart the server. Once the server is back online, set the option by executing the statement. This will enable TLS. For example:

The certificate and keys will be read from the option file. At this point, you can start replication by executing the statement.

_{This page is licensed: CC BY-SA / Gnu FDL}

Disabling InnoDB Encryption

The process involved in safely disabling encryption for your InnoDB tables is a little more complicated than that of enabling encryption. Turning off the relevant system variables doesn't decrypt the tables. If you turn it off and remove the encryption key management plugin, it'll render the encrypted data inaccessible.

In order to safely disable encryption, you first need to decrypt the tablespaces and the Redo Log, then turn off the system variables. The specifics of this process depends on whether you are using automatic or manual encryption of the InnoDB tablespaces.

Disabling Encryption for Automatically Encrypted Tablespaces

When an InnoDB tablespace has the ENCRYPTED table option set to DEFAULT and the innodb_encrypt_tables system variable is set to ON or FORCE, the tablespace's encryption is automatically managed by the background encryption threads. When you want to disable encryption for these tablespaces, you must ensure that the background encryption threads decrypt the tablespaces before removing the encryption keys. Otherwise, the tablespace remains encrypted and becomes inaccessible once you've removed the keys.

To safely decrypt the tablespaces, first, set the system variable to OFF:

Next, set the system variable to a non-zero value:

Then, set the system variable to 1:

Once set, any InnoDB tablespaces that have the table option set to DEFAULT will be in the background by the InnoDB .

Decryption Status

You can of the decryption process using the table in the database.

This query shows the number of InnoDB tablespaces that currently using background encryption threads. Once the count reaches 0, then all of your InnoDB tablespaces are unencrypted. Be sure to also remove encryption on the and the storage engine before removing the encryption key management settings from your configuration file.

Disabling Encryption for Manually Encrypted Tablespaces

In the case of manually encrypted InnoDB tablespaces, (that is, those where the table option is set to YES), you must issue an statement to decrypt each tablespace before removing the encryption keys. Otherwise, the tablespace remains encrypted and becomes inaccessible without the keys.

First, query the Information Schema table to find the encrypted tables. This can be done with a WHERE clause filtering the CREATE_OPTIONS column.

For each table in the result-set, issue an statement, setting the table option to NO.

Once you have removed encryption from all the tables, your InnoDB deployment is unencrypted. Be sure to also remove encryption from the as well as and any other storage engines that support encryption before removing the encryption key management settings from your configuration file.

InnoDB does not permit manual encryption changes to tables in the tablespace using . Encryption of the tablespace can only be configured by setting the value of the system variable. This means that when you want to encrypt or decrypt the tablespace, you must also set a non-zero value for the system variable, and you must also set the system variable to 1 to ensure that the system tablespace is properly encrypted or decrypted by the background threads. See for more information.

Disabling Encryption for Temporary Tablespaces

The system variable controls the configuration of encryption for the . To disable it, remove the system variable from your server's , and then restart the server.

Disabling Encryption for the Redo Log

InnoDB uses the in crash recovery. By default, these events are written to file in an unencrypted state. In removing data-at-rest encryption for InnoDB, be sure to also disable encryption for the Redo Log before removing encryption key settings. Otherwise the Redo Log can become inaccessible without the encryption keys.

First, set the system variable to OFF in a server in an . Once this is done, restart the MariaDB Server. When the Server comes back online, it begins writing unencrypted data to the Redo Log.

After the server has been successfully restarted with encryption disabled, you may remove the that had been used. If you try to disable encryption for the Redo Log and remove the plugin in a single step, InnoDB will be unable to decrypt the log in order to remove the encryption.

SSL/TLS System Variables

The system variables listed on this page relate to encrypting data during transfer between servers and clients using the Transport Layer Security (TLS) protocol. Often, the term Secure Sockets Layer (SSL) is used interchangeably with TLS, although strictly speaking the SSL protocol is the predecessor of TLS and is no longer considered secure.

For compatibility reasons, the TLS system variables in MariaDB still use the ssl_ prefix, but MariaDB only supports its more secure successors. For more information on SSL/TLS in MariaDB, see Secure Connections Overview.

Variables

`have_openssl`

Description: This variable shows whether the server is linked with rather than MariaDB's bundled TLS library, which might be or .
- I this system variable shows YES, the server is linked with OpenSSL.
- See for more information about which libraries are used on which platforms.

`have_ssl`

Description: This variable shows whether the server supports using to secure connections.
- If the value is YES, then the server supports TLS, and TLS is enabled.
- If the value is DISABLED, then the server supports TLS, but TLS is not enabled.

`ssl_ca`

Description: Defines a path to a PEM file that should contain one or more X509 certificates for trusted Certificate Authorities (CAs) to use for . This system variable requires that you use the absolute path, not a relative path. This system variable implies the option.
- See for more information.
Command line: --ssl-ca=file_name

`ssl_capath`

Description: Defines a path to a directory that contains one or more PEM files that should each contain one X509 certificate for a trusted Certificate Authority (CA) to use for . This system variable requires that you use the absolute path, not a relative path. The directory specified by this variable needs to be run through the command. This system variable implies the option.
- See for more information.
Command line: --ssl-capath=directory_name

`ssl_cert`

Description: Defines a path to the X509 certificate file to use for . This system variable requires that you use the absolute path, not a relative path. This system variable implies the option.
Command line: --ssl-cert=name
Scope: Global
Dynamic: No

`ssl_cipher`

Description: List of permitted ciphers or cipher suites to use for . Besides cipher names, if MariaDB was compiled with OpenSSL, this variable could be set to "SSLv3" or "TLSv1.2" to allow all SSLv3 or all TLSv1.2 ciphers. Note that the TLSv1.3 ciphers cannot be excluded when using OpenSSL, even by using this system variable. See for details. This system variable implies the option.
Command line: --ssl-cipher=name
Scope: Global

`ssl_crl`

Description: Defines a path to a PEM file that should contain one or more revoked X509 certificates to use for . This system variable requires that you use the absolute path, not a relative path.
- See for more information.
- This variable is only valid if the server was built with OpenSSL. If the server was built with or , then this variable is not supported. See for more information about which libraries are used on which platforms.

`ssl_crlpath`

Description: Defines a path to a directory that contains one or more PEM files that should each contain one revoked X509 certificate to use for . This system variable requires that you use the absolute path, not a relative path. The directory specified by this variable needs to be run through the command.
- See for more information.
- This variable is only supported if the server was built with OpenSSL. If the server was built with or , then this variable is not supported. See for more information about which libraries are used on which platforms.

`ssl_key`

Description: Defines a path to a private key file to use for . This system variable requires that you use the absolute path, not a relative path. This system variable implies the option.
Command line: --ssl-key=name
Scope: Global
Dynamic: No

`ssl_passphrase`

Description: SSL certificate key passphrase. Works similarly to the --passout/--passin openssl command-line parameters. The pass phrase value can be formatted as follows:
- pass:password — Provide the actual password.
- env:

`tls_version`

Description: This system variable accepts a comma-separated list (with no whitespaces) of TLS protocol versions. A TLS protocol version will only be enabled if it is present in this list. All other TLS protocol versions will not be permitted.
- See for more information.
Command line: --tls-version=value

`version_ssl_library`

Description: The version of the library that is being used. Note that the version returned by this system variable does not always necessarily correspond to the exact version of the OpenSSL package installed on the system. OpenSSL shared libraries tend to contain interfaces for multiple versions at once to allow for backward compatibility. Therefore, if the OpenSSL package installed on the system is newer than the OpenSSL version that the MariaDB server binary was built with, then the MariaDB server binary might use one of the interfaces for an older version.
- See for more information.
Scope: Global

Amazon Web Services (AWS) Key Management Service (KMS) Encryption Plugin Setup Guide

Overview

MariaDB contains a robust, full instance, at-rest encryption. This feature uses a flexible plugin interface to allow actual encryption to be done using a key management approach that meets the customer's needs. MariaDB Server includes a plugin that uses the Amazon Web Services (AWS) Key Management Service (KMS) to facilitate separation of responsibilities and remote logging & auditing of key access requests.

Rather than storing the encryption key in a local file, this plugin keeps the master key in AWS KMS. When you first start MariaDB, the AWS KMS plugin will connect to the AWS Key Management Service and ask it to generate a new key. MariaDB will store that key on-disk in an encrypted form. The key stored on-disk cannot be used to decrypt the data; rather, on each startup, MariaDB connects to AWS KMS and has the service decrypt the locally-stored key(s). The decrypted key is stored in-memory as long as the MariaDB server process is running, and that in-memory decrypted key is used to encrypt the local data.

This guide is based on CentOS 7, using systemd with SELinux enabled. Some steps will differ if you use other operating systems or configurations.

Installing the Plugin's Package

The AWS Key Management plugin depends on the , which uses the . This license is not compatible with MariaDB Server's , so we are not able to distribute packages that contain the AWS Key Management plugin. Therefore, the only way to currently obtain the plugin is to install it from source.

Installing from Source

When , the AWS Key Management plugin is built by default on systems that support it.

Compilation is controlled by the -DPLUGIN_AWS_KEY_MANAGEMENT=DYNAMIC -DAWS_SDK_EXTERNAL_PROJECT=1 arguments.

The plugin uses , which introduces the following restrictions:

The plugin can only be built on Windows, Linux, and macOS.
The plugin requires that one of the following compilers is used: gcc 4.8 or later, clang 3.3 or later, or Visual Studio 2013 or later.
On Unix, the libcurl development package (e.g., libcurl3-dev on Debian Jessie), the uuid

Installing the Plugin

Even after the package that contains the plugin's shared library is installed on the operating system, the plugin is not actually installed by MariaDB by default. There are two methods that can be used to install the plugin with MariaDB.

The first method can be used to install the plugin without restarting the server. You can install the plugin dynamically by executing or . For example:

The second method can be used to tell the server to load the plugin when it starts up. The plugin can be installed this way by providing the or the options. This can be specified as a command-line argument to , or it can be specified in a relevant server in an . For example:

If you already have an AWS account, you can skip this section.

Load.
Click "Create a Free Account" and complete the steps.
You'll need to enter credit card information. Charges related only to your use of the AWS KMS service should be limited to about $1/month for the single master key we will create. If you use other services, additional charges may apply. Consult AWS Cloud Pricing Principles for more information about the pricing of AWS services.
You'll need to complete the AWS identity verification process.

Create an IAM User and/or Role

After creating an account or logging in to an existing account, follow these steps to create an IAM User or Role with restricted privileges that will use (but not administer) your master encryption key.

If you intend to run MariaDB Server on an EC2 instance, you should create a Role (or modify an existing Role already attached to your instance). If you intend to run MariaDB Server outside of AWS, you may want to create a User.

Creating an IAM Role

Load the Identity and Access Management Console at.
Click "Roles" in the left-hand sidebar
Click "Create new role"
Select "AWS Service Role"

Creating an IAM User

Load the Identity and Access Management Console at.
Click "Users" in the left-hand sidebar.
Click the "Create New Users" button
Enter a single User Name of your choosing. We'll use "MDBEnc" for this demonstration. Keep the "Generate an access key for each user" box checked.

Click "Close". If prompted because you did not Download Credentials, ensure that you've saved them somewhere, and click "Close".

Create a Master Encryption Key

Now, we'll create a master encryption key. This key can never be retrieved by any application or user. This key is used remotely to encrypt (and decrypt) the actual encryption keys that will be used by MariaDB. If this key is deleted or you lose access to it, you will be unable to use the contents of your MariaDB data directory.

Click "Encryption Keys" in the left-hand sidebar.
Click the "Get Started Now" button.
Use the "Filter" dropdown to choose the region where you'd like to create your master key.
Click the "Create Key" button.

You should now see your key listed in the console:

You'll use the "Alias" you provided when you configure MariaDB later.

We now have a Customer Master Key and an IAM user that has privileges to access it using access credentials. This is enough to begin using the AWS KMS plugin.

Configure AWS Credentials

There are a number of ways to give the IAM credentials to the AWS KMS plugin. The plugin supports reading credentials from all standard locations used across the various AWS API clients.

The easiest approach is to run MariaDB Server in an EC2 instance that has an IAM Role with User access to the CMK you wish to use. You can give key access privileges to a Role already attached to your EC2 instance, or you can create a new IAM Role and attach it to an already-running EC2 instance. If you've done that, no further credentials management is required, and you do not need to create a credentials file.

If you're not running MariaDB Server on an EC2 instance, you can also place the credentials in the MariaDB data directory. The AWS API client looks for a credentials file in the .aws subdirectory of the home directory of the user running the client process. In the case of MariaDB, its home directory is its datadir.

Create a credentials file that MariaDB can read. Use the region you selected when creating the key. Master keys cannot be used across regions. For example:

Change the permissions of the file so that it is owned by, and can only be read by, the mysql user:

Configure MariaDB

Create a new option file to tell MariaDB to enable encryption functionality and to use the AWS KMS plugin. Create a new file under /etc/my.cnf.d/ (or wherever your OS may have you create such files) with contents like this:

Append the "Alias" value you copied above to alias/ to use as the value for the aws-key-management-master-key-id option.

Note that you must include aws-key-management-region in your .cnf file if you are not using the us-east-1 region.

Now, you have told MariaDB to use the AWS KMS plugin, and you've put credentials for the plugin in a location where the plugin will find them. The /etc/my.cnf.d/enable_encryption.preset file contains a set of options that enable all available encryption functionality.

When you start MariaDB, the AWS KMS plugin will connect to the AWS Key Management Service and ask it to generate a new key. MariaDB will store that key on-disk in an encrypted form. The key stored on-disk cannot be used to decrypt the data; rather, on each startup, MariaDB must connect to AWS KMS and have the service decrypt the locally-stored key. The decrypted version is stored in-memory as long as the MariaDB server process is running, and that in-memory decrypted key is used to encrypt the local data.

SELinux and Outbound Connections from MariaDB

Because MariaDB needs to connect to the AWS KMS service, you must ensure that the host has outbound network connectivity over port 443 to AWS, and you must ensure that local policies allow the MariaDB server process to make those outbound connections. By default, SELinux restricts MariaDB from making such connections.

The most simple way to cause SELinux to allow outbound HTTPS connections from MariaDB is to enable to mysql_connect_any boolean, like this:

There are more complex alternatives that have a more granular effect, but those are beyond the scope of this document.

Start MariaDB

Start MariaDB using the systemctl tool:

If you do not use systemd, you may have to start MariaDB using some other mechanism.

You should see journal output similar to this:

Note the several lines of output that refer explicitly to the "AWS KMS plugin". You can see that the plugin generates a "datakey", loads that data key, and then later generates and loads a second data key. The 2nd data key is used to encrypt temporary files and temporary tables.

You can see the encrypted keys stored on-disk in the datadir:

Note that those keys are not useful alone. They are encrypted. When MariaDB starts up, the AWS KMS plugin decrypts those keys by interacting with AWS KMS.

For maximum security, you should start from an empty datadir and run after configuring encryption. Then you should re-import your data so that it is fully encrypted. Use sudo to run mariadb-install-db so that it finds your credentials file:

Create Encrypted Tables

With innodb-encrypt-tables=ON, new InnoDB tables will be encrypted by default, using the key ID set in innodb_default_encryption_key_id (default 1). With innodb-encrypt-tables=FORCE enabled, it is not possible to manually bypass encryption when creating a table.

You can cause the AWS KMS plugin to create new encryption keys at-will by specifying a new ENCRYPTION_KEY_ID when creating a table:

Read more about encrypting data in the section of the MariaDB Documentation.

AWS KMS Plugin Option Reference

aws_key_management_master_key_id: AWS KMS Customer Master Key ID (ARN or alias prefixed by alias/) for master encryption key. Used to create new data keys. If not set, no new data keys will be created.
aws_key_management_rotate_key: Set this variable to a data key ID to perform rotation of the key to the master key given in aws_key_management_master_key_id. Specify -1 to rotate all keys.
aws_key_management_key_spec

Next Steps

For more information about advanced usage, including strategies to manage credentials, enforce separation of responsibilities, and even require 2-factor authentication to start your MariaDB server, please review .

_{This page is licensed: CC BY-SA / Gnu FDL}

File Key Management Encryption Plugin

MariaDB's data-at-rest encryption requires the use of a key management and encryption plugin. These plugins are responsible both for the management of encryption keys and for the actual encryption and decryption of data.

MariaDB supports the use of multiple encryption keys. Each encryption key uses a 32-bit integer as a key identifier. If the specific plugin supports key rotation, then encryption keys can also be rotated, which creates a new version of the encryption key.

The File Key Management plugin that ships with MariaDB is a key management and encryption plugin that reads encryption keys from a plain-text file.

Overview

The File Key Management plugin is the key management and encryption plugin for users who want to use data-at-rest encryption. Some of the plugin's primary features are:

It reads encryption keys from a plain-text key file.
As an extra protection mechanism, the plain-text key file can be encrypted.
It supports multiple encryption keys.
It supports key rotation with MariaDB Enterprise Server from MariaDB Enterprise Server 11.8.

It can also serve as an example and as a starting point when developing a key management and encryption plugin with the .

Installing the File Key Management Plugin's Package

The File Key Management plugin is included in MariaDB packages as the file_key_management.so or file_key_management.dll shared library. The shared library is in the main server package, so no additional package installations are necessary. The plug-in must be installed into MariaDB however as follows.

Installing the Plugin

Although the plugin's shared library is distributed with MariaDB by default, the plugin is not actually installed by MariaDB by default. The plugin can be installed by providing the or the options. This can be specified as a command-line argument to or it can be specified in a relevant server in an . For example:

Uninstalling the Plugin

Before you uninstall the plugin, you should ensure that is completely disabled, and that MariaDB no longer needs the plugin to decrypt tables or other files.

You can uninstall the plugin dynamically by executing or . For example:

If you installed the plugin by providing the or the options in a relevant server in an , then those options should be removed to prevent the plugin from being loaded the next time the server is restarted.

Creating the Key File

In order to encrypt your tables with encryption keys using the File Key Management plugin, create the file containing the encryption keys. File name and location don't matter; see in the following what configuration is needed.

For each encryption key, the file contains these options, separated by a semicolon:

The key identifier (format: 32-bit integer)
The key version (optional, and only available as of Enterprise Server 11.8)
The key itself (format: hex-encoded)

Entries look like this:

You can also optionally encrypt the key file to make it less accessible from the file system. That is explained further in the section below.

The File Key Management plugin uses to encrypt data. It supports 128-bit, 192-bit, and 256-bit encryption keys, just like the plugin does.

Generate random encryption keys using the command. To create a random 256-bit (32-byte) encryption key, run the following command:

The key file needs to have a key identifier for each encryption key added to the beginning of each line. Key identifiers do not have to be contiguous. For example, to append three new encryption keys to a new key file, issue this command:

The resulting key file looks like this:

The key identifiers give you a way to reference the encryption keys from MariaDB. In the example above, you could reference these encryption keys using the key identifiers 1, 2 or 100 with the table option or with system variables such as . You do not necessarily need multiple encryption keys; an encryption key with the key identifier 1 is the only mandatory one.

If the key file is left unencrypted, the File Key Management plugin only requires the system variable to be configured.

This system variable can be specified as a command-line argument to mariadbd , or it can be specified in a server of an , like this:

Encrypting the Key File

This step is optional, but highly recommended.

If you use an unencrypted key file, keys are stored in plain text on your system, posing a security risk. It's recommended to encrypt the key file, with these hints in mind:

MariaDB only supports the mode of .
The encryption key size can be 128-bits, 192-bits, or 256-bits.
The encryption key is created from the hash of the encryption password.
The encryption password has a maximum length of 256 characters.

Generate a random encryption password using the command. To create a random 256 character encryption password, execute the following:

Encrypt the key file using the command. To encrypt the key file with the encryption password created in the previous step, execute, for example, one of the following commands:

The resulting keys.enc file is the encrypted version of keys.txt file. Delete the unencrypted key file.

Having the key file encrypted requires both the and the system variables to be configured.

The file_key_management_filekey variable can be provided in two forms:

As a plain-text encryption password. This is not recommended, since the plain-text encryption password would be visible in the output of the statement.
Prefixed with FILE:, it can be a path to a file that contains the plain-text encryption password.

These variables can be specified as command-line arguments to mariadbd, or they can be specified in a relevant server in an :

Choosing an Encryption Algorithm

The File Key Management plugin currently supports two encryption algorithms for encrypting data: AES_CBC and AES_CTR. Both of these algorithms use in different modes. AES uses 128-bit blocks, and supports 128-bit, 192-bit, and 256-bit keys. The modes are:

The AES_CBC mode uses AES in the mode.
The AES_CTR mode uses AES in two slightly different modes in different contexts. When encrypting tablespace pages (such as pages in InnoDB, XtraDB, and Aria tables), it uses AES in the mode. When encrypting temporary files (where the cipher text is allowed to be larger than the plain text), it uses AES in the authenticated .

The recommended algorithm is AES_CTR, but this algorithm is only available when MariaDB is built with . If the server is built with then this algorithm is not available. See for more information about which libraries are used on which platforms.

Configuring the Encryption Algorithm

The encryption algorithm can be configured by setting the system variable.

This system variable can be set to one of the following values:

System Variable Value

Description

This system variable can be specified as command-line arguments to mariadbd, or it can be specified in a relevant server in an . For example:

Note that the option prefix is specified. This option prefix is used in case the plugin hasn't been installed yet.

Note that this variable does not affect the algorithm that MariaDB uses to decrypt the key file. This variable only affects the encryption algorithm that MariaDB uses to encrypt and decrypt data. The only algorithm that MariaDB currently supports to encrypt the key file is mode of .

Using the File Key Management Plugin

Once the File Key Management Plugin is enabled, you can use it by creating an encrypted table:

Now, table t will be encrypted using the encryption key from the key file. For more information on how to use encryption, see .

Using Multiple Encryption Keys

The File Key Management Plugin supports . Each encryption key can be defined with a different 32-bit integer as a key identifier.

When , the key that is used to encrypt tables . When , the key that is used to encrypt tables .

Key Rotation

The plugin supports key rotation and allows an optional key version in the key file. The keys can be rotated using the FLUSH FILE_KEY_MANAGEMENT_KEYS statement, without needing to restart the server. The plugin remains compatible with old key file format, and when version is not specified, it defaults to version 1.

Generation of New Key Versions

How would new key versions be generated?

The plugin doesn't generate any encryption keys itself, and it doesn't have a backend KMS to generate encryption keys for it either.

Any encryption keys need to be generated by the user with external tools, such as OpenSSL. For example:

Keys need to be manually saved to the key file. See .

The format of the key file is simplistic. It stores encryption keys in a plain-text file.

Versions

Version

Status

Introduced

System Variables

`file_key_management_encryption_algorithm`

This system variable is used to determine which algorithm the plugin will use to encrypt data.
- The recommended algorithm is AES_CTR, but this algorithm is only available when MariaDB is built with . If the server is built with then this algorithm is not available. See for more information about which libraries are used on which platforms.
Command line: --file-key-management-encryption-algorithm=value

`file_key_management_digest`

Specifies the digest function to use in key derivation of the key used for decrypting the key file.
Command line: --file-key-management-digest=value
Scope: Global
Dynamic: No

`file_key_management_filekey`

Used to determine the encryption password that is used to decrypt the key file defined by .
- If this system variable's value is prefixed with FILE:, then it is interpreted as a path to a file that contains the plain-text encryption password.
- If this system variable's value is not prefixed with FILE:, then it is interpreted as the plain-text encryption password. However, this is not recommended.

`file_key_management_filename`

Used to determine the path to the file that contains the encryption keys. If is set, this file can be encrypted with mode of .
Command line: --file-key-management-filename=value
Scope: Global

`file_key_management_use_pbkdf2`

Specifies whether pbkdf2 is used in key derivation, and if so, how many iterations.
Command line: --file-key-management-use-pbkdf2=number
Scope: Global
Dynamic: No

Options

`file_key_management`

Controls how the server should treat the plugin when the server starts up.
- Valid values are:
  - OFF - Disables the plugin without removing it from the table.

_{This page is licensed: CC BY-SA / Gnu FDL}

Secure Connections Overview

Prior to MariaDB 11.4, by default, MariaDB transmits data between the server and clients without encrypting it. This is generally acceptable when the server and client run on the same host or in networks where security is guaranteed through other means. However, in cases where the server and client exist on separate networks or they are in a high-risk network, the lack of encryption does introduce security concerns as a malicious actor could potentially eavesdrop on the traffic as it is sent over the network between them.

To mitigate this concern, MariaDB allows you to encrypt data in transit between the server and clients using the Transport Layer Security (TLS) protocol. TLS was formerly known as Secure Socket Layer (SSL), but strictly speaking the SSL protocol is a predecessor to TLS and, that version of the protocol is now considered insecure. The documentation still uses the term SSL often and for compatibility reasons TLS-related server system and status variables still use the prefix ssl_, but internally, MariaDB only supports its secure successors.

Checking MariaDB Server for TLS Support

In order for MariaDB Server to use TLS, it needs to be compiled with TLS support. All MariaDB packages distributed by MariaDB Foundation and MariaDB Corporation are compiled with TLS support.

If you aren't sure whether your MariaDB Server binary was compiled with TLS support, then you can check the value of the system variable. For example:

The possible values are:

If it is DISABLED, then the server was compiled with TLS support, but TLS is not enabled.
If it is YES, then the server was compiled with TLS support, and TLS is enabled.
If it is NO, then the server was not compiled with TLS support.

TLS Libraries

When MariaDB is compiled with TLS and cryptography support, it is usually either statically linked with MariaDB's bundled TLS and cryptography library, which might be or , or dynamically linked with the system's TLS and cryptography library, which might be , , or .

See for more information about which libraries are used on which platforms.

TLS Protocol Versions

There are 4 versions of the TLS protocol:

TLSv1.0
TLSv1.1
TLSv1.2
TLSv1.3

Enabling Specific TLS Protocol Versions

In some cases, it might make sense to only enable specific TLS protocol versions. For example, it would make sense if your organization has to comply with a specific security standard. It would also make sense if a vulnerability is found in a specific TLS protocol version, and you would like to ensure that your server does not use the vulnerable protocol version.

The recommends using a minimum protocol version of TLSv1.2.

On the server side, users can enable specific TLS protocol versions by setting the system variable. This system variable accepts a comma-separated list of TLS protocol versions. A TLS protocol version will only be enabled if it is present in this list. All other TLS protocol versions will not be permitted. This system variable can be specified as a command-line argument to or it can be specified in a relevant server in an . For example:

You can check which TLS protocol versions are enabled on a server by executing . For example:

On the client side, users can enable specific TLS protocol versions by setting the --tls-version option. This option accepts a comma-separated list of TLS protocol versions. A TLS protocol version will only be enabled if it is present in this list. All other TLS protocol versions will not be permitted. For example, to specify this option in a relevant client in an , you could set the following:

Or if you wanted to specify it on the command-line with the client, then you could execute something like this:

TLS Protocol Version Support

The TLS protocol versions that are supported depend on the underlying TLS library used by the specific MariaDB binary.

TLS Library

Supported TLS Protocol Versions

See for more information about which libraries are used by the server and by clients on each platform.

TLS Protocol Version Support in OpenSSL

MariaDB binaries built with the library ( or later) support TLSv1.1 and TLSv1.2 since , , and .

MariaDB binaries built with the library ( or later) support TLSv1.3 since and .

If your MariaDB Server binary is built with , then you can set the system variable to values like SSLv3 or TLSv1.2 to allow all SSLv3.0 or all TLSv1.2 ciphers. However, this does not necessarily limit the protocol version to TLSv1.2. See for more information about that.

Note that the TLSv1.3 ciphers cannot be excluded when using , even by using the system variable. See for details.

SSLv3.0 is known to be vulnerable to the , so it should not be used. SSLv2.0 and SSLv3.0 are disabled for MariaDB Server binaries linked with since , , and . If you are using a MariaDB version older than that and you cannot upgrade, then please see the section titled "SSL 3.0 Fallback protection" in .

TLS Protocol Version Support in wolfSSL

MariaDB binaries built with the bundled library support TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3.

TLS Protocol Version Support in yaSSL

MariaDB binaries built with the bundled library support SSLv3.0, TLSv1.0, and TLSv1.1.

SSLv3.0 is known to be vulnerable to the , so it should not be used. SSLv2.0 and SSLv3.0 are disabled for MariaDB Server binaries linked with since , , and .

TLS Protocol Version Support in Schannel

MariaDB binaries built with the library support different versions of TLS on different versions of Windows. See the documentation from Microsoft to determine which versions of TLS are supported on each version of Windows.

TLS Protocol Version Support in GnuTLS

MariaDB binaries built with the library support TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3.

Enabling TLS

See for information on how to enable TLS on the client and server.

Certificate Verification

Certificate verification is how TLS authenticates its connections by verifying that it is talking to who it says it is. There are multiple components to this verification process:

Was the certificate signed by a trusted Certificate Authority (CA)?
Is the certificate expired?
Is the certificate on my Certificate Revocation List (CRL)?
Does the certificate belong to who I believe that I'm communicating with?

Certificate Authorities (CAs)

Certificate Authorities (CAs) are entities that you trust to sign TLS certificates. Your organization might have its own internal CA, or it might use trusted third-party CAs.

CAs are specified on the server and client by using the and options.

The option defines a path to a PEM file that should contain one or more X509 certificates for trusted Certificate Authorities (CAs). This option requires that you use the absolute path, not a relative path.

The option defines a path to a directory that contains one or more PEM files that should each contain one X509 certificate for a trusted Certificate Authority (CA). This option requires that you use the absolute path, not a relative path. The option is only supported if the server or client was built with , , or . If the client was built with or , then the option is not supported.

See for more information about which libraries are used on which platforms.

The directory specified by needs to be run through the command. For example, if the following is configured:

Then you would have to execute the following:

Requiring a Specific Certificate Authority (CA)

The server can require a specific Certificate Authority (CA) for a client if the client's user account has been defined with REQUIRE ISSUER. See for more information.

Certificate Revocation Lists (CRLs)

Certificate Revocation Lists (CRLs) are lists of certificates that have been revoked by the Certificate Authority (CA) before they were due to expire.

CRLs are specified on the server and client by using the and options.

The option defines a path to a PEM file that should contain one or more X509 revoked certificates. This option requires that you use the absolute path, not a relative path. For servers, the option is only valid if the server was built with OpenSSL. If the server was built with or , then the option is not supported. For clients, the option is only valid if the client was built with or . Likewise, if the client was built with , or , then the option is not supported.

The option defines a path to a directory that contains one or more PEM files that should each contain one revoked X509 certificate. This option requires that you use the absolute path, not a relative path. The option is only supported if the server or client was built with . If the server was built with or , then the option is not supported. Likewise, if the client was built with , , , or , then the option is not supported.

See for more information about which libraries are used on which platforms.

The directory specified by needs to be run through the command. For example, if the following is configured:

Then you would have to execute the following:

Server Certificate Verification

Normally the TLS implementation performs numerous checks to verify whether the certificate is valid. It should be within its validity period, not revoked, signed by a trusted certificate authority, belong to the host that uses it.

enable all these checks by default. Last two checks can be disabled with an option, such as disable-ssl-verify-server-cert. Before , all server certificate verification checks were disabled by default, and could be enabled with the ssl-verify-server-cert option.

To verify whether the server's certificate belong to server's host, will check the Common Name (CN) attribute located in the field of the certificate against the server's host name and IP address. If the Common Name (CN) matches either of those, then the certificate is verified.

Server Certificate Verification with Subject Alternative Names (SANs)

The field, which is an X.509v3 extension, can also be used for server certificate verification, if it is present in the server certificate. This field is also sometimes called subjectAltName. When using a that supports server certificate verification with subjectAltName fields, if the server certificate contains any subjectAltName fields, then those fields will also be checked against the server's host name and IP address.

Whether server certificate verification with subjectAltName fields is supported depends on the underlying TLS library used by the .

See for more information about which libraries are used on which platforms.

SAN Support with OpenSSL, wolfSSL, and yaSSL

For built with ( or later), support for server certificate verification with subjectAltName fields that contain the server's host name was added in and . See for more information.

For built with ( or later), support for server certificate verification with subjectAltName fields that contain the server's IP address was added in , , , and . See for more information.

This support also applies to other TLS libraries that use OpenSSL's API. In OpenSSL's API, server certificate verification with subjectAltName fields depends on the and functions. These functions are supported in the following TLS libraries:

1.0.2 or later

And they are not supported in the following TLS libraries:

MariaDB's were built with 1.0.1 on RHEL 7 and CentOS 7, even after OpenSSL 1.0.2 became available on those distributions. As a side effect, the bundled in these packages did not support server certificate verification with the subjectAltName field, even if the packages were installed on a system that had OpenSSL 1.0.2 installed. Starting with MariaDB , , , and , MariaDB's on RHEL 7 and CentOS 7 are built with OpenSSL 1.0.2. See for more information.

SAN Support with Schannel

For linked with , support for server certificate verification with subjectAltName fields was added in 3.0.2. See for more information.

SAN Support with GnuTLS

For linked with GnuTLS, support for server certificate verification with subjectAltName fields was added in 3.0.0. See for more information.

Client Certificate Verification

The server verifies a client certificate by checking the client's known SUBJECT against the Subject attribute in the client's certificate. This is only done for user accounts that have been defined with REQUIRE SUBJECT. See for more information.

Encryption

TLS and Cryptography Libraries Used by MariaDB

Checking Dynamically vs. Statically Linked

Data-in-Transit Encryption

Certificate Creation with OpenSSL

Certificate Creation

Creating a Certificate Authority Private Key and Certificate

Creating a Private Key and a Self-signed Certificate

Certificate Verification

Enabling TLS on MariaDB Server

Overview

Enabling TLS

Requiring TLS on MariaDB Server

Overview

Using TLSv1.3

See Also

Data-at-Rest Encryption

Why Encrypt MariaDB Data?

When Does Encryption Help to Protect Your Data?

When is Encryption No Help?

What to Encrypt?

How to Handle Key Management?

Aria Encryption

Aria Encryption Overview

Basic Configuration

Determining Whether a Table is Encrypted

Encryption and the Aria Log

Aria Disabling Encryption

Disabling Encryption on User-created Tables

Disabling Encryption for Internal On-disk Temporary Tables

Aria Enabling Encryption

Encrypting User-created Tables

Aria Encryption Keys

Encryption Keys

Key Rotation

InnoDB Encryption

Key Management and Encryption Plugins

Disabling Data-at-Rest Encryption for Standalone Servers

Decrypt Aria Tables

Decrypt InnoDB Tables

Decrypt Binary Logs

Uninstall Key Management Plugins

Data-in-Transit Encryption

Encryption

Certificate Creation with OpenSSL

Certificate Creation

Creating a Certificate Authority Private Key and Certificate

Creating a Private Key and a Self-signed Certificate

Certificate Verification

Data-at-Rest Encryption

InnoDB Encryption

Aria Encryption

Enabling TLS on MariaDB Server

Overview

Enabling TLS

Requiring TLS on MariaDB Server

Overview

TLS and Cryptography Libraries Used by MariaDB

Checking Dynamically vs. Statically Linked

Key Management and Encryption Plugins

Checking If the Server Uses OpenSSL

Checking the Server's OpenSSL Version

FIPS Certification

FIPS Certification by OpenSSL

FIPS Certification by wolfSSL

FIPS Certification by yaSSL

Libraries Used by Each Platform and Package

MariaDB Server

MariaDB Server on Windows

MariaDB Server on Linux

MariaDB Clients and Utilities

MariaDB Clients and Utilities on Windows

MariaDB Clients and Utilities on Linux

Updating Dynamically Linked OpenSSL Libraries on Linux

Updating Dynamically Linked OpenSSL Libraries with yum/dnf

Updating Dynamically Linked OpenSSL Libraries with apt-get

Updating Dynamically Linked OpenSSL Libraries with zypper

Why Encrypt MariaDB Data?

When Does Encryption Help to Protect Your Data?

When is Encryption No Help?

Using `mysqlbinlog` to decrypt