The Ultimate Guide to High Availability with MariaDB

Aria Enabling Encryption

You are viewing an old version of this article. View the current version here.

Enabling Encryption for Automatically Encrypted Tables

Enabling Encryption for User-created Tables

For tables that use the Aria storage engine, you can only enable data-at-rest encryption for those tables that have the ROW_FORMAT table option set to PAGE, (which is the default). Encryption is not available for Aria tables where ROW_FORMAT is set to DYNAMIC or FIXED.

Enabling encryption of Aria tables is done by setting aria_encrypt_tables=ON. When this is set, all Aria tables that have ROW_FORMAT=PAGE that are created from that point forward will be automatically encrypted.

Encrypting Pre-existing Aria Tables

The InnoDB storage engine has background encryption threads that allow the storage engine to automatically perform encryption changes in the background as the configuration changes. Aria does not currently have anything like that.

If you want to encrypt pre-existing Aria tables after a configuration change, then it will take a bit more work.

First, set aria_encrypt_tables=ON:

SET GLOBAL aria_encrypt_tables=ON;

Then, find any Aria tables that use the PAGE ROW_FORMAT:

SELECT TABLE_SCHEMA, TABLE_NAME 
FROM information_schema.TABLES 
WHERE ENGINE='Aria' 
AND ROW_FORMAT='PAGE'
AND TABLE_SCHEMA != 'information_schema';

Then, for each table in the results, rebuild the table:

ALTER TABLE aria_tab ENGINE=Aria ROW_FORMAT=PAGE;

When the table is rebuilt, it will be encrypted.

Enabling Encryption for Internal On-disk Temporary Tables

MariaDB regularly creates internal temporary tables during the execution of queries. These internal temporary tables tables will initially use the MEMORY storage engine, which stores all table data in memory. When the table size exceeds max_heap_table_size, MariaDB writes the data to disk using another storage engine. If aria_used_for_temp_tables=ON is set, then MariaDB will use the Aria storage engine for this.

Encryption for these temporary tables is handled separately from encryption for user-created tables. It can be enabled by setting encrypt_tmp_disk_tables=ON. If this is enabled, then internal on-disk temporary tables that use Aria will be automatically encrypted.

Enabling Encryption for Manually Encrypted Tables

Aria does not currently support the ENCRYPTED and ENCRYPTION_KEY_ID table options, so manually choosing which Aria tables to encrypt is not currently supported. See MDEV-18049 about that.

The InnoDB storage engine does support these options.

Comments

Comments loading...
Content reproduced on this site is the property of its respective owners, and this content is not reviewed in advance by MariaDB. The views, information and opinions expressed by this content do not necessarily represent those of MariaDB or any other party.