Aria Encryption Keys
As with other storage engines that support data-at-rest encryption, Aria relies on an Encryption Key Management plugin to handle its encryption keys. Where support is available, Aria can use multiple keys.
Key Selection
MariaDB keeps track of each encryption key internally using a 32-bit integer, which serves as the key identifier. Unlike InnoDB, Aria does not support the ENCRYPTION_KEY_ID table option, which allows the user to specify the encryption key to use. Instead, Aria defaults to specific encryption keys provided by the Encryption Key Management plugin.
- When working with user-created tables, Aria encrypts them to disk using the ID 1 key.
- When working with internal temporary tables written to disk, Aria encrypts them to disk using the ID 2 key. If there is no ID 2 key, it falls back on the ID 1 key.
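The selection rule above can be checked against a key file before encryption is enabled. The following is an added example, not MariaDB code: it assumes the File Key Management plugin's plaintext key file layout of one `<key id>;<hex key>` entry per line, the function names are hypothetical, and the sample keys are constructed.

```python
import re

# One key per line in the assumed File Key Management layout: <key id>;<hex key>
KEY_LINE = re.compile(r"^(\d+)\s*;\s*([0-9A-Fa-f]+)$")
VALID_HEX_LENGTHS = {32, 48, 64}  # 128-, 192- and 256-bit keys

def parse_key_file(text):
    """Return {key_id: key_bytes}; blank lines and '#' comment lines are skipped."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.match(line)
        if m is None:
            # Report the position only, never the line: it may hold key material.
            raise ValueError(f"line {lineno}: expected '<key id>;<hex key>'")
        key_id, hex_key = int(m.group(1)), m.group(2)
        if key_id >= 2**32:
            raise ValueError(f"line {lineno}: key ID does not fit in 32 bits")
        if len(hex_key) not in VALID_HEX_LENGTHS:
            raise ValueError(f"line {lineno}: key must be 128, 192 or 256 bits")
        keys[key_id] = bytes.fromhex(hex_key)
    return keys

def aria_key_selection(keys):
    """ID 1 for user-created tables; ID 2, else ID 1, for on-disk temporary tables."""
    if 1 not in keys:
        raise LookupError("no ID 1 key: Aria has no key for user-created tables")
    return {"user_tables": 1, "internal_tmp_tables": 2 if 2 in keys else 1}

# Constructed sample key files (not real keys).
WITH_TMP_KEY = """# constructed example
1;00112233445566778899aabbccddeeff
2;ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
"""
ONLY_ID_1 = "1;00112233445566778899aabbccddeeff\n100;0123456789abcdef0123456789abcdef\n"

if __name__ == "__main__":
    for name, text in (("WITH_TMP_KEY", WITH_TMP_KEY), ("ONLY_ID_1", ONLY_ID_1)):
        print(name, aria_key_selection(parse_key_file(text)))
```

In the second sample the ID 100 key is never selected, because Aria has no table option for choosing it, so temporary tables share the ID 1 key with user data.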
Key Rotation
Some Encryption Key Management plugins support automatic key versioning and rotation. The AWS Key Management plugin supports key rotation. The File Key Management plugin does not.
Rotation also depends on the storage engine, not only on the plugin. InnoDB supports the use of background encryption threads, but Aria currently does not. When the plugin rotates keys, InnoDB automatically re-encrypts pages to use the new encryption key. Aria has no similar mechanism, so its tables remain on disk encrypted under the older version of the key.