AWS Key management encryption plugin
The AWS Key Management plugin uses the AWS Key Management Service (KMS) for encryption at rest.
The plugin asks KMS to generate AES data keys (the GenerateDataKey API) and stores them on disk in encrypted form, wrapped by the master key; the plaintext copy of a data key exists only in the server's memory. When a data key is needed, the plugin decrypts the stored copy in memory with the KMS "Decrypt" API, and MariaDB then encrypts and decrypts table data with AES using that plaintext key. Anyone who copies the on-disk key files but cannot call Decrypt with the master key cannot recover the data keys, and therefore cannot read the data.
Preparations
- Before you use the plugin, create a customer master key (CMK) in AWS KMS that the IAM identity running MariaDB is allowed to use. You can create a key using the AWS console as described in the
- Make sure that mysqld runs under the correct AWS identity, one that is permitted to call GenerateDataKey and Decrypt with the above key. For example, you can store the AWS credentials in an AWS credentials file for the user who runs mysqld; note that the file then holds long-lived secrets and must be readable only by that user. More information about the credentials file can be found here
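The identity that runs mysqld needs only two KMS actions, and only on the one key. The policy below is an added example (not from the MariaDB documentation or the plugin's source) of a least-privilege IAM policy for that identity; the region, the account ID 111122223333 and the key ID are placeholders you replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MariaDBAwsKeyManagementPlugin",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/9f5376b2-dc45-4462-9b5e-e03ca369b0f9"
    }
  ]
}
```

GenerateDataKey is what creates a new data key (a new ENCRYPTION_KEY_ID, or a new version during rotation) and Decrypt is what unwraps a stored one at startup; nothing in the plugin's workflow needs kms:Encrypt, kms:CreateKey or wildcard resources. Remember that the key's own key policy must also allow this principal (directly, or by delegating to IAM policies), otherwise KMS denies the calls regardless of the IAM policy.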
Building from source
Currently, the plugin is only distributed in source form, and is disabled by default.
To compile it yourself, pass -DPLUGIN_AWS_KEY_MANAGEMENT=DYNAMIC or -DPLUGIN_AWS_KEY_MANAGEMENT=STATIC to CMake (STATIC builds the plugin into the server, so no plugin-load-add is needed later). One of the following compilers can be used to build the plugin:
- gcc4.8 or later,
- clang 3.3 or later
- Visual Studio 2013 or later
Using the plugin
- Add the following lines to my.ini/my.cnf:
plugin-load-add=aws_key_management   # only if the plugin was built dynamically
aws_key_management_master_key_id=9f5376b2-dc45-4462-9b5e-e03ca369b0f9   # use your own key ID here
- Start mysqld.
- Create a table with encryption:
CREATE TABLE t (i INT) ENGINE=InnoDB ENCRYPTED=YES;
Table t is now encrypted with a data key that the plugin obtained from AWS KMS. Multiple key IDs are supported: pass ENCRYPTION_KEY_ID=<number> to CREATE TABLE to use a different data key (the plugin requests a new one from KMS the first time an unknown ID is used, provided aws_key_management_master_key_id is set).
Plugin variables
- aws_key_management_master_key_id - AWS KMS Customer Master Key ID (key ID, ARN, or alias prefixed with alias/) of the master encryption key. Used to create new data keys. If not set, no new data keys will be created; existing data keys can still be decrypted, because the KMS ciphertext itself identifies the master key.
- aws_key_management_rotate_key - Set this variable to a data key ID to generate a new version of that data key under the master key given in aws_key_management_master_key_id. Specify -1 to rotate all keys. Re-encrypting existing InnoDB pages with the new version is done by the background encryption threads, so innodb_encryption_threads must be greater than 0 for the rotation to reach the data on disk.
- aws_key_management_key_spec - Encryption algorithm used to create new keys (passed to KMS as the GenerateDataKey KeySpec). Allowed values are AES_128 (default) or AES_256.
- aws_key_management_log_level - Logging for AWS API. Allowed values, in increasing verbosity, are "Off" (default), "Fatal", "Error", "Warn", "Info", "Debug", and "Trace".
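The following SQL session ties the steps above together: it checks that the plugin is loaded, creates a table under a non-default key ID, confirms which key and key version InnoDB is actually using, and then triggers a rotation through aws_key_management_rotate_key. It is an added example, not part of the MariaDB documentation or of the plugin; it assumes a server started with the my.cnf lines shown above, a database named test, and innodb_encryption_threads set to a non-zero value so that rotation is carried through to the pages.

```sql
-- Added example, not from the MariaDB documentation.
-- Assumes: plugin loaded, aws_key_management_master_key_id set,
-- current database is `test`, innodb_encryption_threads > 0.

-- 1. Is the encryption plugin really active? A server without a working
--    encryption plugin will refuse ENCRYPTED=YES tables.
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM information_schema.PLUGINS
WHERE PLUGIN_TYPE = 'ENCRYPTION';

SHOW GLOBAL VARIABLES LIKE 'aws_key_management%';

-- 2. Create a table under key ID 2. The plugin asks KMS for a new data
--    key the first time ID 2 is used and stores the wrapped key on disk.
CREATE TABLE secrets (
  id      INT PRIMARY KEY,
  payload BLOB
) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=2;

INSERT INTO secrets VALUES (1, 'constructed sample row');

-- 3. Verify what InnoDB recorded for the tablespace: the key ID we asked
--    for, the key version currently in use, and the encryption scheme.
SELECT NAME, ENCRYPTION_SCHEME, CURRENT_KEY_ID,
       MIN_KEY_VERSION, CURRENT_KEY_VERSION, ROTATING_OR_FLUSHING
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE NAME = 'test/secrets';

-- 4. Rotate only key ID 2: the plugin calls GenerateDataKey again under
--    the master key, producing version 2 of data key 2.
SET GLOBAL aws_key_management_rotate_key = 2;

-- 5. Re-run the check. CURRENT_KEY_VERSION should now be higher, and
--    ROTATING_OR_FLUSHING is 1 while the background threads re-encrypt
--    pages; MIN_KEY_VERSION catches up once every page has been rewritten.
SELECT NAME, CURRENT_KEY_ID, MIN_KEY_VERSION, CURRENT_KEY_VERSION,
       ROTATING_OR_FLUSHING
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE NAME = 'test/secrets';

-- Rotating every data key the plugin manages instead of a single ID:
-- SET GLOBAL aws_key_management_rotate_key = -1;
```

Two things are worth checking after a rotation. First, MIN_KEY_VERSION is the version that must still be decryptable; until it equals CURRENT_KEY_VERSION the old key version is still in use for some pages. Second, because the master key itself is never stored on the database host, the ID you rotate is the plugin's data key, not the KMS CMK; rotating the CMK is done in KMS and is independent of this variable.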