AWS Key management encryption plugin


The AWS Key Management plugin uses the AWS Key Management Service (KMS) for encryption at rest.

The plugin uses AWS KMS to generate AES data keys, which it stores on disk in encrypted form. The plugin decrypts these keys in memory using the AWS KMS "Decrypt" API call, and MariaDB data is then decrypted with AES using the plaintext key.

Preparations

  • Before you use the plugin, you need to create a master key (CMK) for the IAM AWS user. You can create a key using the AWS console as described in the AWS KMS developer guide.
  • Make sure that mysqld runs under the correct AWS identity that has access to the above key. For example, you can store the AWS credentials in an AWS credentials file for the user who runs mysqld. More information about the credentials file can be found here.

Building from source

Currently, the plugin is only distributed in source form, and is disabled by default.

To compile it yourself, pass -DPLUGIN_AWS_KEY_MANAGEMENT=DYNAMIC or -DPLUGIN_AWS_KEY_MANAGEMENT=STATIC in the CMake arguments (STATIC builds the plugin into the server). To build the plugin, one of the following compilers can be used:

  • gcc 4.8 or later,
  • clang 3.3 or later
  • Visual Studio 2013 or later

Using the plugin

  • Add the following lines to my.ini/my.cnf:

    plugin-load-add=aws_key_management  # only needed if the plugin was built dynamically
    aws_key_management_master_key_id=9f5376b2-dc45-4462-9b5e-e03ca369b0f9  # use your own key id here

  • Start mysqld.
  • Create a table with encryption enabled:

    CREATE TABLE t (i INT) ENGINE=InnoDB ENCRYPTED=YES;

Table t is now encrypted using a data key generated by AWS KMS.

Multiple data key IDs are supported: ENCRYPTION_KEY_ID=<number> can be passed to the CREATE TABLE command to select which data key a table uses.
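The following SQL session is an added example, not from the original article: it creates two tables under different data key IDs, checks their encryption state through information_schema, and rotates one key with the plugin variable described below. The table names, the database name test and the key IDs are assumptions for illustration; the plugin is assumed to be loaded with aws_key_management_master_key_id already set.

```sql
-- Constructed example (not the article's own code): two tables under
-- different data key IDs, then rotation of a single key.
-- Key ID 1 is the default; key ID 2 is created by the plugin on first use,
-- i.e. a new data key is generated through KMS under the configured master key.
CREATE TABLE customers (id INT PRIMARY KEY, name VARCHAR(100))
  ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=1;

CREATE TABLE payments (id INT PRIMARY KEY, amount DECIMAL(10,2))
  ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=2;

-- Verify which data key ID and key version each tablespace is using
-- (assumes both tables live in the database named test).
SELECT NAME, ENCRYPTION_SCHEME, CURRENT_KEY_ID, CURRENT_KEY_VERSION
  FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
 WHERE NAME IN ('test/customers', 'test/payments');

-- Rotate data key 2 only: the plugin generates a new version of that key
-- under the master key. Use -1 instead of 2 to rotate every data key.
-- Pages are re-encrypted by InnoDB background threads, so
-- innodb_encryption_threads must be greater than 0 for the rotation to progress.
SET GLOBAL aws_key_management_rotate_key = 2;

-- CURRENT_KEY_VERSION for test/payments should now be higher than before,
-- while test/customers keeps its previous version.
SELECT NAME, CURRENT_KEY_ID, MIN_KEY_VERSION, CURRENT_KEY_VERSION
  FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
 WHERE NAME = 'test/payments';
```

A gap between MIN_KEY_VERSION and CURRENT_KEY_VERSION means some pages are still encrypted with the old key version and rotation has not yet finished.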

Plugin variables

  • aws_key_management_master_key_id - AWS KMS Customer Master Key ID (ARN or alias prefixed by alias/) for master encryption key. Used to create new data keys. If not set, no new data keys will be created.
  • aws_key_management_rotate_key - Set this variable to a data key ID to perform rotation of the key to the master key given in aws_key_management_master_key_id. Specify -1 to rotate all keys.
  • aws_key_management_key_spec - Encryption algorithm used to create new keys. Allowed values are AES_128 (default) or AES_256.
  • aws_key_management_log_level - Logging for AWS API. Allowed values, in increasing verbosity, are "Off" (default), "Fatal", "Error", "Warn", "Info", "Debug", and "Trace".
