AWS Key Management Encryption Plugin

You are viewing an old version of this article. View the current version here.
MariaDB starting with 10.1.13

This plugin was first available (in the source only) from MariaDB 10.1.13.

The AWS Key Management plugin uses the Amazon Web Services (AWS) Key Management Service (KMS) for encryption at rest.

The plugin uses AWS Key management service to generate and store AES keys on disk, in encrypted form. The plugin will decrypt them in memory, using the AWS KMS "Decrypt" API function, and MariaDB data will then be decrypted using AES and plaintext key.

The AWS KMS plugin is included in MariaDB Enterprise packages, on OSs where it can be built, starting with MariaDB Enterprise 10.1.13. For more information, consult the Amazon Web Services (AWS) Key Management Service (KMS) Encryption Plugin Setup Guide.


  • Before you use the plugin, you need to create a master key (CMK) for the IAM AWS user. You can create a key using the AWS console as described in the AMS KMS developer guide
  • Make sure that mysql runs under the correct AWS identity that has access to the above key. For example, you can store the AWS credentials in a AWS credentials file for the user who runs mysqld . More information about the credentials file can be found here

Building from source

Currently, the plugin is only distributed in source form, and is disabled by default.

To compile it yourself, pass -DPLUGIN_AWS_KEY_MANAGEMENT=DYNAMIC or -DPLUGIN_AWS_KEY_MANAGEMENT=STATIC to the CMake arguments (static will make the plugin builtin).

The plugin uses AWS C++ SDK, which induces the following restrictions:

  • The plugin can only be built on Windows, Linux or OSX.
  • The plugin requires that one of the following compilers is used: gcc 4.8 or later, clang 3.3 or later, Visual Studio 2013 or later.
  • On Unix, the libcurl development package and openssl need to be installed.

Using the plugin

  • add the following lines to my.ini/my.cnf
plugin-load-add=aws_key_management  # if plugin is built dynamically
aws_key_management_master_key_id=9f5376b2-dc45-4462-9b5e-e03ca369b0f9 #use your own key id here
  • start mysqld
  • create table, with encryption
CREATE TABLE t (i int) engine Innodb encrypted=YES

Now, table t will be encrypted using the data key generated by AWS.

Multiple keys IDs are supported, i.e ENCRYPTION_KEY_ID=<number> can be passed to the CREATE TABLE command.

Plugin variables


  • Description: AWS KMS Customer Master Key ID (ARN or alias prefixed by alias/) for the master encryption key. Used to create new data keys. If not set, no new data keys will be created.


  • Description: Set this variable to a data key ID to perform rotation of the key to the master key given in aws_key_management_master_key_id. Specify -1 to rotate all keys.


  • Description: Encryption algorithm used to create new keys
  • Default Value: AES_128
  • Valid Values: AES_128, AES_256


  • Description: Dump log of the AWS SDK to MariaDB error log. Permitted values, in increasing verbosity, are "Off" (default), "Fatal", "Error", "Warn", "Info", "Debug", and "Trace".
  • Default Value: Off
  • Valid Values: Off, Fatal, Warn, Info, Debug and Trace


Comments loading...
Content reproduced on this site is the property of its respective owners, and this content is not reviewed in advance by MariaDB. The views, information and opinions expressed by this content do not necessarily represent those of MariaDB or any other party.