Encryption for Binary Logs
Basic Configuration
Since MariaDB 10.1.7, MariaDB can also encrypt binary logs (including relay logs). Encryption of binary logs is configured by the encrypt_binlog system variable.

    # vi /etc/my.cnf
    [mysqld]
    ...
    encrypt_binlog=ON
Enabling Encryption
Encryption of binary logs can be enabled with the following procedure.
- First, stop the server.
- Then, set encrypt_binlog=ON in the MariaDB configuration file.
- Then, start the server.
From that point forward, any new binary logs will be encrypted. To delete old unencrypted binary logs, you can use RESET MASTER or PURGE BINARY LOGS.
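To find which old logs still need purging after the switch, the following added example (not part of the original page or of MariaDB) reads the head of each log file and reports whether it is encrypted. It assumes the on-disk layout in which the 4-byte magic and the format description event stay in clear text and an encrypted file carries a START_ENCRYPTION_EVENT (type code 164) immediately after; the function names are illustrative.

```python
import struct

MAGIC = b"\xfebin"                  # file magic of a binary or relay log
HEADER_LEN = 19                     # size of the common event header
FORMAT_DESCRIPTION_EVENT = 15
START_ENCRYPTION_EVENT = 164        # assumed MariaDB type code marking an encrypted file
HEADER = struct.Struct("<IBIIIH")   # timestamp, type, server_id, length, next_pos, flags

def event_header(buf, pos):
    """Return (type_code, event_length) for the header at pos, or None if truncated."""
    if len(buf) < pos + HEADER_LEN:
        return None
    _ts, type_code, _sid, length, _next, _flags = HEADER.unpack_from(buf, pos)
    return type_code, length

def binlog_state(buf):
    """Classify the head of a log file as 'encrypted', 'plaintext' or 'unknown'."""
    if not buf.startswith(MAGIC):
        return "unknown"            # not a binary/relay log
    first = event_header(buf, len(MAGIC))
    if first is None or first[0] != FORMAT_DESCRIPTION_EVENT or first[1] < HEADER_LEN:
        return "unknown"
    second = event_header(buf, len(MAGIC) + first[1])
    if second is None:
        return "unknown"            # file ends right after the format description
    return "encrypted" if second[0] == START_ENCRYPTION_EVENT else "plaintext"

def audit(paths, read_bytes=4096):
    """Map each path to its state; only the first read_bytes of each file are read."""
    states = {}
    for path in paths:
        with open(path, "rb") as fh:
            states[path] = binlog_state(fh.read(read_bytes))
    return states

def constructed_sample(second_type):
    """Constructed input: magic, a minimal format description, one more event header."""
    fde = HEADER.pack(0, FORMAT_DESCRIPTION_EVENT, 1, HEADER_LEN + 8, 0, 0) + b"\0" * 8
    return MAGIC + fde + HEADER.pack(0, second_type, 1, HEADER_LEN, 0, 0)

if __name__ == "__main__":
    import sys
    # Usage: pass the binary log paths to check as arguments.
    for path, state in audit(sys.argv[1:]).items():
        print(f"{state:10} {path}")
```

Files reported as plaintext are the ones written before encrypt_binlog=ON took effect; files reported as unknown should be inspected by hand rather than assumed safe.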
Disabling Encryption
Encryption of binary logs can be disabled with the following procedure.
- First, stop the server.
- Then, set encrypt_binlog=OFF in the MariaDB configuration file.
- Then, start the server.
From that point forward, any new binary logs will be unencrypted. If you would like the server to continue to have access to old encrypted binary logs, then make sure to keep your key management plugin loaded.
Effects of Encryption on mysqlbinlog
mysqlbinlog does not currently have the ability to decrypt encrypted binary logs on its own (see MDEV-8813 about that). In order to use mysqlbinlog with encrypted binary logs, you have to use the --read-from-remote-server command-line option, so that the server can decrypt the binary logs for mysqlbinlog.