InnoDB / XtraDB Encryption Overview
MariaDB supports data-at-rest encryption for tables using the InnoDB and XtraDB storage engines. When enabled, the server encrypts data when it writes it to and decrypts data when it reads it from the file system.
For encrypting data with the Aria storage engine, see Encrypting Data for Aria.
Basic Configuration
Using data-at-rest encryption requires that you first configure an Encryption Key Management plugin, such as the file_key_management or aws_key_management plugins.
With the plugin configured to manage your encryption keys, you need to set a few additional system variables to enable encryption on InnoDB and XtraDB tables, including innodb_encrypt_tables, innodb_encrypt_log, innodb_encryption_threads, and innodb_encryption_rotate_key_age.
For more information on system variables for encryption and other features, see the InnoDB system variables page.
[mariadb]
...
# File Key Management
plugin_load_add = file_key_management
file_key_management_filename = /etc/mysql/keys.enc
file_key_management_filekey = FILE:/etc/mysql/.key
file_key_management_encryption_algorithm = aes_cbc

# InnoDB/XtraDB Encryption
innodb_encrypt_tables = ON
innodb_encrypt_log = ON
innodb_encryption_threads = 4
innodb_encryption_rotate_key_age = 1
Seeing Which Tables are Encrypted
The Information Schema INNODB_TABLESPACES_ENCRYPTION table gives encryption information about InnoDB tables, including which tables are encrypted.
For example:
SELECT * FROM information_schema.innodb_tablespaces_encryption\G
*************************** 1. row ***************************
                       SPACE: 9
                        NAME: test/t3
           ENCRYPTION_SCHEME: 1
          KEYSERVER_REQUESTS: 1
             MIN_KEY_VERSION: 1
         CURRENT_KEY_VERSION: 1
    KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
              CURRENT_KEY_ID: 1
        ROTATING_OR_FLUSHING: 0
...
*************************** 3. row ***************************
                       SPACE: 11
                        NAME: test/t5
           ENCRYPTION_SCHEME: 0
          KEYSERVER_REQUESTS: 0
             MIN_KEY_VERSION: 0
         CURRENT_KEY_VERSION: 1
    KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
              CURRENT_KEY_ID: 1
        ROTATING_OR_FLUSHING: 0
*************************** 4. row ***************************
                       SPACE: 12
                        NAME: test/t6
           ENCRYPTION_SCHEME: 1
          KEYSERVER_REQUESTS: 1
             MIN_KEY_VERSION: 1
         CURRENT_KEY_VERSION: 1
    KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
              CURRENT_KEY_ID: 1
        ROTATING_OR_FLUSHING: 0
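The same Information Schema table can be turned into a coverage check rather than a listing. The query below is an added example, not from the MariaDB documentation: it reports every InnoDB tablespace that is still unencrypted (ENCRYPTION_SCHEME = 0) or that still holds pages under an older key version than the current one (MIN_KEY_VERSION < CURRENT_KEY_VERSION), which is what remains to be done before data-at-rest encryption can be considered complete.

```sql
-- Added example (not part of the MariaDB KB page): audit which InnoDB
-- tablespaces are not yet fully encrypted under the current key version.
-- Assumes innodb_encrypt_tables = ON and a key management plugin configured
-- as shown in the [mariadb] section above.
SELECT
    t.SPACE,
    t.NAME,
    CASE
        WHEN t.ENCRYPTION_SCHEME = 0 THEN 'UNENCRYPTED'
        WHEN t.MIN_KEY_VERSION < t.CURRENT_KEY_VERSION THEN 'OLD_KEY_PAGES'
    END                                  AS finding,
    t.CURRENT_KEY_ID,
    t.MIN_KEY_VERSION,
    t.CURRENT_KEY_VERSION,
    t.ROTATING_OR_FLUSHING,              -- 1 while the encryption threads are working on it
    t.KEY_ROTATION_PAGE_NUMBER,          -- progress marker during an in-flight rotation
    t.KEY_ROTATION_MAX_PAGE_NUMBER
FROM information_schema.innodb_tablespaces_encryption AS t
WHERE t.ENCRYPTION_SCHEME = 0
   OR t.MIN_KEY_VERSION < t.CURRENT_KEY_VERSION
ORDER BY finding, t.NAME;

-- Companion check: confirm the server-side settings the audit relies on,
-- so an empty result above is not mistaken for "everything is encrypted"
-- when encryption was simply never switched on.
SELECT
    @@innodb_encrypt_tables          AS encrypt_tables,
    @@innodb_encrypt_log             AS encrypt_log,
    @@innodb_encryption_threads      AS encryption_threads,
    @@innodb_encryption_rotate_key_age AS rotate_key_age;
```

Run against the sample output shown above, the first query returns a single row for test/t5 with finding UNENCRYPTED, while test/t3 and test/t6 are absent because their pages are already at the current key version.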