InnoDB / XtraDB Encryption Overview
MariaDB supports data-at-rest encryption for tables using the InnoDB and XtraDB storage engines. When enabled, the server encrypts data as it writes it to the file system and decrypts it again as it reads it back, so the files on disk never hold plaintext pages.
For encrypting data with the Aria storage engine, see Encrypting Data for Aria.
Basic Configuration
Using data-at-rest encryption requires that you first configure an Encryption Key Management plugin, such as the file_key_management or aws_key_management plugins.
MariaDB uses this plugin to store, retrieve and manage the various keys it uses when encrypting data to and decrypting data from the file system.
Once you have the plugin configured, you need to set a few additional system variables to enable encryption on InnoDB and XtraDB tables, including innodb_encrypt_tables, innodb_encrypt_log, innodb_encryption_threads, and innodb_encryption_rotate_key_age.
[mariadb]
...

# File Key Management
plugin_load_add = file_key_management
file_key_management_filename = /etc/mysql/keys.enc
file_key_management_filekey = FILE:/etc/mysql/.key
file_key_management_encryption_algorithm = aes_cbc

# InnoDB/XtraDB Encryption
innodb_encrypt_tables = ON
innodb_encrypt_log = ON
innodb_encryption_threads = 4
innodb_encryption_rotate_key_age = 1
For more information on system variables for encryption and other features, see the InnoDB system variables page.
Seeing Which Tables are Encrypted
The Information Schema INNODB_TABLESPACES_ENCRYPTION table reports the encryption state of each InnoDB tablespace, including whether it is encrypted (ENCRYPTION_SCHEME), which key it uses (CURRENT_KEY_ID), the oldest key version still present in its pages (MIN_KEY_VERSION), and whether key rotation is in progress (ROTATING_OR_FLUSHING).
For example:
SELECT * FROM information_schema.innodb_tablespaces_encryption\G
*************************** 1. row ***************************
                       SPACE: 9
                        NAME: test/t3
           ENCRYPTION_SCHEME: 1
          KEYSERVER_REQUESTS: 1
             MIN_KEY_VERSION: 1
         CURRENT_KEY_VERSION: 1
    KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
              CURRENT_KEY_ID: 1
        ROTATING_OR_FLUSHING: 0
...
*************************** 3. row ***************************
                       SPACE: 11
                        NAME: test/t5
           ENCRYPTION_SCHEME: 0
          KEYSERVER_REQUESTS: 0
             MIN_KEY_VERSION: 0
         CURRENT_KEY_VERSION: 1
    KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
              CURRENT_KEY_ID: 1
        ROTATING_OR_FLUSHING: 0
*************************** 4. row ***************************
                       SPACE: 12
                        NAME: test/t6
           ENCRYPTION_SCHEME: 1
          KEYSERVER_REQUESTS: 1
             MIN_KEY_VERSION: 1
         CURRENT_KEY_VERSION: 1
    KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
              CURRENT_KEY_ID: 3
        ROTATING_OR_FLUSHING: 0
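The output above shows one tablespace (test/t5) that is still unencrypted even though innodb_encrypt_tables is ON. The following queries, added here as an example and not part of the MariaDB documentation, turn the basic configuration and the INNODB_TABLESPACES_ENCRYPTION table into an audit a DBA can run after enabling encryption: confirm the key-management plugin is loaded, confirm the server variables took effect, list InnoDB tables with no encrypted tablespace, and list tablespaces whose pages still carry an older key version. Only standard MariaDB Information Schema tables and the variables named on this page are used; the schema exclusion list and the join key format (schema/table) are assumptions about a typical file-per-table deployment.

```sql
-- 1. Is the key-management plugin loaded and active?
--    (file_key_management is the plugin used in the configuration example on this page;
--     substitute aws_key_management if that is what you loaded.)
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM information_schema.PLUGINS
WHERE PLUGIN_NAME = 'file_key_management';

-- 2. Did the encryption variables take effect?
--    Expect innodb_encrypt_tables = ON, innodb_encrypt_log = ON, and the thread /
--    rotate_key_age values from the configuration file.
SHOW GLOBAL VARIABLES LIKE 'innodb_encrypt%';
SHOW GLOBAL VARIABLES LIKE 'innodb_encryption_%';

-- 3. InnoDB tables that have no encrypted tablespace.
--    INNODB_TABLESPACES_ENCRYPTION names tablespaces in file-system form
--    ("schema/table"), so the join key is built with CONCAT. A table with no
--    matching row, or a row with ENCRYPTION_SCHEME = 0, is stored in plaintext.
--    The excluded schemas are an assumption; widen or narrow the list as needed.
SELECT t.TABLE_SCHEMA,
       t.TABLE_NAME,
       COALESCE(e.ENCRYPTION_SCHEME, 0) AS encryption_scheme
FROM information_schema.TABLES AS t
LEFT JOIN information_schema.INNODB_TABLESPACES_ENCRYPTION AS e
       ON e.NAME = CONCAT(t.TABLE_SCHEMA, '/', t.TABLE_NAME)
WHERE t.ENGINE = 'InnoDB'
  AND t.TABLE_SCHEMA NOT IN ('information_schema', 'performance_schema', 'mysql')
  AND COALESCE(e.ENCRYPTION_SCHEME, 0) = 0
ORDER BY t.TABLE_SCHEMA, t.TABLE_NAME;

-- 4. Encrypted tablespaces that still hold pages written under an older key
--    version, or that are mid-rotation. After a key rotation these rows should
--    drain to nothing as the innodb_encryption_threads re-encrypt pages.
SELECT NAME,
       CURRENT_KEY_ID,
       MIN_KEY_VERSION,
       CURRENT_KEY_VERSION,
       ROTATING_OR_FLUSHING
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE ENCRYPTION_SCHEME = 1
  AND (MIN_KEY_VERSION < CURRENT_KEY_VERSION OR ROTATING_OR_FLUSHING = 1)
ORDER BY NAME;
```

Two caveats when reading the results. Query 3 relies on each table having its own tablespace (innodb_file_per_table = ON); tables that live in the shared system tablespace are reported under that tablespace's single row rather than by table name, so they will appear in this list even when the system tablespace itself is encrypted. Query 4 is the one to watch after changing a key in the key file: a tablespace whose MIN_KEY_VERSION lags CURRENT_KEY_VERSION still has pages readable with the old key, so the old key must be retained until the row disappears.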