Aria Encryption Keys
As with other storage engines that support data-at-rest encryption, Aria relies on an Encryption Key Management plugin to handle its encryption keys. Where the support is available, Aria can use multiple keys.
MariaDB keeps track of each encryption key internally using a 32-bit integer, which serves as the key identifier. Unlike InnoDB, Aria does not support the ENCRYPTION_KEY_ID table option, which lets the user choose the encryption key for a table (for more information, see MDEV-18049). Instead, Aria defaults to specific encryption keys provided by the Encryption Key Management plugin:
- When working with user-created tables, Aria encrypts them on disk using the key with ID 1.
- When working with internal temporary tables written to disk, Aria encrypts them using the key with ID 2; if there is no key with ID 2, it falls back to the key with ID 1.
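As an added example (not MariaDB's own code), the following Python parses a File Key Management plugin key file in its plain `<id>;<hex key>` format and applies the selection rules above to report which key IDs Aria will use for user tables and for internal temporary tables. The key file contents are constructed for illustration, and the handling of blank and comment lines is an assumption of this parser, not documented plugin behaviour.

```python
import re

# Key sizes the File Key Management plugin accepts, in hex digits
# (128-, 192- and 256-bit AES keys).
VALID_HEX_LENGTHS = {32, 48, 64}
MAX_KEY_ID = 2**32 - 1  # key identifiers are 32-bit integers

# Constructed sample key file with IDs 1 and 2. Real keys must come from a
# CSPRNG (e.g. `openssl rand -hex 32`) and the file must be readable only by
# the database user.
SAMPLE_KEY_FILE = """\
# blank and comment lines are skipped by this parser (assumption)
1;aa11bb22cc33dd44ee55ff660011223344556677889900aabbccddeeff001122
2;00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
"""


def parse_key_file(text):
    """Return {key_id: key_bytes} for a plaintext file_key_management key file."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key_id_str, sep, hex_key = line.partition(";")
        if not sep or not key_id_str.isdigit():
            raise ValueError(f"line {lineno}: expected '<id>;<hex key>'")
        key_id = int(key_id_str)
        if key_id > MAX_KEY_ID:
            raise ValueError(f"line {lineno}: key id {key_id} exceeds 32 bits")
        if len(hex_key) not in VALID_HEX_LENGTHS or not re.fullmatch(r"[0-9a-fA-F]+", hex_key):
            raise ValueError(f"line {lineno}: key must be 32, 48 or 64 hex digits")
        if key_id in keys:
            raise ValueError(f"line {lineno}: duplicate key id {key_id}")
        keys[key_id] = bytes.fromhex(hex_key)
    return keys


def aria_key_ids(keys):
    """Apply Aria's fixed key selection: user tables use ID 1; internal
    temporary tables use ID 2, falling back to ID 1 when ID 2 is absent."""
    if 1 not in keys:
        raise ValueError("key ID 1 is missing: Aria has no key for user tables")
    return {"user_tables": 1, "tmp_tables": 2 if 2 in keys else 1}


if __name__ == "__main__":
    print(aria_key_ids(parse_key_file(SAMPLE_KEY_FILE)))
```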
In addition, while InnoDB supports background encryption threads, Aria currently does not (for more information, see MDEV-18971). When the plugin rotates keys, InnoDB automatically re-encrypts pages with the new version of the key. Aria has no similar mechanism, so its tables remain on disk encrypted under the older version of the key.