Aria Encryption Keys
As with other storage engines that support data-at-rest encryption, Aria relies on an Encryption Key Management plugin to handle its encryption keys. Where the plugin supports it, Aria can use multiple keys.
MariaDB keeps track of each encryption key internally using a 32-bit integer, which serves as the key identifier. Unlike InnoDB, Aria does not support the ENCRYPTION_KEY_ID table option, which allows the user to specify the encryption key to use. Instead, Aria defaults to specific encryption keys provided by the Encryption Key Management plugin.
- When working with user-created tables, Aria encrypts them to disk using the ID 1 key.
- When working with internal temporary tables written to disk, Aria encrypts them to disk using the ID 2 key; if there is no ID 2 key, it falls back on the ID 1 key.
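To make the key-selection rule above concrete, here is an added shell example (not from the MariaDB documentation) that writes a File Key Management key file holding key IDs 1 and 2 and reports which ID Aria would use for a user table or an on-disk temporary table. The `id;hex-key` line format and the server variables named in the comments are the `file_key_management` plugin's own; the function names are this example's.

```shell
#!/bin/sh
# Constructed example: build a File Key Management key file containing the
# two key IDs Aria uses by default (1 for user tables, 2 for on-disk temporary
# tables), then work out which key ID a given key file makes Aria use.
# Key file format: one "<id>;<hex key>" per line; 32-byte (AES-256) keys.
# Typical my.cnf wiring for this file (server variables, not this script's):
#   plugin_load_add = file_key_management
#   file_key_management_filename = /etc/mysql/keys.txt
#   aria_encrypt_tables = ON
#   encrypt_tmp_disk_tables = ON
set -eu

# aria_key_file FILE ID...: write a fresh 256-bit random key for each ID.
aria_key_file() {
  out=$1; shift
  : > "$out"
  for id in "$@"; do
    key=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s;%s\n' "$id" "$key" >> "$out"
  done
  chmod 600 "$out"   # the key file is as sensitive as the data it protects
}

# has_key_id FILE ID: succeed if FILE holds a well-formed 32-byte key for ID.
has_key_id() {
  grep -Eq "^$2;[0-9a-fA-F]{64}$" "$1"
}

# aria_key_for FILE KIND: print the key ID Aria would use for KIND
# ("table" = user table, "tmp" = on-disk temporary table).
# Exit 1 if no usable key exists, since Aria has no other key to fall back on.
aria_key_for() {
  file=$1; kind=$2
  case $kind in
    tmp) has_key_id "$file" 2 && { echo 2; return 0; } ;;
  esac
  has_key_id "$file" 1 && { echo 1; return 0; }
  echo "no usable key ID 1 in $file" >&2
  return 1
}
```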
Beyond the plugin itself, InnoDB supports background encryption threads, but Aria currently does not (see MDEV-18971). When the plugin rotates keys, InnoDB automatically re-encrypts pages with the new version of the key. Aria has no similar mechanism, so its tables remain on disk encrypted under the older version of the key.