AWS Key Management Encryption Plugin

MariaDB starting with 10.1.13

The AWS Key Management plugin was first added to the MariaDB source code in MariaDB 10.1.13. The plugin was first provided in binary packages with MariaDB 10.2.6.

MariaDB's data-at-rest encryption requires the use of a key management and encryption plugin. These plugins are responsible both for the management of encryption keys and for the actual encryption and decryption of data.

MariaDB supports the use of multiple encryption keys. Each encryption key uses a 32-bit integer as a key identifier. If the specific plugin supports key rotation, then encryption keys can also be rotated, which creates a new version of the encryption key.

The AWS Key Management plugin is a key management and encryption plugin that uses the Amazon Web Services (AWS) Key Management Service (KMS).

Overview

The AWS Key Management plugin uses the Amazon Web Services (AWS) Key Management Service (KMS) to generate AES data keys, which it stores on disk only in encrypted form, wrapped by the Customer Master Key (CMK) that stays inside AWS KMS. When MariaDB Server starts, the plugin unwraps the stored keys with the AWS KMS "Decrypt" API call and keeps the plaintext keys in memory; MariaDB data is then encrypted and decrypted with those AES keys. The plugin supports multiple encryption keys and key rotation. Because the plaintext keys can only be recovered through KMS, the encrypted data becomes unreadable if the CMK is deleted or access to it is revoked, so the CMK's lifecycle is part of the database's backup and recovery plan.

Tutorials

Tutorials related to the AWS Key Management plugin can be found at the following pages:

Preparation

  • Before you use the plugin, create a Customer Master Key (CMK) in AWS KMS, for example from the AWS Console as described in the AWS KMS developer guide.
  • The easiest way to give the plugin access to the key is to create an IAM Role that is allowed to use that key (the plugin only needs to generate data keys under it and decrypt them), and to apply that IAM Role to the EC2 instance where MariaDB Server runs.
  • Make sure that MariaDB Server runs under an AWS identity that has access to the above key. For example, you can store the AWS credentials in an AWS credentials file for the user who runs mysqld. More information about the credentials file can be found in the AWS CLI Getting Started Guide.

Installing the Plugin's Package

The AWS Key Management plugin's shared library is included in MariaDB packages as aws_key_management.so (or aws_key_management.dll on Windows) on systems where it can be built. It is not provided in packages for MariaDB 10.1; it is provided in packages for MariaDB 10.2.6 and later, at least for environments where the plugin is supported.

Installing on Linux

The AWS Key Management plugin is included in binary tarballs on Linux.

Installing with a Package Manager

The AWS Key Management plugin can also be installed via a package manager on Linux. In order to do so, your system needs to be configured to install from one of the MariaDB repositories.

You can configure your package manager to install it from MariaDB Corporation's MariaDB Package Repository by using the MariaDB Package Repository setup script.

You can also configure your package manager to install it from MariaDB Foundation's MariaDB Repository by using the MariaDB Repository Configuration Tool.

Installing with yum/dnf

On RHEL, CentOS, Fedora, and other similar Linux distributions, it is highly recommended to install the relevant RPM package from MariaDB's repository using yum or dnf. Starting with RHEL 8 and Fedora 22, yum has been replaced by dnf, which is the next major version of yum. However, yum commands still work on many systems that use dnf. For example:

sudo yum install MariaDB-aws-key-management

Installing with apt-get

On Debian, Ubuntu, and other similar Linux distributions, it is highly recommended to install the relevant DEB package from MariaDB's repository using apt-get. For example:

sudo apt-get install mariadb-plugin-aws-key-management-10.3

Installing with zypper

On SLES, OpenSUSE, and other similar Linux distributions, it is highly recommended to install the relevant RPM package from MariaDB's repository using zypper. For example:

sudo zypper install MariaDB-aws-key-management

Installing on Windows

The AWS Key Management plugin is included in MSI and ZIP packages on Windows.

Installing from Source

When compiling MariaDB from source, the AWS Key Management plugin is not built by default in MariaDB 10.1, but it is built by default in MariaDB 10.2 and later, on systems that support it.

Compilation is controlled by the -DPLUGIN_AWS_KEY_MANAGEMENT=DYNAMIC -DAWS_SDK_EXTERNAL_PROJECT=1 cmake arguments.

The plugin uses AWS C++ SDK, which introduces the following restrictions:

  • The plugin can only be built on Windows, Linux and macOS.
  • The plugin requires that one of the following compilers is used: gcc 4.8 or later, clang 3.3 or later, Visual Studio 2013 or later.
  • On Unix, the libcurl development package (e.g. libcurl3-dev on Debian Jessie), the uuid development package and OpenSSL need to be installed.
  • You may need to use a newer version of cmake than is provided by default in your OS.

Installing the Plugin

Even after the package that contains the plugin's shared library is installed on the operating system, the plugin is not actually installed by MariaDB by default. There are two methods that can be used to install the plugin with MariaDB.

The first method can be used to install the plugin without restarting the server. You can install the plugin dynamically by executing INSTALL SONAME or INSTALL PLUGIN. For example:

INSTALL SONAME 'aws_key_management';

The second method can be used to tell the server to load the plugin when it starts up. The plugin can be installed this way by providing the --plugin-load or the --plugin-load-add options. This can be specified as a command-line argument to mysqld or it can be specified in a relevant server option group in an option file. For example:

[mariadb]
...
plugin_load_add = aws_key_management

Uninstalling the Plugin

Before you uninstall the plugin, you should ensure that data-at-rest encryption is completely disabled, and that MariaDB no longer needs the plugin to decrypt tables or other files. Once the plugin is gone, the server has no way to unwrap the data keys, so any table or log that is still encrypted is unreadable until the plugin is installed again.

You can uninstall the plugin dynamically by executing UNINSTALL SONAME or UNINSTALL PLUGIN. For example:

UNINSTALL SONAME 'aws_key_management';

If you installed the plugin by providing the --plugin-load or the --plugin-load-add options in a relevant server option group in an option file, then those options should be removed to prevent the plugin from being loaded the next time the server is restarted.

Configuring the AWS Key Management Plugin

To enable the AWS Key Management plugin, you also need to set the plugin's system variables. The aws_key_management_master_key_id system variable is the primary one to set. These system variables can be specified as command-line arguments to mysqld or they can be specified in a relevant server option group in an option file. For example:

[mariadb]
...
aws_key_management_master_key_id=alias/<your key's alias>

Once you've updated the configuration file, restart the MariaDB server to apply the changes and make the key management and encryption plugin available for use.
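Two things have to be right before the plugin will start: the identity MariaDB runs under (the IAM Role from Preparation) must be allowed to call KMS for that one key, and the option file must name the key and a sane set of plugin variables. The following is an added example, not plugin or MariaDB code: it builds the least-privilege policy for the instance role (the two KMS actions the plugin uses, on the single CMK) and lints the plugin settings in an option file, flagging the defaults a practitioner usually wants to override. The policy shape, the lint rules, the example key ARN and the two sample option files are this example's own constructed inputs.

```python
# Added example, not plugin or MariaDB code. Policy shape, lint rules, the
# example ARN and the sample option files below are constructed for it.
import configparser

# The two KMS API calls the plugin makes; the instance role needs nothing else.
PLUGIN_ACTIONS = {"kms:GenerateDataKey", "kms:Decrypt"}
EXAMPLE_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def minimal_policy(key_arn):
    """Least-privilege IAM policy for the MariaDB instance role: two actions, one key."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(PLUGIN_ACTIONS),
                           "Resource": key_arn}]}


def _as_set(value):
    return {value} if isinstance(value, str) else set(value or [])


def policy_findings(policy, key_arn):
    """Findings for Allow statements broader than the plugin needs."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = _as_set(st.get("Action")), _as_set(st.get("Resource"))
        wild = {a for a in actions if a.endswith("*")}
        if wild:
            findings.append(f"statement {i}: wildcard action(s) {sorted(wild)}")
        extra = actions - PLUGIN_ACTIONS - wild
        if extra:
            findings.append(f"statement {i}: actions the plugin never calls: {sorted(extra)}")
        if resources != {key_arn}:
            findings.append(f"statement {i}: not scoped to the single CMK {key_arn}")
    return findings


def option_findings(option_file_text):
    """Lint the plugin's settings in a MariaDB option file (offline, text only)."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, delimiters=("=",))
    cp.read_string(option_file_text)
    opts = {}
    for section in cp.sections():
        for k, v in cp.items(section):  # option names may use '-' or '_'
            opts[k.replace("-", "_")] = None if v is None else v.strip().strip("'\"")
    findings = []
    loads = (opts.get("plugin_load_add") or "") + (opts.get("plugin_load") or "")
    if "aws_key_management" not in loads:
        findings.append("plugin_load_add=aws_key_management missing: plugin not loaded at startup")
    master = opts.get("aws_key_management_master_key_id") or ""
    if not master:
        findings.append("aws_key_management_master_key_id unset: no data keys can be created")
    elif not (master.startswith("alias/") or master.startswith("arn:aws:kms:")):
        findings.append("master key id must be an alias/... name or a key ARN")
    if not opts.get("aws_key_management_region"):
        findings.append("aws_key_management_region unset: SDK default us-east-1 will be used")
    if (opts.get("aws_key_management_key_spec") or "AES_128").upper() != "AES_256":
        findings.append("key_spec is AES_128 (the default); set AES_256 for 256-bit data keys")
    if (opts.get("aws_key_management_log_level") or "Off").lower() in ("debug", "trace"):
        findings.append("log_level Debug/Trace dumps verbose SDK logs into the error log")
    mock = opts.get("aws_key_management_mock", "absent")  # bare flag means ON
    if mock != "absent" and (mock or "ON").upper() in ("ON", "1", "TRUE"):
        findings.append("aws_key_management_mock enabled: KMS calls are faked, keys not protected by the CMK")
    return findings


# Constructed sample option files: the first relies on defaults, the second sets them.
WEAK_OPTIONS = """\
[mariadb]
plugin_load_add = aws_key_management
aws_key_management_master_key_id = alias/mariadb-tde
aws_key_management_log_level = Trace
"""

HARDENED_OPTIONS = f"""\
[mariadb]
plugin_load_add = aws_key_management
aws_key_management_master_key_id = {EXAMPLE_KEY_ARN}
aws_key_management_region = eu-west-1
aws_key_management_key_spec = AES_256
aws_key_management_log_level = Off
"""
```

option_findings(WEAK_OPTIONS) reports the unset region, the AES_128 default and the Trace log level; option_findings(HARDENED_OPTIONS) reports nothing. policy_findings rejects a role that carries kms:* or Resource "*", which is the usual shortcut when the role is created in a hurry.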

Using the AWS Key Management Plugin

Once the AWS Key Management Plugin is enabled, you can use it by creating an encrypted table:

CREATE TABLE t (i int) ENGINE=InnoDB ENCRYPTED=YES;

Now, table t will be encrypted using the data key with ID 1 (the default ENCRYPTION_KEY_ID), which the plugin generates through AWS KMS on first use.

For more information on how to use encryption, see Data at Rest Encryption.

Using Multiple Encryption Keys

The AWS Key Management Plugin supports using multiple encryption keys. Each encryption key is identified by a different 32-bit integer. If a previously unused identifier is used, the plugin automatically generates a new data key for it through KMS.

For InnoDB tables, the key is chosen with the ENCRYPTION_KEY_ID table option (the default is innodb_default_encryption_key_id, which is 1) and can be changed later with ALTER TABLE.

For Aria tables, the key cannot currently be changed: Aria always uses the key with ID 1.

Rotating Keys

The AWS Key Management plugin supports key rotation. A rotation creates a new version of the data key, wrapped with the current master key; the older versions stay available, because InnoDB re-encrypts existing pages with the new version only in the background through its encryption threads (innodb_encryption_threads), and pages not yet rotated still need the version they were written with. To rotate a key, set the aws_key_management_rotate_key system variable. For example, to rotate the key with ID 2:

SET GLOBAL aws_key_management_rotate_key=2;

Or to rotate all keys, set the value to -1:

SET GLOBAL aws_key_management_rotate_key=-1;
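The lifecycle described in the Overview and in the two sections above (keys generated on first use of an ID, versions added by rotation, everything on disk wrapped by the CMK and unwrapped with Decrypt at startup), as an added example that is not the plugin's or MariaDB's code. MockKms stands in for AWS KMS so the block runs offline: it wraps data keys with an HMAC-SHA256 keystream plus an HMAC tag rather than the AES wrapping real KMS performs, and the CMK never leaves it. The aws-kms-key.<id>.<version> file layout and the alias name are this example's own assumptions.

```python
# Added example, not plugin code: MockKms stands in for AWS KMS (HMAC-SHA256 keystream
# plus HMAC tag wrap instead of KMS's real AES wrapping) so this runs offline.
import hashlib
import hmac
import os
import re
import tempfile
from pathlib import Path


class MockKms:
    """Stand-in for AWS KMS: the CMK never leaves this object, as in KMS."""

    def __init__(self):
        self._cmk = {}  # alias -> 32-byte master key

    def create_key(self, alias):
        self._cmk[alias] = os.urandom(32)

    @staticmethod
    def _keystream(master, nonce, n):
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(master, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def generate_data_key(self, master_key_id, key_spec):
        """Like GenerateDataKey: returns (Plaintext, CiphertextBlob)."""
        master = self._cmk[master_key_id]
        plaintext = os.urandom({"AES_128": 16, "AES_256": 32}[key_spec])
        nonce = os.urandom(16)
        body = bytes(a ^ b for a, b in zip(plaintext, self._keystream(master, nonce, len(plaintext))))
        alias = master_key_id.encode()
        tag = hmac.new(master, nonce + body, hashlib.sha256).digest()
        return plaintext, bytes([len(alias)]) + alias + nonce + body + tag

    def decrypt(self, blob):
        """Like Decrypt: the blob names its CMK; fails if that CMK is gone or the blob was altered."""
        alias, rest = blob[1:1 + blob[0]].decode(), blob[1 + blob[0]:]
        nonce, body, tag = rest[:16], rest[16:-32], rest[-32:]
        master = self._cmk[alias]  # KeyError: CMK deleted or inaccessible, data key unrecoverable
        if not hmac.compare_digest(tag, hmac.new(master, nonce + body, hashlib.sha256).digest()):
            raise ValueError("ciphertext blob has been tampered with")
        return bytes(a ^ b for a, b in zip(body, self._keystream(master, nonce, len(body))))


class KeyManagementPlugin:
    """Plaintext data keys in memory only; wrapped blobs on disk, one file per (key id, version)."""
    FILE_RE = re.compile(r"^aws-kms-key\.(\d+)\.(\d+)$")  # file layout assumed for this example

    def __init__(self, datadir, kms, master_key_id, key_spec="AES_256"):
        self.datadir, self.kms = Path(datadir), kms
        self.master_key_id, self.key_spec = master_key_id, key_spec
        self.keys = {}  # (key_id, version) -> plaintext data key, memory only
        for f in self.datadir.iterdir():  # server start: Decrypt every wrapped key on disk
            m = self.FILE_RE.match(f.name)
            if m:
                self.keys[(int(m[1]), int(m[2]))] = kms.decrypt(f.read_bytes())

    def latest_version(self, key_id):
        return max((v for k, v in self.keys if k == key_id), default=0)

    def _new_version(self, key_id, version):
        plaintext, blob = self.kms.generate_data_key(self.master_key_id, self.key_spec)
        (self.datadir / f"aws-kms-key.{key_id}.{version}").write_bytes(blob)  # ciphertext only
        self.keys[(key_id, version)] = plaintext
        return plaintext

    def get_key(self, key_id, version=None):
        """A previously unused key id gets a fresh data key generated automatically."""
        version = self.latest_version(key_id) if version is None else version
        return self._new_version(key_id, 1) if version == 0 else self.keys[(key_id, version)]

    def rotate(self, key_id):
        """rotate_key=<id> (-1 = all): add a version; keep old ones so old pages still decrypt."""
        ids = {key_id} if key_id != -1 else {k for k, _ in self.keys}
        for k in ids:
            self._new_version(k, self.latest_version(k) + 1)


def demo(datadir=None):
    """Generate, rotate, restart, then lose the CMK; returns what each step shows."""
    datadir = datadir or tempfile.mkdtemp()
    kms = MockKms()
    kms.create_key("alias/mariadb-tde")
    first = KeyManagementPlugin(datadir, kms, "alias/mariadb-tde")
    k1v1 = first.get_key(1)  # first use of id 1 creates version 1
    first.rotate(1)  # SET GLOBAL aws_key_management_rotate_key=1
    k1v2 = first.get_key(1)
    restarted = KeyManagementPlugin(datadir, kms, "alias/mariadb-tde")  # reloads via Decrypt
    try:  # same data directory, but a KMS that no longer has the CMK
        KeyManagementPlugin(datadir, MockKms(), "alias/mariadb-tde")
        lost = False
    except KeyError:
        lost = True
    return {
        "versions": sorted(v for k, v in restarted.keys if k == 1),
        "v1_survives_restart": restarted.get_key(1, 1) == k1v1,
        "latest_is_v2": restarted.get_key(1) == k1v2 and k1v2 != k1v1,
        "plaintext_on_disk": any(k1v1 in f.read_bytes() for f in Path(datadir).iterdir()),
        "unrecoverable_without_cmk": lost,
    }
```

demo() shows the two properties the design rests on: no plaintext key is ever written under the data directory, and a restart only works while KMS can still unwrap the blobs. Rotation is additive (versions 1 and 2 are both loaded after the restart), which is why a rotated key can only be dropped once no page still carries the old version.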

Versions

Version  Status        Introduced
1.0      Stable        MariaDB 10.2.6, MariaDB 10.1.24
1.0      Beta          MariaDB 10.1.18
1.0      Experimental  MariaDB 10.1.13

System Variables

aws_key_management_master_key_id

  • Description: AWS KMS Customer Master Key ID (ARN or alias prefixed by alias/) for the master encryption key. Used to create new data keys. If not set, no new data keys will be created.
  • Commandline: --aws-key-management-master-key-id=value
  • Scope: Global
  • Dynamic: No
  • Data Type: string
  • Default Value:

aws_key_management_request_timeout

  • Description: Timeout in milliseconds for creating the HTTPS connection or executing an AWS request. Specify 0 to use the SDK default.
  • Commandline: --aws-key-management-request-timeout=value
  • Scope: Global
  • Dynamic: No
  • Data Type: integer
  • Default Value: 0

aws_key_management_rotate_key

  • Description: Set this variable to a data key ID to rotate that key, which creates a new version of it wrapped with the master key given in aws_key_management_master_key_id. Specify -1 to rotate all keys.
  • Commandline: --aws-key-management-rotate-key=value
  • Scope: Global
  • Dynamic: Yes
  • Data Type: integer
  • Default Value:

aws_key_management_region

  • Description: AWS region name, e.g. us-east-1. If not set, the SDK default (us-east-1) is used, so set it explicitly when the CMK lives in another region.
  • Commandline: --aws-key-management-region=value
  • Scope: Global
  • Dynamic: No
  • Data Type: string
  • Default Value: 'us-east-1'

aws_key_management_key_spec

  • Description: Key spec (AES key size) used when creating new data keys.
  • Commandline: --aws-key-management-key-spec=value
  • Scope: Global
  • Dynamic: No
  • Data Type: enumerated
  • Default Value: AES_128
  • Valid Values: AES_128, AES_256

aws_key_management_log_level

  • Description: Dump log of the AWS SDK to MariaDB error log. Permitted values, in increasing verbosity, are Off (default), Fatal, Error, Warn, Info, Debug, and Trace.
  • Commandline: --aws-key-management-log-level=value
  • Scope: Global
  • Dynamic: No
  • Data Type: enumerated
  • Default Value: Off
  • Valid Values: Off, Fatal, Error, Warn, Info, Debug, Trace

aws_key_management_mock

  • Description: Mock AWS KMS calls (for testing). Must be enabled at compile-time.
  • Commandline: --aws-key-management-mock
  • Scope: Global
  • Dynamic: No
  • Data Type: boolean
  • Default Value: OFF
  • Valid Values: OFF, ON
