InnoDB / XtraDB Encryption Overview

MariaDB supports data-at-rest encryption for tables using the InnoDB and XtraDB storage engines. When enabled, the server encrypts data when it writes it to and decrypts data when it reads it from the file system.

For encrypting data with the Aria storage engine, see Encrypting Data for Aria.

Basic Configuration

Using data-at-rest encryption requires that you first configure an Encryption Key Management plugin, such as the file_key_management or aws_key_management plugins. MariaDB uses this plugin to store, retrieve and manage the various keys it uses when encrypting data to and decrypting data from the file system.

Once you have the plugin configured, you need to set a few additional system variables to enable encryption on InnoDB and XtraDB tables, including innodb_encrypt_tables, innodb_encrypt_logs, innodb_encryption_threads, and innodb_encryption_rotate_key_age.

[mariadb]
...

# File Key Management
plugin_load_add = file_key_management
file_key_management_filename = /etc/mysql/encryption/keyfile.enc
file_key_management_filekey = FILE:/etc/mysql/encryption/keyfile.key
file_key_management_encryption_algorithm = AES_CTR

# InnoDB/XtraDB Encryption
innodb_encrypt_tables = ON
innodb_encrypt_log = ON
innodb_encryption_threads = 4
innodb_encryption_rotate_key_age = 1

For more information on system variables for encryption and other features, see the InnoDB system variables page.

Finding Encrypted Tables

When using data-at-rest encryption with the InnoDB or XtraDB storage engines, it is not necessary that you encrypt every table in your database. You can check which tables use encryption and which do not use encryption, using the Information Schema, by querying the INNODB_TABLESPACES_ENCRYPTION table. This table provides information on which tables are using encryption, the encryption keys in use, rotation and status.

SELECT * FROM information_schema.INNODB_TABLESPACES_ENCRYPTION \G
*************************** 1. row ***************************
                       SPACE: 9
                        NAME: test/t3
           ENCRYPTION_SCHEME: 1
          KEYSERVER_REQUESTS: 1
             MIN_KEY_VERSION: 1
         CURRENT_KEY_VERSION: 1
    KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
              CURRENT_KEY_ID: 1
        ROTATING_OR_FLUSHING: 0
...
*************************** 3. row ***************************
                       SPACE: 11
                        NAME: test/t5
           ENCRYPTION_SCHEME: 0
          KEYSERVER_REQUESTS: 0
             MIN_KEY_VERSION: 0
         CURRENT_KEY_VERSION: 1
    KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
              CURRENT_KEY_ID: 1
        ROTATING_OR_FLUSHING: 0
*************************** 4. row ***************************
                       SPACE: 12
                        NAME: test/t6
           ENCRYPTION_SCHEME: 1
          KEYSERVER_REQUESTS: 1
             MIN_KEY_VERSION: 1
         CURRENT_KEY_VERSION: 1
    KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
              CURRENT_KEY_ID: 3
        ROTATING_OR_FLUSHING: 0

See Also

Comments

Comments loading...