MariaDB starting with 10.1.13

This plugin was first available (in the source only) from MariaDB 10.1.13.

The AWS Key Management plugin uses the Amazon Web Services (AWS) Key Management Service (KMS) for encryption at rest.

The plugin uses AWS Key management service to generate and store AES keys on disk, in encrypted form. The plugin will decrypt them in memory, using the AWS KMS "Decrypt" API function, and MariaDB data will then be decrypted using AES and plaintext key.

The AWS KMS plugin is included in MariaDB Enterprise packages, on OSs where it can be built, starting with MariaDB Enterprise 10.1.13, and on MSI, ZIP, RPM and tar.gz distributions starting from MariaDB 10.2.5. For more information, consult the Amazon Web Services (AWS) Key Management Service (KMS) Encryption Plugin Setup Guide.

Versions

VersionStatusIntroduced
1.0BetaMariaDB 10.1.18
1.0ExperimentalMariaDB 10.1.13

Preparation

  • Before you use the plugin, you need to create a master key (CMK) for the IAM AWS user. You can create a key using the AWS console as described in the AMS KMS developer guide
  • Make sure that mysql runs under the correct AWS identity that has access to the above key. For example, you can store the AWS credentials in a AWS credentials file for the user who runs mysqld . More information about the credentials file can be found here

Building from source.

The plugin is disabled by default in MariaDB 10.1.

To compile it yourself, pass -DPLUGIN_AWS_KEY_MANAGEMENT=DYNAMIC to the CMake arguments.

The plugin uses AWS C++ SDK, which induces the following restrictions:

  • The plugin can only be built on Windows, Linux or OSX.
  • The plugin requires that one of the following compilers is used: gcc 4.8 or later, clang 3.3 or later, Visual Studio 2013 or later.
  • On Unix, the libcurl development package and openssl need to be installed.

Using the plugin

  • add the following lines to my.ini/my.cnf
plugin-load-add=aws_key_management  # if plugin is built dynamically
aws_key_management_master_key_id=9f5376b2-dc45-4462-9b5e-e03ca369b0f9 #use your own key id here
  • start mysqld
  • create table, with encryption
CREATE TABLE t (i int) engine Innodb encrypted=YES

Now, table t will be encrypted using the data key generated by AWS.

Multiple keys IDs are supported, i.e ENCRYPTION_KEY_ID=<number> can be passed to the CREATE TABLE command.

Plugin variables

aws_key_management_master_key_id

  • Description: AWS KMS Customer Master Key ID (ARN or alias prefixed by alias/) for the master encryption key. Used to create new data keys. If not set, no new data keys will be created.

aws_key_management_rotate_key

  • Description: Set this variable to a data key ID to perform rotation of the key to the master key given in aws_key_management_master_key_id. Specify -1 to rotate all keys.

aws_key_management_region

  • Description: AWS region name, e.g us-east-1 . Default is SDK default, which is us-east-1

aws_key_management_key_spec

  • Description: Encryption algorithm used to create new keys
  • Default Value: AES_128
  • Valid Values: AES_128, AES_256

aws_key_management_log_level

  • Description: Dump log of the AWS SDK to MariaDB error log. Permitted values, in increasing verbosity, are "Off" (default), "Fatal", "Error", "Warn", "Info", "Debug", and "Trace".
  • Default Value: Off
  • Valid Values: Off, Fatal, Warn, Info, Debug and Trace

Comments

Comments loading...
Loading