# Security

- [Securing MariaDB](https://mariadb.com/docs/server/security/securing-mariadb.md): Overview of security best practices for MariaDB, covering privilege separation, mandatory access control (SELinux), and vulnerability tracking.
- [Running MariaDB as root](https://mariadb.com/docs/server/security/securing-mariadb/running-mariadbd-as-root.md): Understand the implications of running MariaDB Server as root. This section highlights security risks and provides guidance on configuring MariaDB Server to operate with less privileged user accounts.
- [MariaDB on SELinux](https://mariadb.com/docs/server/security/securing-mariadb/selinux.md): Secure MariaDB Server with SELinux. This section guides you through configuring SELinux policies to enhance the security posture of your MariaDB deployments on Linux systems.
- [Encryption](https://mariadb.com/docs/server/security/encryption.md): Enhance MariaDB Server security with encryption. This section covers data-at-rest and in-transit encryption, helping you protect sensitive information and meet compliance requirements.
- [TLS and Cryptography Libraries](https://mariadb.com/docs/server/security/encryption/tls-and-cryptography-libraries-used-by-mariadb.md): Explains how MariaDB links to cryptography libraries (OpenSSL, wolfSSL, GnuTLS, Schannel) either statically or dynamically, and how to verify the active library and version.
- [Data-in-Transit Encryption](https://mariadb.com/docs/server/security/encryption/data-in-transit-encryption.md): Secure MariaDB Server data in transit with encryption. This section covers configuring SSL/TLS to protect communication between clients and the database, ensuring confidentiality and integrity.
- [Secure Connections Overview](https://mariadb.com/docs/server/security/encryption/data-in-transit-encryption/secure-connections-overview.md): Conceptual overview of data-in-transit encryption in MariaDB, discussing supported TLS libraries (OpenSSL, wolfSSL), protocol versions (tls\_version), and certificate verification.
- [Securing Connections for Client and Server](https://mariadb.com/docs/server/security/encryption/data-in-transit-encryption/securing-connections-for-client-and-server.md): Complete MariaDB security guide. Complete resource for user management, access control, SSL/TLS encryption, and audit policies with comprehensive examples.
- [Zero-Configuration SSL](https://mariadb.com/docs/server/security/encryption/data-in-transit-encryption/zero-configuration-ssl.md): MariaDB 11.4+ offers Zero-Configuration SSL, enabling automatic, MITM-secure encryption by default using passwords as a shared secret, eliminating the need for manual certificate management.
- [Replication with Secure Connections](https://mariadb.com/docs/server/security/encryption/data-in-transit-encryption/replication-with-secure-connections.md): A guide to securing replication traffic between primary and replica servers, covering the use of CHANGE MASTER TO options (e.g., MASTER\_SSL) and mutual authentication.
- [Enabling TLS on MariaDB Server](https://mariadb.com/docs/server/security/encryption/data-in-transit-encryption/data-in-transit-encryption-enabling-tls-on-mariadb-server.md): Step-by-step instructions for configuring MariaDB Server to use TLS by setting system variables like ssl\_cert, ssl\_key, and ssl\_ca in the configuration file.
- [Certificate Creation with OpenSSL](https://mariadb.com/docs/server/security/encryption/data-in-transit-encryption/certificate-creation-with-openssl.md): Complete OpenSSL TLS certificate guide: generate CA key/cert and server key/CSR, sign X509 with openssl x509 -CA/-CAkey, and verify certificates.
- [SSL/TLS System Variables](https://mariadb.com/docs/server/security/encryption/data-in-transit-encryption/ssltls-system-variables.md): Reference list of system variables related to TLS configuration, such as ssl\_cipher, ssl\_crl, and have\_ssl, used to manage and monitor encryption settings.
- [Using TLSv1.3](https://mariadb.com/docs/server/security/encryption/data-in-transit-encryption/using-tlsv13.md): Information about TLSv1.3 support in MariaDB (available with OpenSSL 1.1.1+), noting that the ssl\_cipher variable does not affect TLSv1.3 cipher suites.
- [Data-at-Rest Encryption](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption.md): Secure MariaDB Server data at rest with encryption. This section details how to protect your sensitive information stored on disk, ensuring data confidentiality and compliance.
- [Data-at-Rest Encryption (TDE) Fundamentals](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/data-at-rest-encryption-tde-fundamentals.md)
- [Managing Binary Log Encryption](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/managing-binary-log-encryption.md)
- [Aria Encryption](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/aria-encryption.md): Learn about Aria encryption in MariaDB Server for data at rest. This section details how to encrypt Aria tablespaces, providing enhanced security for your stored data.
- [Aria: Encryption Overview](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/aria-encryption/aria-encryption-overview.md): Introduction to encrypting Aria tables, covering the necessary system variables (aria\_encrypt\_tables, encrypt\_tmp\_disk\_tables) and how to verify encryption status by inspecting data files.
- [Aria: Enabling Encryption](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/aria-encryption/aria-enabling-encryption.md): Step-by-step guide to enabling encryption for user-created and internal temporary Aria tables, including the requirement to manually rebuild existing tables using ALTER TABLE.
- [Aria: Encryption Keys](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/aria-encryption/aria-encryption-keys.md): Details how Aria manages encryption keys (using ID 1 for user tables and ID 2 for temporary tables) and notes limitations regarding key rotation and per-table key assignment.
- [Aria: Disabling Encryption](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/aria-encryption/aria-disabling-encryption.md): Instructions for safely disabling encryption on Aria tables, emphasizing the need to rebuild tables to an unencrypted state before removing key management plugins.
- [InnoDB Encryption](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/innodb-encryption.md): Learn about InnoDB encryption for data at rest. This section details how to encrypt InnoDB tablespaces, ensuring strong data security and compliance for your mission-critical applications.
- [InnoDB: Encryption Overview](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/innodb-encryption/innodb-encryption-overview.md): Introduction to InnoDB's encryption architecture, explaining how data is encrypted/decrypted during disk I/O, the role of the buffer pool (where data is unencrypted), and how to verify encryption stat
- [InnoDB: Enabling Encryption](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/innodb-encryption/innodb-enabling-encryption.md): Step-by-step guide to enabling encryption for InnoDB, covering the configuration of innodb\_encrypt\_tables for automatic encryption and the use of ENCRYPTED=YES table options for per-table encryption.
- [InnoDB: Encryption Keys](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/innodb-encryption/innodb-encryption-keys.md): How InnoDB manages encryption keys using 32-bit integer IDs, including the default key ID (innodb\_default\_encryption\_key\_id), assigning specific keys to tables, and the process of key rotation.
- [InnoDB: Disabling Encryption](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/innodb-encryption/disabling-innodb-encryption.md): Instructions for safely disabling encryption on InnoDB tables, emphasizing the critical need to decrypt all tablespaces and redo logs using background threads or ALTER TABLE.
- [InnoDB: Background Encryption Threads](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/innodb-encryption/innodb-background-encryption-threads.md): Details the operation of background threads (configured via innodb\_encryption\_threads) which handle key rotation, and the encryption/decryption of tablespaces when global settings.
- [InnoDB: Encryption Troubleshooting](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/innodb-encryption/innodb-encryption-troubleshooting.md): Solutions for common issues such as Error 1005 (Wrong create options) when configuring encryption, and handling cases where encryption key IDs are set for unencrypted tables.
- [Key Management and Encryption Plugins](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins.md): Explore key management and encryption plugins for MariaDB Server. This section details how to manage encryption keys and leverage plugins for robust data-at-rest protection.
- [Encryption Key Management](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/encryption-key-management.md): Overview of key management in MariaDB, discussing the need for plugins to manage encryption keys, support for multiple keys (ID 1 for system, ID 2 for temp), and key rotation capabilities.
- [File Key Management Encryption Plugin](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/file-key-management-encryption-plugin.md): Details the File Key Management plugin, which reads encryption keys from a plain-text (or encrypted) file, serving as a simple solution or reference implementation for data-at-rest encryption.
- [AWS Key Management Encryption Plugin](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/aws-key-management-encryption-plugin.md): Introduction to the AWS Key Management plugin, which uses Amazon KMS to generate and store master keys, decrypting them at startup to enable data-at-rest encryption with key rotation support.
- [Amazon Web Services (AWS) Key Management Service (KMS) Encryption Plugin Advanced Usage](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/aws-key-management-encryption-plugin-advanced-usage.md): Step-by-step tutorial for setting up the AWS KMS plugin, covering the creation of a Customer Master Key (CMK) in AWS, configuring IAM roles for EC2, and installing the plugin from source.
- [Amazon Web Services (AWS) Key Management Service (KMS) Encryption Plugin Setup Guide](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/aws-key-management-encryption-plugin-setup-guide.md): Advanced configuration guide for the AWS KMS plugin, detailing how to secure key access using IAM policies, restrict usage by IP address, and implement Multi-Factor Authentication (MFA).
- [Hashicorp Key Management Plugin](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/hashicorp-key-management-plugin.md): Guide to using the HashiCorp Key Management plugin, which integrates MariaDB with HashiCorp Vault for centralized, secure key storage and lifecycle management.
- [Uninstall Key Management Plugins](https://mariadb.com/docs/server/security/encryption/data-at-rest-encryption/key-management-and-encryption-plugins/uninstall-key-management-plugins.md): Final step of removing key management plugins from the configuration once all data and logs have been confirmed as unencrypted.
- [User Account Management](https://mariadb.com/docs/server/security/user-account-management.md): Master user account management in MariaDB Server. This section covers creating, modifying, and revoking user privileges to ensure secure and controlled access to your databases.
- [Roles](https://mariadb.com/docs/server/security/user-account-management/roles.md): Manage roles in MariaDB Server for streamlined user access control. This section explains how to create, assign, and manage roles to simplify privilege management and enhance security.
- [Roles Overview](https://mariadb.com/docs/server/security/user-account-management/roles/roles_overview.md): Overview of Role-Based Access Control (RBAC) in MariaDB, which simplifies privilege management by allowing permissions to be grouped into roles and assigned to users.
- [System Users, Roles, Privileges](https://mariadb.com/docs/server/security/user-account-management/roles/system-users-roles-and-privileges.md): Details default system users like mariadb.sys and the PUBLIC role, including their creation, purpose, and special management behaviors.
- [Account Locking](https://mariadb.com/docs/server/security/user-account-management/account-locking.md): Explains how to lock and unlock user accounts using CREATE USER and ALTER USER statements to prevent login access without deleting the account.
- [Authentication](https://mariadb.com/docs/server/security/user-account-management/authentication-from-mariadb-10-4.md): Details the authentication changes introduced in MariaDB 10.4, including multiple authentication plugins per user, the mysql.global\_priv table, and the default unix\_socket authentication for root.
- [Incrementing of the access\_denied\_errors Status Variable](https://mariadb.com/docs/server/security/user-account-management/incrementing-of-the-access_denied_errors-status-variable.md): Describes the conditions that trigger the access\_denied\_errors status variable, such as failed logins, invalid privileges, or missing SSL requirements, aiding in security monitoring.
- [User Password Expiry](https://mariadb.com/docs/server/security/user-account-management/user-password-expiry.md): Guide to configuring password expiration policies, including setting global lifetimes via default\_password\_lifetime or per-user limits, and handling expired password connections.
- [Catalogs](https://mariadb.com/docs/server/security/user-account-management/catalogs.md): Introduction to Catalogs, a multi-tenancy feature for isolating database objects and users, planned for future MariaDB releases.
- [Catalogs Overview](https://mariadb.com/docs/server/security/user-account-management/catalogs/catalogs-overview.md)
- [Starting with Catalogs](https://mariadb.com/docs/server/security/user-account-management/catalogs/starting-with-catalogs.md): Guide to initializing a MariaDB server with catalog support using `mariadb-install-db --catalogs` and adding new catalogs to a running instance.
- [Catalog-Specific Functions and Variables](https://mariadb.com/docs/server/security/user-account-management/catalogs/catalog-specific-functions-and-variables.md): Documents the catalog() function, which returns the current catalog name, and the @@catalogs system variable, which indicates if the server is configured for catalogs.
- [Catalog Status Variables](https://mariadb.com/docs/server/security/user-account-management/catalogs/catalog-status-variables.md): Covers status variables related to catalog operations and performance, useful for monitoring multi-tenant environments.
- [Connecting to a Server Configured for Catalogs](https://mariadb.com/docs/server/security/user-account-management/catalogs/connecting-to-a-server-configured-for-catalogs.md): Explains how to connect to a specific catalog using the --catalog client option or the catalog\_name.database\_name syntax.
- [CREATE CATALOG](https://mariadb.com/docs/server/security/user-account-management/catalogs/create-catalog.md): Define external catalogs for data integration. This statement configures connections to remote storage systems, allowing query access to external data sources.
- [SHOW CREATE CATALOG](https://mariadb.com/docs/server/security/user-account-management/catalogs/show-create-catalog.md): Reference for the SHOW CREATE CATALOG statement, which displays the SQL statement used to create a specific catalog.
- [SHOW CATALOGS](https://mariadb.com/docs/server/security/user-account-management/catalogs/show-catalogs.md): Reference for the SHOW CATALOGS statement, which lists all available catalogs on the server.
- [USE CATALOG](https://mariadb.com/docs/server/security/user-account-management/catalogs/use-catalog.md): Reference for the USE CATALOG statement, allowing a user to switch their current session's context to a different catalog.
- [DROP CATALOG](https://mariadb.com/docs/server/security/user-account-management/catalogs/drop-catalog.md): Reference for the DROP CATALOG statement, used to remove a catalog and all its associated databases and users.
- [Authentication with Enterprise Server](https://mariadb.com/docs/server/security/authentication-with-enterprise-server.md): Learn about authentication with MariaDB Enterprise Server. This section covers advanced authentication methods & plugins to enhance security and integrate with enterprise identity management systems.
- [Authentication for MariaDB Enterprise Server](https://mariadb.com/docs/server/security/authentication-with-enterprise-server/authentication-for-mariadb-enterprise-server.md): Overview of user account authentication using plugins like pam or unix\_socket and managing security with password validation plugins.
- [Authentication with gssapi](https://mariadb.com/docs/server/security/authentication-with-enterprise-server/authentication-with-gssapi.md): Instructions for installing and configuring the gssapi plugin to validate user credentials against services like Kerberos or NTLM.
- [Limiting Size of Created Disk Temporary Files and Tables](https://mariadb.com/docs/server/security/limiting-size-of-created-disk-temporary-files-and-tables.md): The ability to limit the size of created disk temporary files and tables was introduced in MariaDB 11.5.
- [Limiting Size of Created Disk Temporary Files and Tables Overview](https://mariadb.com/docs/server/security/limiting-size-of-created-disk-temporary-files-and-tables/limiting-size-of-created-disk-temporary-files-and-tables-overview.md): Overview of the feature introduced in MariaDB 11.5 to limit disk space used by temporary files and internal on-disk temporary tables to prevent disk exhaustion.
- [max\_tmp\_session\_space\_usage System Variable](https://mariadb.com/docs/server/security/limiting-size-of-created-disk-temporary-files-and-tables/max_tmp_session_space_usage-system-variable.md): Documentation for the system variable that restricts the maximum total size of temporary files and tables allowed for an individual user session.
- [max\_tmp\_total\_space\_usage System Variable](https://mariadb.com/docs/server/security/limiting-size-of-created-disk-temporary-files-and-tables/max_tmp_total_space_usage-system-variable.md): Reference for the global system variable that defines the maximum cumulative disk space all user connections can consume for temporary files and tables.
- [Security Vulnerabilities (CVE) Fixed in MariaDB](https://mariadb.com/docs/server/security/cve.md): Lists of Security Vulnerabilities (CVE) fixed in MariaDB products.
- [Security Vulnerabilities (CVE) Fixed in MariaDB Enterprise Server](https://mariadb.com/docs/server/security/cve/enterprise-server.md): This page contains a full list of CVE fixed in all versions and series of MariaDB Enterprise Server.
- [Security Vulnerabilities (CVE) Fixed in MariaDB Community Server](https://mariadb.com/docs/server/security/cve/community-server.md): Full list of CVE fixed in all versions and series of MariaDB Community Server.
- [Security Vulnerabilities (CVE) Fixed in Oracle MySQL That Did Not Exist in MariaDB](https://mariadb.com/docs/server/security/cve/security-vulnerabilities-in-oracle-mysql-that-did-not-exist-in-mariadb.md): Reference list of security vulnerabilities (CVEs) found in Oracle MySQL that do not affect MariaDB, helping administrators distinguish relevant threats.


