MariaDB Security and Encryption at London MySQL Meetup Group

In December 2015, MariaDB Evangelist Colin Charles was asked to present on MariaDB Security and Encryption at the London MySQL Meetup group. This blog is a summary of Colin’s presentation.

A few words about meetup groups

In December 2015, the London MySQL Meetup Group meeting took place at an amazing location: the Yoox Net-a-Porter Group offices at Westfield London Shopping Centre. A brilliant location and a fantastic host: Yoox Net-a-Porter not only sponsored the venue, but also offered great food and drinks (special thanks to them!).

The goal of the London MySQL Meetup Group is to keep up awareness of the MySQL ecosystem, and it’s great to see rooms full of old and new faces at every meeting. Some of the group members work for the three major distribution companies, some are DBAs, some are developers, but the aim is to learn, and to learn from each other’s experiences, and this is really the amazing spirit of the group.

The meetings are normally scheduled every two months, and at the end of every meeting the organiser asks the audience to suggest topics for the upcoming Meetups. It is then up to Ivan Zoratti, the group organiser, to work on these suggestions and ensure that the group has the right speakers presenting and covering the requested topics.

Volunteers are absolutely welcome and anybody who wants to share any kind of MySQL/MariaDB/Percona experience or report results of specific tests or benchmarks can apply and present.

In May 2015, the Meetup’s main topic was the last Percona Live event in Santa Clara. The purpose of the meeting was to share with the community all the news, announcements and also some details of the upcoming releases of MySQL, Percona and MariaDB that had been presented in the Percona Live sessions.

The special guest for the evening was Colin Charles, Chief Evangelist at MariaDB Corporation, who talked about MariaDB 10.1 features in depth. The audience showed great interest in the new features of MariaDB 10.1, and at the end of the meeting many participants requested a future Meetup focused on security and encryption in MariaDB 10.1. That’s why Colin was asked to return as a special guest to cover what MariaDB has developed in terms of security to help enterprises meet their security requirements.

Colin’s presentation on MariaDB 10.1 security and encryption

As requested, this time Colin started the presentation by introducing MariaDB 10.1 encryption and explaining how MariaDB’s approach to database encryption has, since the beginning, focused on tablespace and table-level encryption rather than on encrypting the whole database.

In MariaDB 10.1 GA, tablespace encryption encrypts everything, including the binary logs, temporary tables and the binlog caches (10.1.5).

Colin also explained MariaDB’s commitment to providing the best possible encryption solution for MariaDB users: several months were needed to ensure that the MariaDB encryption solution was properly tested and absolutely reliable, even if this meant some months’ delay in releasing MariaDB 10.1.

He enriched the presentation with practical examples and technical hints – see the slides here on slideshare.

Colin also introduced the key management plugin, an encryption plugin that reads encryption keys from a file, and the key rotation solution that MariaDB has implemented. Another interesting topic discussed was the interaction between encryption and compression (FusionIO or InnoDB compression, for instance): MariaDB compresses first and then encrypts.

Encryption does not come out of the box; it has to be enabled in the configuration file. Unfortunately, at the moment some bits and pieces are still missing: encryption only works with the InnoDB, XtraDB and Aria storage engines. Also, Galera encryption is not fully supported yet, and Xtrabackup, at the moment, does not read encrypted binary logs.
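Because encryption has to be switched on explicitly, a server configuration file can be checked for the options that cover tablespaces, logs, binary logs and temporary files. The script below is an added example, not code from Colin's presentation or from MariaDB; it assumes the MariaDB 10.1 option names listed in `REQUIRED` and the `file_key_management` plugin, and the sample configuration and its paths are constructed.

```python
import configparser

# MariaDB 10.1 server options and the values that count as "enabled".
REQUIRED = {
    "innodb_encrypt_tables": {"on", "1", "force"},
    "innodb_encrypt_log": {"on", "1"},
    "encrypt_binlog": {"on", "1"},
    "encrypt_tmp_files": {"on", "1"},
    "encrypt_tmp_disk_tables": {"on", "1"},
}

# Constructed sample: key plugin loaded, but binlog and temp files left in clear.
SAMPLE_CNF = """
[mysqld]
plugin-load-add = file_key_management
file-key-management-filename = /etc/mysql/encryption/keys.enc
innodb-encrypt-tables = ON
innodb_encrypt_log = ON
encrypt_binlog = OFF
"""

def audit(cnf_text):
    """Return a list of findings for data-at-rest encryption settings."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(cnf_text)
    opts = {}
    # Server option groups; the server accepts '-' and '_' interchangeably.
    for section in ("mysqld", "mariadb", "server"):
        if cp.has_section(section):
            for key, value in cp.items(section):
                opts[key.replace("-", "_").lower()] = (value or "").strip().lower()
    findings = []
    # Without a key management plugin the server has no keys to encrypt with.
    if "file_key_management" not in opts.get("plugin_load_add", ""):
        findings.append("no key management plugin loaded")
    elif not opts.get("file_key_management_filename"):
        findings.append("file_key_management_filename not set")
    for name, enabled_values in REQUIRED.items():
        if opts.get(name) not in enabled_values:
            findings.append(f"{name} is not enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CNF):
        print("FINDING:", finding)
```

The parser does not follow `!include` or `!includedir` directives, so each included file has to be passed to `audit()` separately.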

Colin especially highlighted the security plugins, such as the password validation plugin, the audit plugin and the authentication plugin. The next MariaDB release will probably also include the Kerberos authentication plugin, which is actually already completed and under testing.

Questions came up regarding how to switch encryption on and off, our Java connector, and its interaction with the authentication plugins (the MariaDB Java connector supports both the PAM and Kerberos plugins).

The next meetup will take place at The Lamb, one of the “traditional” places for these Meetups, on the 17th of February; all the details can be found here.
