4.9 Enable data-at-rest encryption in MariaDB

Information

Data-at-rest encryption protects the confidentiality of stored data when the database files, backups or storage media leave the server's control (stolen or discarded disks, copied backups), limits the impact of such a breach, and helps meet regulatory requirements.

Rationale:

File-system or full-disk encryption does a good job of protecting against data theft where physical access to the device cannot be controlled. It does not, however, protect against users who have or gain access to the running operating system, nor against copies of the data files that leave the host as backups or over the network, because the files are decrypted transparently while the system is up. Encrypting the data inside MariaDB adds a layer that travels with the files: tablespaces, the redo log, binary logs and temporary files are unreadable without the key file, so a copied .ibd file or backup is useless on its own. It does not protect against anyone who can read the key file or query the running server, so the key material must be guarded as carefully as the data it protects.

Solution

MariaDB's data-at-rest encryption requires a key management and encryption plugin; this remediation uses the file_key_management plugin that ships with MariaDB and reads its keys from a file.
Create the key file. Each line is <key id>;<hex-encoded key>; key id 1 is the default ENCRYPTION_KEY_ID, so it must exist, and 32 random bytes give a 256-bit AES key:

$ sudo mkdir -p /etc/mysql/encryption && (echo -n '1;' ; openssl rand -hex 32 ) | sudo tee -a /etc/mysql/encryption/keyfile

Generate a random passphrase that will protect the key file (openssl reads only the first line of this file as the password):

$ sudo openssl rand -hex 128 | sudo tee -a /etc/mysql/encryption/keyfile.key

Encrypt the key file. Keep exactly this cipher and digest: the plugin decrypts a FILE:-protected key file with AES-256-CBC and SHA-1 key derivation, and a key file produced with other settings will not load. Newer OpenSSL releases print a warning about the deprecated key derivation, which is expected here:

$ sudo openssl enc -aes-256-cbc -md sha1 \
-pass file:/etc/mysql/encryption/keyfile.key \
-in /etc/mysql/encryption/keyfile \
-out /etc/mysql/encryption/keyfile.enc

Delete the unencrypted key file (rm only unlinks it; where the file system allows, shred -u overwrites the blocks first):

$ sudo rm /etc/mysql/encryption/keyfile

Set ownership and permissions so that only the mysql user (and root) can read the encrypted key file and its passphrase; the directory itself should not be world-readable either:

$ sudo chown mysql:mysql -R /etc/mysql/encryption
$ sudo chmod 640 /etc/mysql/encryption/keyfile*

Edit mariadb.cnf to resemble the following block, optionally uncommenting file_key_management_encryption_algorithm = AES_CTR:

[mariadb]
...
plugin_load_add = file_key_management
file_key_management_filename = /etc/mysql/encryption/keyfile.enc
file_key_management_filekey = FILE:/etc/mysql/encryption/keyfile.key

# Binary Log Encryption
encrypt_binlog = ON
# Redo Log Encryption
innodb_encrypt_log = ON
# Encrypting Temporary Files
encrypt_tmp_files = ON
# Encrypt Temporary Tables
innodb_encrypt_temporary_tables = ON

# Encrypt all new InnoDB tables automatically (a table can still opt out with ENCRYPTED=NO unless FORCE is used), or leave this OFF and set ENCRYPTED=YES per table.
innodb_encrypt_tables = ON

# Uncomment the line below if utilizing MariaDB built with OpenSSL
# file_key_management_encryption_algorithm = AES_CTR

If needed, see References for information about file_key_management_encryption_algorithm and OpenSSL usage.
Restart MariaDB and watch the error log: if the plugin cannot load or decrypt the key file, the encryption settings above cannot be honored and the server will not start cleanly.

$ sudo systemctl restart mariadb.service

innodb_encrypt_tables = ON applies to tables created from now on. Existing tables are encrypted either by the background encryption threads (innodb_encryption_threads, default 0, must be set greater than 0 for that to happen) or explicitly with ALTER. Run ALTER for each existing table that must be encrypted now, using the key id from the key file (Note: this rebuilds the table and blocks writes to it for the duration).

ALTER TABLE tab1
ENCRYPTED=YES ENCRYPTION_KEY_ID=1;
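A rehearsal of the whole procedure, added here as an example and not taken from the benchmark or from MariaDB: it performs the key-file steps in a throwaway directory instead of /etc/mysql/encryption (so no root is needed), verifies that keyfile.enc decrypts to well-formed keys including key id 1 before the server is ever restarted, and turns the output of a query against information_schema.INNODB_TABLESPACES_ENCRYPTION into the ALTER TABLE statements that remain after innodb_encrypt_tables = ON. The function names, the scratch directory and the sample query rows are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the CIS benchmark or from MariaDB: rehearses the
# key-file steps of the Solution in a scratch directory (never under
# /etc/mysql/encryption, no root needed), proves the encrypted key file can
# be decrypted again before MariaDB is pointed at it, and turns a tablespace
# listing into the ALTER statements still outstanding. Needs openssl, grep -E.
set -eu

# Write <dir>/keyfile.enc and <dir>/keyfile.key the way the Solution does.
# file_key_management expects one "<id>;<hex key>" line per key; key id 1 is
# the default ENCRYPTION_KEY_ID, so it must be present. Prints the key id.
make_keyfile() {
    local dir=$1
    local id=${2:-1}
    mkdir -p "$dir" && chmod 700 "$dir"
    # 32 random bytes = one 256-bit AES key, hex encoded as the plugin needs
    printf '%s;%s\n' "$id" "$(openssl rand -hex 32)" > "$dir/keyfile"
    # passphrase protecting the key file; openssl reads only its first line
    openssl rand -hex 128 > "$dir/keyfile.key"
    # aes-256-cbc with sha1 key derivation is what the plugin uses to read a
    # FILE:-protected key file; newer OpenSSL warns that this KDF is old
    openssl enc -aes-256-cbc -md sha1 -pass "file:$dir/keyfile.key" \
        -in "$dir/keyfile" -out "$dir/keyfile.enc" 2>/dev/null
    rm -f "$dir/keyfile"            # only the encrypted copy stays on disk
    chmod 600 "$dir"/keyfile.*      # the benchmark uses 640 with mysql:mysql
    echo "$id"
}

# Decrypt keyfile.enc with keyfile.key and require every line to be
# "<decimal id>;<32|48|64 hex chars>" (a 128/192/256-bit key) with key id 1
# among them. Prints the ids found; a non-zero status means the plugin could
# not load this key file, which is better learned here than after a restart.
check_keyfile() {
    local dir=$1
    openssl enc -d -aes-256-cbc -md sha1 -pass "file:$dir/keyfile.key" \
        -in "$dir/keyfile.enc" 2>/dev/null |
    {
        ok=1; have1=0; line=
        while IFS= read -r line || [ -n "$line" ]; do
            if printf '%s\n' "$line" |
               grep -Eq '^[0-9]+;([0-9a-fA-F]{32}|[0-9a-fA-F]{48}|[0-9a-fA-F]{64})$'
            then
                id=${line%%;*}
                if [ "$id" = 1 ]; then have1=1; fi
                echo "$id"
            else
                echo "malformed key line: $line" >&2
                ok=0
            fi
        done
        [ "$ok" = 1 ] && [ "$have1" = 1 ]
    }
}

# Post-restart audit. Feed it, on stdin, the tab-separated rows of
#   mysql -N -B -e 'SELECT NAME, ENCRYPTION_SCHEME
#                   FROM information_schema.INNODB_TABLESPACES_ENCRYPTION'
# ENCRYPTION_SCHEME 0 marks a tablespace that is still unencrypted; each such
# db/table becomes an ALTER TABLE with the given key id. Rows whose NAME has
# no slash (the system tablespace) are skipped: ALTER TABLE cannot target
# them, only the background encryption threads can.
pending_alters() {
    local key_id=${1:-1}
    local tab
    tab=$(printf '\t')
    while IFS=$tab read -r name scheme; do
        [ "$scheme" = 0 ] || continue
        case $name in
            */*) printf 'ALTER TABLE `%s`.`%s` ENCRYPTED=YES ENCRYPTION_KEY_ID=%s;\n' \
                     "${name%%/*}" "${name#*/}" "$key_id" ;;
        esac
    done
}

# Constructed rows standing in for real mysql output: one table is already
# encrypted, one row is the system tablespace, two tables still need work.
SAMPLE_ROWS=$(printf 'shop/orders\t1\nshop/legacy_audit\t0\ninnodb_system\t0\nhr/payroll\t0\n')

# Rehearsal in a scratch directory; on a real host the files live under
# /etc/mysql/encryption with the ownership and mode the Solution sets.
scratch=$(mktemp -d)
make_keyfile "$scratch" 1 > /dev/null
echo "key ids loadable from $scratch/keyfile.enc: $(check_keyfile "$scratch" | tr '\n' ' ')"
printf '%s\n' "$SAMPLE_ROWS" | pending_alters 1
rm -rf "$scratch"
```

Running check_keyfile before the restart is the point of the example: with innodb_encrypt_log = ON a key file the plugin cannot read means the server does not come back. For the audit, pipe real rows in with mysql -N -B -e '...' | pending_alters 1 and review the statements before running them, since each rebuilds its table. NAME carries the file-system encoding of the table name, so names with characters outside [0-9a-zA-Z_] need decoding before the generated ALTER is valid.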

Revisit recommendation 3.10 after completing remediation.

Default Value:

Data-at-rest encryption is off by default: no key management plugin is loaded and innodb_encrypt_tables is OFF.

Once innodb_encrypt_tables=ON is set in mariadb.cnf, new InnoDB tables are encrypted automatically.

See Also

https://workbench.cisecurity.org/benchmarks/16527

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|14.8

Plugin: MySQLDB

Control ID: b5370d74a09c245339df369ada640fa4be21aaa8b30da5b4e2d608e6b5c8b35a