Information
Data-at-rest encryption protects the privacy of your information, prevents data breaches and helps meet regulatory requirements.
Rationale:
File-system-based encryption does a good job of protecting against data theft on devices where physical access cannot be limited. It does not, however, protect against users who have or gain access to the operating system, backups, over-the-network copies, etc. Encrypting data from within MariaDB adds an additional layer of data protection.
Solution
MariaDB's data-at-rest encryption requires the use of a key management and encryption plugin.
Create the key file:
$ sudo mkdir -p /etc/mysql/encryption && (echo -n '1;' ; openssl rand -hex 32 ) | sudo tee -a /etc/mysql/encryption/keyfile
Generate a random encryption password:
$ sudo openssl rand -hex 128 | sudo tee -a /etc/mysql/encryption/keyfile.key
Encrypt the key file:
$ sudo openssl enc -aes-256-cbc -md sha1 \
    -pass file:/etc/mysql/encryption/keyfile.key \
    -in /etc/mysql/encryption/keyfile \
    -out /etc/mysql/encryption/keyfile.enc
Delete the unencrypted key file:
$ sudo rm /etc/mysql/encryption/keyfile
Set permissions and ownership on the keyfile and key:
$ sudo chown mysql:mysql -R /etc/mysql/encryption
$ sudo chmod 640 /etc/mysql/encryption/keyfile*
Edit mariadb.cnf to resemble the following block, optionally uncommenting file_key_management_encryption_algorithm = AES_CTR:
[mariadb]
...
plugin_load_add = file_key_management
file_key_management_filename = /etc/mysql/encryption/keyfile.enc
file_key_management_filekey = FILE:/etc/mysql/encryption/keyfile.key
# Binary Log Encryption
encrypt_binlog = ON
# Redo Log Encryption
innodb_encrypt_log = ON
# Encrypting Temporary Files
encrypt_tmp_files = ON
# Encrypt Temporary Tables
innodb_encrypt_temporary_tables = ON
# Encrypt all new InnoDB tables automatically, or leave this off and set ENCRYPTED=YES per table
innodb_encrypt_tables = ON
# Uncomment the line below if utilizing MariaDB built with OpenSSL
# file_key_management_encryption_algorithm = AES_CTR
If needed, see References for information about file_key_management_encryption_algorithm and OpenSSL usage.
Restart MariaDB:
$ sudo systemctl restart mariadb.service
Run ALTER TABLE to enable encryption (Note: the table is locked while it is being encrypted):
ALTER TABLE tab1
ENCRYPTED=YES ENCRYPTION_KEY_ID=1;
Revisit recommendation 3.10 after completing remediation.
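The key-file steps above, collected into a script that also verifies the result before MariaDB is restarted. This is an added example, not part of the benchmark text: the directory is a parameter (so it can be rehearsed outside /etc/mysql/encryption), it uses the same openssl options as the steps above, and it leaves the chown mysql:mysql step to be run afterwards as shown on the page.

```shell
#!/bin/sh
# Added example: build and verify a file_key_management key file.
set -eu

# make_keyfile DIR KEY_ID -> creates DIR/keyfile.enc and DIR/keyfile.key
make_keyfile() {
  dir=$1; key_id=$2
  mkdir -p "$dir"
  umask 077                                  # never world-readable, not even briefly
  # Line format read by the plugin: <key id>;<hex key>; 32 random bytes = AES-256
  printf '%s;%s\n' "$key_id" "$(openssl rand -hex 32)" > "$dir/keyfile"
  openssl rand -hex 128 > "$dir/keyfile.key" # password that protects the key file
  openssl enc -aes-256-cbc -md sha1 \
    -pass "file:$dir/keyfile.key" \
    -in "$dir/keyfile" -out "$dir/keyfile.enc"
  rm "$dir/keyfile"                          # the plaintext copy must not remain
  chmod 640 "$dir"/keyfile*
}

# verify_keyfile DIR -> 0 only if the plaintext is gone and keyfile.enc
# decrypts with keyfile.key to lines of the form <id>;<16|24|32-byte hex key>
verify_keyfile() {
  dir=$1
  if [ -e "$dir/keyfile" ]; then
    echo "plaintext keyfile still present in $dir" >&2; return 1
  fi
  bad=$(openssl enc -d -aes-256-cbc -md sha1 -pass "file:$dir/keyfile.key" \
          -in "$dir/keyfile.enc" \
        | grep -Evc '^[0-9]+;([0-9a-fA-F]{32}|[0-9a-fA-F]{48}|[0-9a-fA-F]{64})$' \
        || true)                             # grep -c exits 1 when count is 0
  if [ "$bad" -ne 0 ]; then
    echo "$bad malformed line(s): keyfile.enc does not decrypt to <id>;<hex key>" >&2
    return 1
  fi
  return 0
}

# Usage for a rehearsal in a scratch directory (constructed path):
#   make_keyfile /tmp/enc-test 1 && verify_keyfile /tmp/enc-test && echo OK
```

A verify failure here means MariaDB would fail to load the plugin at startup, so run it before the restart step.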
Default Value:
At-rest encryption is off by default.
When innodb_encrypt_tables=ON is set in mariadb.cnf, InnoDB tables are automatically encrypted by default.