4.10 Use MySQL TDE for At-Rest Data Encryption

Information

Transparent Data Encryption (TDE) at-rest encryption protects your critical data by enabling data-at-rest encryption in the database. It protects the privacy of your information, prevents data breaches and helps meet regulatory requirements.

Rationale:

File system based encryption does a good job of protecting against data theft on devices unable to limit physical access. It does not, however, protect against users who have or gain access to the operating system, backups, over the network copies, etc. Encrypting data from mysqld adds an additional layer of data protection.

Solution

Edit my.cnf:

# AUDIT LOG
sudo vi /etc/my.cnf
[mysqld]
audit-log=FORCE_PLUS_PERMANENT
audit-log-format=JSON
audit-log-encryption=AES

Execute this command:

# DO NOT USE GENERAL LOG OR SLOW LOGS - USE AUDIT AND PERFORMANCE_SCHEMA.
>SET general_log = 'OFF';

Run ALTER to enable encryption (Note: This will lock the table as table is encrypted).

# TABLES
ALTER TABLE <tablename> ENCRYPTION = 'Y';

Run MySQL Enterprise Backup with encryption.

For example:

$ mysqlbackup --defaults-file=/home/dbadmin/my.cnf --backup-image=/home/admin/backups/my.mbi \
--backup-dir=/home/admin/backup-tmp --encrypt-password backup-to-image

Default Value:

At rest encryption is off by default.

See Also

https://workbench.cisecurity.org/files/3844

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|14.8

Plugin: MySQLDB

Control ID: 8659dddf440d41f84373986fed1c40154847f16475ca81224ac55542c659fe17