4.10 Use MySQL TDE for At-Rest Data Encryption - audit_log_encryption

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Transparent Data Encryption (TDE) at-rest encryption protects your critical data by enabling data-at-rest encryption in the database. It protects the privacy of your information, prevents data breaches and helps meet regulatory requirements.

Rationale:

File system based encryption does a good job of protecting against data theft on devices unable to limit physical access. It does not, however, protect against users who have or gain access to the operating system, backups, over the network copies, etc. Encrypting data from mysqld adds an additional layer of data protection.

Solution

Edit my.cnf:

# AUDIT LOG
sudo vi /etc/my.cnf
[mysqld]
audit-log=FORCE_PLUS_PERMANENT
audit-log-format=JSON
audit-log-encryption=AES

Execute these commands:

#### BINLOG
>set persist binlog_encryption=ON;

##### REDO and UNDO
>set persist innodb_redo_log_encrypt=ON;
>set persist innodb_undo_log_encrypt=ON;

# DO NOT USE GENERAL LOG OR SLOW LOGS - USE AUDIT AND PERFORMANCE_SCHEMA.
>SET PERSIST general_log = 'OFF';

Run ALTER to enable encryption (Note: This will lock the table as table is encrypted).

# TABLESPACES, TABLES
ALTER TABLESPACE <tablespacename> ENCRYPTION = 'Y';
// if innodb file per table (indicated by schemaname/tablename in report)
ALTER TABLE <tablename> ENCRYPTION = 'Y';
#Encrypt the system tablespace
ALTER TABLESPACE mysql ENCRYPTION = 'Y';

Run MySQL Enterprise Backup with encryption.

For example:

$ mysqlbackup --defaults-file=/home/dbadmin/my.cnf --backup-image=/home/admin/backups/my.mbi \
--backup-dir=/home/admin/backup-tmp --encrypt-password backup-to-image

Default Value:

At rest encryption is off by default.

Administrators can force tables or tablespaces to be encrypted for all schemas by default by setting in my.cnf.

default-table-encryption=ON

or Per schema by defining DEFAULT ENCRYPTION:

CREATE {DATABASE | SCHEMA} ...

| DEFAULT ENCRYPTION [=] {'Y' | 'N'}

See Also

https://workbench.cisecurity.org/benchmarks/12903