2.2.1 Ensure Binary and Relay Logs are Encrypted

Information

The binlog_encryption system variable may be used to configure encryption of the binary and relay logs. This may be configured to ON even if binary logging is not enabled in order to encrypt relay log files.

Rationale:

The database, and thus the binary and relay logs, may contain sensitive information. Encrypting the binary and relay logs protects all data stored in these logs from internal and external threats.

Solution

To remediate misconfiguration, run this command:

SET GLOBAL binlog_encryption=ON;

If you receive the error message below, you need to install keyring. For instructions see Section 6.4.4, 'The MySQL Keyring' in the MySQL documentation.

ERROR 3794 (HY000): Unable to recover binlog encryption master key, please check if keyring plugin is loaded.

Default Value:

The default for binlog_encryption is OFF.

See Also

https://workbench.cisecurity.org/benchmarks/10139

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|14.8

Plugin: MySQLDB

Control ID: 8e82a41a8aa1f796fccf3f936d1f2cab4f1eaa0f81db63516e15ca79555e93a4