Scribd
Upload
174 views2 pages

MariaDB Data at Rest Encryption

MariaDB data at rest encryption involves 5 steps: 1. Configure MariaDB encryption by adding plugin and encryption settings to the config file. 2. Generate an encryption key file using OpenSSL. 3. Encrypt the key file using OpenSSL for security. 4. Restart MariaDB for the encryption to take effect. 5. Query information_schema tables to find which tables are encrypted.

Uploaded by

Alwin Figarafo
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
174 views2 pages

MariaDB Data at Rest Encryption

MariaDB data at rest encryption involves 5 steps: 1. Configure MariaDB encryption by adding plugin and encryption settings to the config file. 2. Generate an encryption key file using OpenSSL. 3. Encrypt the key file using OpenSSL for security. 4. Restart MariaDB for the encryption to take effect. 5. Query information_schema tables to find which tables are encrypted.

Uploaded by

Alwin Figarafo
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 2

MariaDB Data At Rest Encryption

Step 1 – Configuring MariaDB Encryption


Add these lines to an existing MariaDB config file within the “mysqld” section.
plugin_load_add=file_key_management
file_key_management = ON
file_key_management_encryption_algorithm=aes_cbc
file_key_management_filename = D:\Alwin\mariadb\keyring\mariadb_encryption.key
file_key_management_filekey = Assyst@123
innodb_encrypt_tables = ON
innodb_encrypt_log = ON
aria_encrypt_tables = ON
encrypt_tmp_disk_tables = ON
innodb_encryption_threads = 8

Step 2 - Creating The Encryption Key


In order for MariaDB to encrypt our data using a key, you need to install OpenSSL toolkit for
generating a unique key.
After installing OpenSSL toolkit, we can generate a unique key using the following command.
openssl rand -hex 16 > D:\Alwin\mariadb\keyring\mariadb_encryption.txt
The above command will create a file named mariadb_encryption.txt with key in it. We need to
open this file using a file editor to add an identifier to this key.
Prepend the line with “1;” so it looks like the following:
1;1fa9e9ba1ca4efa507d0d7512aab1bfd
Step 3 – Encrypting The Encryption Key
We need to encrypt the key using OpenSSL toolkit installed in our system. For that just execute
the following command.
openssl enc -aes-256-cbc -md sha1 -in D:\Alwin\mariadb\keyring\mariadb_encryption.txt -
out D:\Alwin\mariadb\keyring\mariadb_encryption.key
You will also need to add your password to the line beginning with
file_key_management_filekey in the config file you added in the “Configuring MariaDB
Encryption” section.
Without this key, the data cannot be read.

Step 4 - Restart MariaDB Service


We need to restart MariaDB service after completing MariaDB configuration for encryption.

Note : It is also better to have the key file and encrypted key file to be placed separately in a
removable device, because MariaDB only needs the key when it starts up. Once the service is
running, the key can be removed from the system.

Step 5 – Find The Encrypted Tables


In order to find the tables that are currently encrypted, we need to execute the following
query.
SELECT st.SPACE, st.NAME, te.ENCRYPTION_SCHEME, te.ROTATING_OR_FLUSHING
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION te
JOIN information_schema.INNODB_SYS_TABLES st
ON te.SPACE = st.SPACE

If the column ENCRYPTION_SCHEME returns a value of 1, it means that the table(s) are
encrypted.

You might also like