Data at Rest & Data-in-Transit On Mariadb Galera Cluster - 24022022

1) The document describes how to enable encryption for data at rest and in transit on a MariaDB Galera cluster. 2) It involves creating encrypted key files, SSL certificates and configuring the MariaDB configuration files on each node to enable encryption. 3) Once configured, the cluster can be bootstrapped on the first node and the other nodes will automatically join the encrypted cluster.

Uploaded by: Nachu Susee

Data Encryption – Data at Rest & Data-in-Transit on MariaDB Galera Cluster

Refer to "Setting up of Galera cluster environment for MariaDB 10.6.5" (reference 1) to set up a working cluster. Encryption can also be enabled before the cluster is bootstrapped for the first time.

VxRail VM servers used for configuring the Galera cluster:

o galeraclusternode1VM - 172.30.82.8 – (Node 1 - Bootstrap node)
o galeraclusternode2VM - 172.30.82.6 – (Node 2)
o galeraclusternode3VM - 172.30.82.7 – (Node 3)

Step 1: Bringing the cluster down

(Note: take a backup and obtain permission before bringing down the cluster.)

1) Stop MariaDB on each node with systemctl stop mariadb, working through the nodes in descending order (Node 3, then Node 2, then Node 1).

2) Once the DB server is stopped on all 3 nodes, the cluster is effectively down.

Step 2: Creating the encrypted key file for data-at-rest encryption on all 3 nodes

3) Follow the Data-at-Rest encryption documentation (reference 2) and create the encrypted key file. Path: /etc/mariadb/encryption/

4) Change the owner and group of the key files and the directory to mysql.

5) Copy the key files to the other 2 nodes under the same path and repeat the ownership change there.
Step 3: Creating SSL certificates and key files for server and client on all 3 nodes

6) Follow the Data-in-Transit encryption documentation (reference 3) to create the CA certificate and the server and client certificates and key files on the bootstrap node (Node 1). Path: /etc/mariadb/transit/

7) Names used in the Common Name field while creating the SSL certificates:

Galera admin

Galera server

Galera client

8) Change the owner and group of the directory and of the certificates and key files in it.

9) Copy the transit directory to the other 2 nodes and repeat the owner and group change there. Path: /etc/mariadb/transit/

10) All the files needed for enabling encryption are now in place.

Step 4: Configuring the settings in the MariaDB configuration file

11) Copy the following configuration into each node respectively (the three blocks differ only in the log_bin name).

Configuration for Node 1:

[mariadb]
…..
#################### DATABASE ENCRYPTION ####################
# File Key Management Plugin
plugin_load_add = file_key_management
file_key_management_filename = /etc/mariadb/encryption/keyfile.enc
file_key_management_filekey = FILE:/etc/mariadb/encryption/keyfile.key
file_key_management_encryption_algorithm = AES_CTR

# InnoDB Encryption Setup
innodb_encrypt_tables = ON
innodb_encrypt_log = ON
innodb_encrypt_temporary_tables = ON
innodb_encryption_threads = 4
innodb_encryption_rotation_iops = 2000

# Temp & Log Encryption
encrypt_tmp_disk_tables = ON
encrypt_tmp_files = ON
encrypt_binlog = ON
aria_encrypt_tables = ON

# Binary Log settings
master_verify_checksum = ON
log_slave_updates = ON
log_bin = gnode1
binlog_checksum = CRC32

## Securing the Database with ssl option and certificates – Server Configuration ##
## There is no control over the protocol level used. ##
## mariadb will use TLSv1.2 or TLSv1.3. ##
ssl_ca = /etc/mariadb/transit/ca-cert.pem
ssl_cert = /etc/mariadb/transit/server-cert.pem
ssl_key = /etc/mariadb/transit/server-key.pem
require_secure_transport = ON
## TLS version setup – usage depends on the version of the MariaDB server ##
tls_version = TLSv1.2,TLSv1.3

[client-mariadb]
## Securing the Database with ssl option and certificates – Client Configuration ##
ssl_ca = /etc/mariadb/transit/ca-cert.pem
ssl_cert = /etc/mariadb/transit/client-cert.pem
ssl_key = /etc/mariadb/transit/client-key.pem
## TLS version setup – usage depends on the version of the MariaDB server ##
tls_version = TLSv1.2,TLSv1.3

[galera]
……
# Enable replication traffic encryption
wsrep_provider_options = "socket.ssl_key=/etc/mariadb/transit/server-key.pem;socket.ssl_cert=/etc/mariadb/transit/server-cert.pem;socket.ssl_ca=/etc/mariadb/transit/ca-cert.pem"

Configuration for Node 2:

[mariadb]
…..
#################### DATABASE ENCRYPTION ####################
# File Key Management Plugin
plugin_load_add = file_key_management
file_key_management_filename = /etc/mariadb/encryption/keyfile.enc
file_key_management_filekey = FILE:/etc/mariadb/encryption/keyfile.key
file_key_management_encryption_algorithm = AES_CTR

# InnoDB Encryption Setup
innodb_encrypt_tables = ON
innodb_encrypt_log = ON
innodb_encrypt_temporary_tables = ON
innodb_encryption_threads = 4
innodb_encryption_rotation_iops = 2000

# Temp & Log Encryption
encrypt_tmp_disk_tables = ON
encrypt_tmp_files = ON
encrypt_binlog = ON
aria_encrypt_tables = ON

# Binary Log settings
master_verify_checksum = ON
log_slave_updates = ON
log_bin = gnode2
binlog_checksum = CRC32

## Securing the Database with ssl option and certificates – Server Configuration ##
## There is no control over the protocol level used. ##
## mariadb will use TLSv1.2 or TLSv1.3. ##
ssl_ca = /etc/mariadb/transit/ca-cert.pem
ssl_cert = /etc/mariadb/transit/server-cert.pem
ssl_key = /etc/mariadb/transit/server-key.pem
require_secure_transport = ON
## TLS version setup – usage depends on the version of the MariaDB server ##
tls_version = TLSv1.2,TLSv1.3

[client-mariadb]
## Securing the Database with ssl option and certificates – Client Configuration ##
ssl_ca = /etc/mariadb/transit/ca-cert.pem
ssl_cert = /etc/mariadb/transit/client-cert.pem
ssl_key = /etc/mariadb/transit/client-key.pem
## TLS version setup – usage depends on the version of the MariaDB server ##
tls_version = TLSv1.2,TLSv1.3

[galera]
……
# Enable replication traffic encryption
wsrep_provider_options = "socket.ssl_key=/etc/mariadb/transit/server-key.pem;socket.ssl_cert=/etc/mariadb/transit/server-cert.pem;socket.ssl_ca=/etc/mariadb/transit/ca-cert.pem"

Configuration for Node 3:

[mariadb]
…..
#################### DATABASE ENCRYPTION ####################
# File Key Management Plugin
plugin_load_add = file_key_management
file_key_management_filename = /etc/mariadb/encryption/keyfile.enc
file_key_management_filekey = FILE:/etc/mariadb/encryption/keyfile.key
file_key_management_encryption_algorithm = AES_CTR

# InnoDB Encryption Setup
innodb_encrypt_tables = ON
innodb_encrypt_log = ON
innodb_encrypt_temporary_tables = ON
innodb_encryption_threads = 4
innodb_encryption_rotation_iops = 2000

# Temp & Log Encryption
encrypt_tmp_disk_tables = ON
encrypt_tmp_files = ON
encrypt_binlog = ON
aria_encrypt_tables = ON

# Binary Log settings
master_verify_checksum = ON
log_slave_updates = ON
log_bin = gnode3
binlog_checksum = CRC32

## Securing the Database with ssl option and certificates – Server Configuration ##
## There is no control over the protocol level used. ##
## mariadb will use TLSv1.2 or TLSv1.3. ##
ssl_ca = /etc/mariadb/transit/ca-cert.pem
ssl_cert = /etc/mariadb/transit/server-cert.pem
ssl_key = /etc/mariadb/transit/server-key.pem
require_secure_transport = ON
## TLS version setup – usage depends on the version of the MariaDB server ##
tls_version = TLSv1.2,TLSv1.3

[client-mariadb]
## Securing the Database with ssl option and certificates – Client Configuration ##
ssl_ca = /etc/mariadb/transit/ca-cert.pem
ssl_cert = /etc/mariadb/transit/client-cert.pem
ssl_key = /etc/mariadb/transit/client-key.pem
## TLS version setup – usage depends on the version of the MariaDB server ##
tls_version = TLSv1.2,TLSv1.3

[galera]
……
# Enable replication traffic encryption
wsrep_provider_options = "socket.ssl_key=/etc/mariadb/transit/server-key.pem;socket.ssl_cert=/etc/mariadb/transit/server-cert.pem;socket.ssl_ca=/etc/mariadb/transit/ca-cert.pem"
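Because the same block is pasted onto three nodes by hand, a mechanical check of the copied file catches a switch left OFF or a clipped wsrep_provider_options before the node is restarted. The following is an added example, not part of this document or of MariaDB: a small Python audit of the [mariadb] and [galera] settings from Step 4 that reports anything which would leave tablespaces, the binlog, client connections or Galera replication traffic unencrypted. The sample configuration at the bottom is constructed with deliberate gaps.

```python
# Added example (not part of the original document): audit a node's my.cnf for
# the Step 4 settings; each finding is a way data at rest, the binlog or Galera
# replication traffic would stay unencrypted. The sample config is constructed.
REQUIRED_ON = ("innodb_encrypt_tables", "innodb_encrypt_log",
               "innodb_encrypt_temporary_tables", "encrypt_tmp_disk_tables",
               "encrypt_tmp_files", "encrypt_binlog", "aria_encrypt_tables",
               "require_secure_transport")
SSL_FILES = ("ssl_ca", "ssl_cert", "ssl_key")
WSREP_SSL = ("socket.ssl_key", "socket.ssl_cert", "socket.ssl_ca")

def parse_cnf(text):
    """my.cnf text -> {section: {key: value}}, '#' comments and quotes stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key.replace("-", "_")] = value.strip('"')  # my.cnf accepts - or _
    return sections

def audit(text):
    """Return a list of findings; an empty list means the config matches Step 4."""
    cfg = parse_cnf(text)
    srv, galera, found = cfg.get("mariadb", {}), cfg.get("galera", {}), []
    for key in REQUIRED_ON:  # at-rest encryption switches plus the TLS-only gate
        if srv.get(key, "").upper() not in ("ON", "1"):
            found.append(f"[mariadb] {key} is not ON")
    for key in SSL_FILES:  # server certificate material for client TLS
        if key not in srv:
            found.append(f"[mariadb] {key} not set; server TLS cannot be enabled")
    if not srv.get("file_key_management_filekey", "").startswith("FILE:"):
        found.append("[mariadb] file_key_management_filekey is not FILE:<path>; "
                     "keep the key-file key in a separate mysql-only file")
    tls = {v.strip() for v in srv.get("tls_version", "").split(",")} - {""}
    if not tls or tls - {"TLSv1.2", "TLSv1.3"}:
        found.append(f"[mariadb] tls_version should be TLSv1.2,TLSv1.3 (got {','.join(sorted(tls)) or 'unset'})")
    for key in WSREP_SSL:  # Galera replication link
        if key + "=" not in galera.get("wsrep_provider_options", ""):
            found.append(f"[galera] wsrep_provider_options lacks {key}; replication traffic unencrypted")
    return found
# Constructed sample with several Step 4 settings weakened or missing on purpose.
SAMPLE = """[mariadb]
file_key_management_filekey = FILE:/etc/mariadb/encryption/keyfile.key
innodb_encrypt_tables = OFF
tls_version = TLSv1.1,TLSv1.2
[galera]
wsrep_provider_options = "socket.ssl_key=/etc/mariadb/transit/server-key.pem"
"""
```

Run it against the real file with audit(open("/etc/my.cnf.d/server.cnf").read()) (path assumed; use the file the node actually loads) on each node before systemctl start mariadb.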

Step 5: Bootstrap the cluster from Node 1 and add the other nodes

If a new Galera cluster is being configured, start it from Node 1 with the following command:

galera_new_cluster

Check the cluster status from MariaDB with the following query (it reports 1 while only the bootstrap node is up):

SHOW STATUS LIKE 'wsrep_cluster_size';

Check the MariaDB error log for any errors reported while bootstrapping the node.

If an existing cluster was brought down (Step 1), inspect its Galera state file before restarting it:

vi /var/lib/mysql/grastate.dat

Check the value of safe_to_bootstrap. If safe_to_bootstrap=0, set safe_to_bootstrap=1 and then start the cluster with the galera_new_cluster command. Do this only on the node that was stopped last (Node 1 when the shutdown order in Step 1 was followed), since that node holds the most recent state.

Once the cluster is stable, start the MariaDB server on the other 2 nodes using:

systemctl start mariadb

Once the DB server is started, the node joins the cluster automatically. Verify the cluster size with the query above.

Verify the encryption status of the DB server using the commands given in the respective documents (references 2 and 3).

References:
1) Setting up of Galera cluster environment for MariaDB 10.6.5.
2) Data Encryption - Data-at-Rest on MariaDB documentation: creating the encrypted key file and enabling data-at-rest encryption for the DB server.
3) Data Encryption - Data-in-Transit on MariaDB server documentation: creating the CA certificate and the server and client key files and certificates.
4) https://blog.yasithab.com/centos/mariadb-galera-cluster-with-data-at-rest-and-data-in-transit-encryption-on-centos-7/
