17. MariaDB encryption

17.1. Overview

MariaDB encryption support (officially called as "Data-at-Rest") enables innodb files, tables and binlogs data encryption so that if copied over the data is not usable without the master key. All the data accessed or modified by clients is encrypted/decrypted on the fly and transparent for the users. The feature comes with a price of 3% to 5% MariaDB performance loss (depending on the hardware, and CPU in particular).

17.2. Configuration

There are new options in constants.yml

mysql:
  encryption:
        enable: yes
        encrypt_binlog: yes
        key: 1;a356c82422a9031f2e472047ad8220eeea257d611849fbdc9f75b49933f75241
        threads: 4

NOTE: all changes in the configuration section will cause the MariaDB server to restart when ngcpcfg templates are applied.

  • mysql.encryption.enable: Switch encryption on/off. Values: yes,no, Default: yes. When enabled, all tables are being encrypted, it takes from a few seconds to several minutes for MariaDB to encrypt all the data (depending on the overall size) and the encryption procedure is performed in the background, while all the data continutes to be fully accessible. Also all new tables are created encrypted by default and it is not possible to disable encryption for specific tables as the encryption is forced.
  • mysql.encryption.encrypt_binlog: Encrypt binlogs. Values: yes,no, Default: yes. While it is preferred to have this option enabled by default, for scenarios where binlog files need to be parsed, this option can be turned off. It is also possible to use mysqlbinlog with --read-from-remote-server option to read encrypted binlogs.
  • mysql.encryption.key: Encryption key. The value is randomly generated during the cfg-schema upgrade when the option is added into constants.yml. The key is located in /etc/mysql/keyfile and normally MUST NOT be changed. Changing or loosing the key permanently will render all the MariaDB tablesspaces data (databases/tables) unusable.
  • mysql.encryption.threads: Amount of encryption threads. Default: 4 How many MariaDB encryption threads should be running, this value depends on the MariaDB activity and the overall load and can be manually tuned up for better performance.

17.3. What is not encrypted

  • slow-queries log
  • mysqld.err log
  • general queries log, if enabled