There are new options in constants.yml:

    mysql:
      encryption:
        enable: yes
        encrypt_binlog: yes
        key: 1;a356c82422a9031f2e472047ad8220eeea257d611849fbdc9f75b49933f75241
        threads: 1

NOTE: all changes in the configuration section will cause the MariaDB server to restart when ngcpcfg templates are applied.
mysql.encryption.enable
: Switch encryption on/off. Values: yes, no. Default: yes.
When enabled, all tables are encrypted. It takes from a few seconds to several minutes
for MariaDB to encrypt all the data (depending on the overall size). The encryption procedure
is performed in the background, while all the data continues to be fully accessible. All
new tables are also created encrypted by default, and it is not possible to disable encryption
for specific tables because encryption is forced.
mysql.encryption.encrypt_binlog
: Encrypt binlogs. Values: yes, no. Default: yes.
Keeping this option enabled is preferred. For scenarios where binlog files
need to be parsed, it can be turned off. It is also possible to use
mysqlbinlog with the --read-from-remote-server option to read encrypted binlogs.
mysql.encryption.key
: Encryption key. The value is randomly generated
during the cfg-schema upgrade, when the option is added to constants.yml.
The key is located in /etc/mysql/keyfile and normally MUST NOT be changed.
Changing the key or losing it permanently renders all MariaDB
tablespace data (databases/tables) unusable.
mysql.encryption.threads
: Number of encryption threads. Default: 1.
How many MariaDB encryption threads should be running. The right value depends on how
many tables are created or removed and on encryption key rotation.
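
Because a damaged or over-exposed /etc/mysql/keyfile is unrecoverable (see mysql.encryption.key above), the following added example checks the file's layout and permissions without ever printing key material. It is not part of ngcpcfg or the original documentation; it assumes the file uses the `<key id>;<hex key>` layout of the key value shown above (the MariaDB file_key_management format), and the function name check_keyfile is hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check a MariaDB key file without printing key material.
# Assumed layout: one "<key id>;<hex key>" entry per line, key of 128, 192 or
# 256 bits (32/48/64 hex digits); lines starting with '#' are comments.
# Returns 0 = OK, 1 = permissions too wide, 2 = malformed or missing.
check_keyfile() {
    f=$1
    [ -r "$f" ] || { echo "ERROR: $f missing or unreadable"; return 2; }
    rc=0
    # Characters 5-10 of the ls mode string are the group/other bits.
    if [ "$(ls -ld -- "$f" | cut -c5-10)" != "------" ]; then
        echo "WARN: $f is accessible to group/other"
        rc=1
    fi
    n=0
    keys=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;
            *';'*) ;;
            *) echo "ERROR: line $n: missing ';' separator"; rc=2; continue ;;
        esac
        id=${line%%;*}
        key=${line#*;}
        case $id in
            ''|*[!0-9]*) echo "ERROR: line $n: key id is not a number"; rc=2; continue ;;
        esac
        case $key in
            ''|*[!0-9a-fA-F]*) echo "ERROR: line $n: key is not hex"; rc=2; continue ;;
        esac
        case ${#key} in
            32|48|64) keys=$((keys + 1)) ;;
            *) echo "ERROR: line $n: key has ${#key} hex digits"; rc=2 ;;
        esac
    done < "$f"
    [ "$keys" -gt 0 ] || { echo "ERROR: $f contains no valid key"; rc=2; }
    return "$rc"
}

# Demo on a constructed key file (sample value, not a real key).
demo=$(mktemp)
printf '%s\n' '# constructed sample' \
    '1;0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef' > "$demo"
check_keyfile "$demo" && echo "OK: $demo is well-formed"
rm -f "$demo"
```

On a host using the path given above, the call would be `check_keyfile /etc/mysql/keyfile`.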