MariaDB

Encryption on MariaDB can be enabled with MariaDB's existing Hashicorp Key Management plugin.

This integration stores the generated secret in the Secrets Engine, encrypted with the provided key.

Supported key type / algorithm combinations:

Key Type    Algorithms
RSA         RSA_PADDING_OAEP_WITH_SHA512, RSA, RSA_PADDING_OAEP_WITH_SHA224, RSA_PADDING_OAEP_WITH_SHA256, RSA_PADDING_OAEP_WITH_SHA1, RSA_PADDING_OAEP, RSA_PADDING_OAEP_WITH_SHA384, RSA_NO_PADDING
AES         AES_GCM, AES_CTR, AES_ECB, AES_CBC_NO_PADDING, AES
CHACHA20    CHACHA20, CHACHA20_AEAD
CAMELLIA    CAMELLIA, CAMELLIA_CBC_NO_PADDING, CAMELLIA_ECB
TDEA        TDEA_CBC, TDEA_ECB, TDEA_CBC_NO_PADDING
Note
  • The Secrets Engine plugin supports asynchronous decrypt operations for keys of type RSA that carry a policy with a configured ruleUse.
  • Using such a key suspends the decrypt operation until the required approvals have been collected.

The following actions must be performed before setting up encryption on MariaDB:

  1. Create or register a key in the Secrets Engine

  2. Generate a new secret and encrypt it with the stored key

    $ vault write securosys-hsm/integrations/mariadb/{secret-name} \
        keyName={key-name-from-secret-engine} \
        cipherAlgorithm={cipher-algorithm} \
        [additionalAuthenticationData={additional-authentication-data}] \
        [tagLength={tag-length}] \
        [password={password-for-a-key}]

    $ curl --location --request PUT '<server_addr>/v1/securosys-hsm/integrations/mariadb/{secret-name}' \
        --header 'X-Vault-Token: <vault_access_token>' \
        --header 'Content-Type: application/x-www-form-urlencoded' \
        --data-urlencode 'keyName={key-name-from-secret-engine}' \
        --data-urlencode 'cipherAlgorithm={cipher-algorithm}' \
        --data-urlencode 'tagLength={tag-length}' \
        --data-urlencode 'additionalAuthenticationData={additional-authentication-data}' \
        --data-urlencode 'password={password-for-a-key}'
Tip

Every request to this endpoint with the same key name and secret name rotates the secret.

  3. Finally, add the following configuration to my.cnf:
    [mariadb]
    plugin-load-add=hashicorp_key_management.so
    loose-hashicorp-key-management
    loose-hashicorp-key-management-vault-url="{vault_address}/v1/securosys-hsm/integrations/mariadb/{secret_name}/?key_name={key-name}&cipher_algorithm={cipher_algorithm}&tag_length={tag_length}&aad={additional_authentication_data}&password={password}&version="
    loose-hashicorp-key-management-token="{vault_access_token}"
    loose-hashicorp-key-management-check-kv-version="off"
    #max timeout is 86400 seconds
    loose-hashicorp-key-management-timeout=3000
    loose-hashicorp-key-management-retries=0
    loose-hashicorp-key-management-use-cache-on-timeout="on"
    loose-hashicorp-key-management-caching-enabled="on"
    #1 year in milliseconds
    loose-hashicorp-key-management-cache-timeout=31556952000
    #1 year in milliseconds
    loose-hashicorp-key-management-cache-version-timeout=31556952000

    #Example of innodb config
    innodb_encrypt_tables = ON
    innodb_encrypt_temporary_tables = ON
    innodb_encrypt_log = ON
    innodb_encryption_threads = 4
    innodb_encryption_rotate_key_age = 1
Note
  • In loose-hashicorp-key-management-vault-url, the URL must end with &version=.
  • The MariaDB plugin automatically appends the secret's version number to the end of the URL.
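The three steps above, as an added Python example that is not code from the Securosys plugin or from MariaDB: it builds the step-2 rotation request without sending it, renders the step-3 vault-url value with percent-encoded query values, and reviews a configured URL for the &version= requirement. Function names and sample values are constructed; the https check is this example's own precaution, not a requirement stated on the page.

```python
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

# Endpoint path from the page; function and variable names are this example's own.
INTEGRATION_PATH = "/v1/securosys-hsm/integrations/mariadb/"


def rotate_secret_request(vault_addr, token, secret_name, key_name,
                          cipher_algorithm, tag_length=None, aad=None, password=None):
    """Build (not send) the step-2 PUT. Re-issuing it for the same key name and
    secret name rotates the secret, so keep it out of startup scripts."""
    fields = {"keyName": key_name, "cipherAlgorithm": cipher_algorithm}
    if tag_length is not None:
        fields["tagLength"] = str(tag_length)
    if aad is not None:
        fields["additionalAuthenticationData"] = aad
    if password is not None:
        fields["password"] = password
    return Request(vault_addr.rstrip("/") + INTEGRATION_PATH + secret_name,
                   data=urlencode(fields).encode(), method="PUT",
                   headers={"X-Vault-Token": token,
                            "Content-Type": "application/x-www-form-urlencoded"})


def build_vault_url(vault_addr, secret_name, key_name, cipher_algorithm,
                    tag_length="", aad="", password=""):
    """Value for loose-hashicorp-key-management-vault-url (step 3). Values are
    percent-encoded so an AAD or password containing '&', '=' or spaces cannot
    corrupt the query, and the URL ends with '&version=' for the plugin to fill."""
    query = urlencode({"key_name": key_name, "cipher_algorithm": cipher_algorithm,
                       "tag_length": str(tag_length), "aad": aad,
                       "password": password, "version": ""})
    return f"{vault_addr.rstrip('/')}{INTEGRATION_PATH}{secret_name}/?{query}"


def check_vault_url(url):
    """Problems a my.cnf review should flag for this URL ([] when it is fine)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("use an https:// Vault address (token and key password travel with the request)")
    if not parts.path.startswith(INTEGRATION_PATH):
        problems.append("path is not the mariadb integration endpoint")
    if not url.endswith("&version="):
        problems.append("URL must end with &version= (the plugin appends the number)")
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in ("key_name", "cipher_algorithm"):
        if not params.get(name, [""])[0]:
            problems.append(f"missing {name}")
    return problems
```

Run check_vault_url over the value you put in my.cnf before restarting MariaDB; an empty list means the URL matches the shape the plugin expects.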