
MariaDB

Encryption on MariaDB can be enabled using the existing MariaDB Hashicorp Key Management Plugin. This integration stores the generated secret in the Secrets Engine, encrypted with the key you provide. Supported key type / algorithm combinations:

Key Type    Algorithm
RSA         RSA_PADDING_OAEP_WITH_SHA512
            RSA
            RSA_PADDING_OAEP_WITH_SHA224
            RSA_PADDING_OAEP_WITH_SHA256
            RSA_PADDING_OAEP_WITH_SHA1
            RSA_PADDING_OAEP
            RSA_PADDING_OAEP_WITH_SHA384
            RSA_NO_PADDING
AES         AES_GCM
            AES_CTR
            AES_ECB
            AES_CBC_NO_PADDING
            AES
CHACHA20    CHACHA20
            CHACHA20_AEAD
CAMELLIA    CAMELLIA
            CAMELLIA_CBC_NO_PADDING
            CAMELLIA_ECB
TDEA        TDEA_CBC
            TDEA_ECB
            TDEA_CBC_NO_PADDING

All listed algorithms are accepted by the plugin, but they are not equally strong: ECB modes and RSA_NO_PADDING give no integrity protection and leak structure, so an authenticated mode such as AES_GCM (with a tag length and, optionally, additional authentication data) or RSA OAEP with a SHA-2 hash is the sensible choice for wrapping the MariaDB secret.
Note

The plugin supports an asynchronous decrypt operation with an RSA key whose policy has a ruleUse rule configured. Using a key with such a policy stops the decrypt operation until the required approvals have been collected, so a MariaDB key fetch against that secret will block until the approvals arrive.

There are several steps that need to be done before setting up encryption on MariaDB:

  1. Create / register a key in the Secrets Engine.

  2. Generate a new secret and encrypt it using the stored key, either with the Vault CLI:

    $ vault write securosys-hsm/integrations/mariadb/{secret-name} \
        keyName={key-name-from-secret-engine} \
        cipherAlgorithm={cipher-algorithm} \
        [additionalAuthenticationData={additional-authentication-data}] \
        [tagLength={tag-length}] \
        [password={password-for-a-key}]

    or with the HTTP API:

    $ curl --location --request PUT '<server_addr>/v1/securosys-hsm/integrations/mariadb/{secret-name}' \
        --header 'X-Vault-Token: <vault_access_token>' \
        --header 'Content-Type: application/x-www-form-urlencoded' \
        --data-urlencode 'keyName={key-name-from-secret-engine}' \
        --data-urlencode 'cipherAlgorithm={cipher-algorithm}' \
        --data-urlencode 'tagLength={tag-length}' \
        --data-urlencode 'additionalAuthenticationData={additional-authentication-data}' \
        --data-urlencode 'password={password-for-a-key}'
Tip

Every request to this endpoint with the same key name and secret name rotates the secret.

  3. The last step is to add this configuration to my.cnf:
    [mariadb]
    plugin-load-add=hashicorp_key_management.so
    loose-hashicorp-key-management
    loose-hashicorp-key-management-vault-url="{vault_address}/v1/securosys-hsm/integrations/mariadb/{secret_name}/?key_name={key-name}&cipher_algorithm={cipher_algorithm}&tag_length={tag_length}&aad={additional_authentication_data}&password={password}&version="
    loose-hashicorp-key-management-token="{vault_access_token}"
    loose-hashicorp-key-management-check-kv-version="off"
    #max timeout is 86400 seconds
    loose-hashicorp-key-management-timeout=3000
    loose-hashicorp-key-management-retries=0
    loose-hashicorp-key-management-use-cache-on-timeout="on"
    loose-hashicorp-key-management-caching-enabled="on"
    #1 year in milliseconds
    loose-hashicorp-key-management-cache-timeout=31556952000
    #1 year in milliseconds
    loose-hashicorp-key-management-cache-version-timeout=31556952000

    #Example of innodb config
    innodb_encrypt_tables = ON
    innodb_encrypt_temporary_tables = ON
    innodb_encrypt_log = ON
    innodb_encryption_threads = 4
    innodb_encryption_rotate_key_age = 1
Note

The URL in loose-hashicorp-key-management-vault-url must end with &version=. The MariaDB plugin automatically appends the secret version number to the end of the URL, so any other trailing parameter would swallow it.
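As an added example (not code from this page, from Securosys or from the MariaDB plugin): a small Python helper that builds the loose-hashicorp-key-management-vault-url value with every parameter percent-encoded, checks for the trailing &version= the plugin requires, simulates the URL the plugin actually requests once it has appended a version number, and renders the my.cnf fragment above. The Vault address, secret name, key name, token and password used in the demo are made-up values; the mount path securosys-hsm and the 86400-second timeout ceiling are the ones stated on this page.

```python
"""Added example (not part of the Securosys/MariaDB documentation): build and
sanity-check the loose-hashicorp-key-management-vault-url value for the
Securosys secrets-engine MariaDB integration.

Assumptions (not from the page): the Vault address, secret name, key name,
token and password used in the demo are made up; the secrets engine is
mounted at "securosys-hsm" as in the page's example commands.
"""

from urllib.parse import urlencode, urlsplit, parse_qsl, quote

MOUNT = "securosys-hsm"      # mount path used in the page's example commands
MAX_TIMEOUT_SECONDS = 86400  # the page's stated maximum for the plugin timeout


def build_vault_url(vault_address, secret_name, key_name, cipher_algorithm,
                    tag_length=None, aad=None, password=None):
    """Return the value for loose-hashicorp-key-management-vault-url.

    Every value is percent-encoded, so an AAD or key password containing
    '&', '=', '#' or spaces cannot break the query string. The empty
    "version" parameter is placed last because the MariaDB plugin appends
    the secret version number to the end of the URL.
    """
    params = [("key_name", key_name), ("cipher_algorithm", cipher_algorithm)]
    if tag_length is not None:
        params.append(("tag_length", str(tag_length)))
    if aad is not None:
        params.append(("aad", aad))
    if password is not None:
        params.append(("password", password))
    params.append(("version", ""))
    base = f"{vault_address.rstrip('/')}/v1/{MOUNT}/integrations/mariadb/{secret_name}/"
    # quote (not quote_plus) so spaces become %20, which every decoder accepts
    return base + "?" + urlencode(params, quote_via=quote)


def check_vault_url(url):
    """Return a list of problems with a configured URL (empty list means OK)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if f"/v1/{MOUNT}/integrations/mariadb/" not in parts.path:
        problems.append(f"path is not the {MOUNT} MariaDB integration endpoint")
    if not url.endswith("&version="):
        problems.append("URL must end with '&version=' so the plugin can append the version number")
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    for required in ("key_name", "cipher_algorithm"):
        if not query.get(required):
            problems.append(f"missing query parameter {required}")
    return problems


def parse_plugin_request(url, version):
    """Simulate the request MariaDB makes: the configured URL with the secret
    version number appended, decoded the way Vault will read the parameters."""
    full = url + str(version)
    return dict(parse_qsl(urlsplit(full).query, keep_blank_values=True))


def render_my_cnf(url, token, timeout=3000, retries=0):
    """Render the [mariadb] fragment from the page with the given URL and token."""
    if not 0 < timeout <= MAX_TIMEOUT_SECONDS:
        raise ValueError(f"timeout must be between 1 and {MAX_TIMEOUT_SECONDS} seconds")
    for problem in check_vault_url(url):
        raise ValueError(problem)
    one_year_ms = 31556952000  # 1 year in milliseconds, as in the page
    lines = [
        "[mariadb]",
        "plugin-load-add=hashicorp_key_management.so",
        "loose-hashicorp-key-management",
        f'loose-hashicorp-key-management-vault-url="{url}"',
        f'loose-hashicorp-key-management-token="{token}"',
        'loose-hashicorp-key-management-check-kv-version="off"',
        f"loose-hashicorp-key-management-timeout={timeout}",
        f"loose-hashicorp-key-management-retries={retries}",
        'loose-hashicorp-key-management-use-cache-on-timeout="on"',
        'loose-hashicorp-key-management-caching-enabled="on"',
        f"loose-hashicorp-key-management-cache-timeout={one_year_ms}",
        f"loose-hashicorp-key-management-cache-version-timeout={one_year_ms}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed demo values; the password deliberately contains characters
    # that would corrupt an unencoded query string.
    url = build_vault_url("https://vault.example.com:8200", "mariadb-key",
                          "mariadb-aes", "AES_GCM", tag_length=96, aad="db01",
                          password="p&ss=word 1")
    print(url)
    print(check_vault_url(url))
    print(parse_plugin_request(url, 3))
    print(render_my_cnf(url, "hvs.EXAMPLE-TOKEN"))
```

The rendered fragment contains the Vault token and, if you pass one, the key password in clear text, so my.cnf should be readable only by the account MariaDB runs as; the same values also travel in the query string of every key fetch, which is one more reason to restrict that token to the single integration path.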