Advanced setup
In this section, you will learn about the fine-grained options that MariaDB provides for configuring data encryption, and how to disable encryption again.
Decide what to encrypt and which data keys to use
The example configuration in the previous step showed how to enable encryption in MariaDB to the broadest possible extent. In particular, it enables encryption for all database tables.
MariaDB also offers more fine-grained control over what is encrypted and how. See the MariaDB documentation for how to:
- Selectively turn encryption on for individual tables.
- Set different encryption keys for different tables. Assign an ENCRYPTION_KEY_ID to a table to encrypt the table with that key.
- [Unsupported] Rotate encryption keys. For a fixed key id, MariaDB can rotate the key to a new version. This causes InnoDB to re-encrypt its internal keys that were encrypted with an older version of this data key. Key rotation is currently not supported by the Securosys plugin, but is mentioned here for completeness.
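The following SQL is an added example, not taken from the Securosys plugin documentation, showing per-table encryption with distinct key ids and how to verify the result. It assumes a database named `test`, that `innodb_encrypt_tables` is set to `OFF` in `encryption.cnf` (so only tables marked `ENCRYPTED=YES` are encrypted), that `innodb_encryption_threads` is greater than zero so background re-encryption runs, and that key ids 1 and 2 can be served by the configured key-management plugin; the table and column names are illustrative.

```sql
-- Added example (not part of the plugin documentation).
-- Assumes: database `test`, innodb_encrypt_tables = OFF, innodb_encryption_threads > 0,
-- and that key ids 1 and 2 exist or can be created by the key-management plugin.

-- Table holding sensitive data: encrypted with data key id 2.
CREATE TABLE test.customer_pii (
  id        INT PRIMARY KEY,
  full_name VARCHAR(200),
  email     VARCHAR(200)
) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=2;

-- Reference data that needs no protection: explicitly kept in clear text.
-- (With innodb_encrypt_tables = FORCE this clause would be rejected.)
CREATE TABLE test.country_codes (
  code VARCHAR(2)  PRIMARY KEY,
  name VARCHAR(100)
) ENGINE=InnoDB ENCRYPTED=NO;

-- Move an existing table to another key id; the background encryption
-- threads re-encrypt the tablespace, so the change is not instantaneous.
ALTER TABLE test.customer_pii ENCRYPTION_KEY_ID=1;

-- Verify which tablespaces are encrypted and with which key id.
-- ENCRYPTION_SCHEME: 1 = encrypted, 0 = not encrypted.
-- ROTATING_OR_FLUSHING: 1 while the re-encryption above is still in progress.
SELECT NAME, ENCRYPTION_SCHEME, CURRENT_KEY_ID, ROTATING_OR_FLUSHING
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE NAME IN ('test/customer_pii', 'test/country_codes');
```

Re-run the last query until `ROTATING_OR_FLUSHING` is 0 and `CURRENT_KEY_ID` shows the expected value before relying on the new key; `SHOW CREATE TABLE` also displays the `ENCRYPTED` and `ENCRYPTION_KEY_ID` options of a table.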
Disabling encryption
If you want to disable encryption again, use the following steps:
- Disable encryption in encryption.cnf by setting the relevant options to OFF.
- Restart MariaDB.
- Execute
SET GLOBAL innodb_encrypt_tables = OFF;
  - In our testing, this was needed to trigger the decryption, even if it is already off in the .cnf file.
- Wait for MariaDB to decrypt all tables. To see the progress, execute:
SELECT COUNT(*) AS "Number of Encrypted Tablespaces" FROM information_schema.INNODB_TABLESPACES_ENCRYPTION WHERE ENCRYPTION_SCHEME != 0 OR ROTATING_OR_FLUSHING != 0;
- Remove the securosys.cnf.
- Restart MariaDB.
- Verify that MariaDB is working as expected, and your now-decrypted data is accessible.
- Optionally (and only if you are sure!), remove the keys that the plugin created from your HSM.
These steps ensure that your data is decrypted while MariaDB still has access to the keys. If you remove the keys first, MariaDB will no longer be able to decrypt your data.
For more details, see the MariaDB documentation.
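The following SQL is an added example, not taken from the Securosys plugin documentation, that works through the runtime part of the procedure above as a check-list to run before `securosys.cnf` or any HSM key is removed. It assumes a database named `test`, and the thread count and table name used are illustrative.

```sql
-- Added example (not part of the plugin documentation).
-- Assumes: database `test`; thread count and table name are illustrative.

-- 1. Turn table encryption off at runtime (mirrors the OFF setting in encryption.cnf).
SET GLOBAL innodb_encrypt_tables = OFF;

-- 2. Decryption is done by the background encryption threads; with zero
--    threads nothing is ever decrypted and the count below never drops.
SET GLOBAL innodb_encryption_threads = 4;

-- 3. Tables created with an explicit ENCRYPTED=YES are not affected by the
--    global switch. Find them (CREATE_OPTIONS carries the table options;
--    SHOW CREATE TABLE is the authoritative view) and clear the flag.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
FROM information_schema.TABLES
WHERE CREATE_OPTIONS LIKE '%ENCRYPTED%=YES%';
-- For each such table, e.g.:
ALTER TABLE test.customer_pii ENCRYPTED=NO;

-- 4. Poll until nothing is encrypted or still being rewritten.
--    Only when this returns 0 is it safe to continue with the file-level steps.
SELECT COUNT(*) AS "Number of Encrypted Tablespaces"
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE ENCRYPTION_SCHEME != 0 OR ROTATING_OR_FLUSHING != 0;

-- 5. If the count stays stuck, look at the individual tablespaces:
--    KEY_ROTATION_PAGE_NUMBER / KEY_ROTATION_MAX_PAGE_NUMBER show how far
--    the rewrite of each tablespace has progressed.
SELECT NAME, ENCRYPTION_SCHEME, ROTATING_OR_FLUSHING,
       KEY_ROTATION_PAGE_NUMBER, KEY_ROTATION_MAX_PAGE_NUMBER
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE ENCRYPTION_SCHEME != 0 OR ROTATING_OR_FLUSHING != 0;
```

Step 4 is the gate: a tablespace that still shows `ENCRYPTION_SCHEME = 1` after the plugin and its keys are gone can no longer be read, so the count must reach 0 before `securosys.cnf` is removed and MariaDB is restarted.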