
Configure MariaDB

In this section, you will create the config files that 1) tell MariaDB to use encryption and 2) tell the Securosys plugin how to reach the HSM and which keys to use.

Configure InnoDB encryption

First, you need to enable encryption in MariaDB and the InnoDB storage engine. Place the following config file into /etc/mysql/mariadb.conf.d/encryption.cnf.

[mariadb]
# General
encrypt_tmp_files = ON

# InnoDB-specific
innodb_encrypt_log = ON
innodb_encrypt_tables = ON
innodb_encrypt_temporary_tables = ON
innodb_encryption_rotate_key_age = 1
innodb_encryption_threads = 4

# When using HA
encrypt_binlog = ON

This example enables all possible options and sets them to recommended values. For a detailed explanation of these options, see the MariaDB general, InnoDB, and HA documentation. Optionally, you can change the innodb_default_encryption_key_id (but the default value of 1 is fine).

Make sure that the permissions are set correctly and are locked down:

CONF=/etc/mysql/mariadb.conf.d/encryption.cnf
sudo chown root ${CONF}
sudo chmod 0644 ${CONF}

Configure the Securosys plugin

Next, configure the Securosys encryption plugin. Place the following config file into /etc/mysql/mariadb.conf.d/securosys.cnf and fill out its values according to your specific setup.

[mariadb]

# Tell MariaDB to load the plugin, identified by the .so name.
plugin_load_add=securosys_key_management

# Base URL of your REST API instance
securosys_key_management_rest_url="https://sbx-rest-api.cloudshsm.com"

# JWT token to authenticate against the REST API
securosys_key_management_token="<JWT token>"

# When using mTLS to access the REST API:
# Path to the p12 file with the client certificate and private key.
securosys_key_management_tls_client_cert=""

# Various key labels
securosys_key_management_root_key_label="mariadb_dbname_root_key"
securosys_key_management_wrapper_key_label="mariadb_dbname_wrapper_key"
securosys_key_management_data_key_label_prefix="mariadb_dbname_data_key_"

Make sure that the permissions are set correctly and are locked down:

CONF=/etc/mysql/mariadb.conf.d/securosys.cnf
sudo chown root ${CONF}
sudo chmod 0644 ${CONF}

Restart MariaDB

Now that everything is configured, restart MariaDB and check that the plugin is loaded successfully.

sudo service mariadb restart

Check its status:

sudo service mariadb status

Check that the plugin was loaded:

sudo -u mysql mariadb --execute "SHOW PLUGINS SONAME LIKE '%key%'"
+--------------------------+---------------+------------+-----------------------------+---------+
| Name                     | Status        | Type       | Library                     | License |
+--------------------------+---------------+------------+-----------------------------+---------+
| securosys_key_management | ACTIVE        | ENCRYPTION | securosys_key_management.so | GPL     |
| file_key_management      | NOT INSTALLED | ENCRYPTION | file_key_management.so      | GPL     |
+--------------------------+---------------+------------+-----------------------------+---------+
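A scriptable version of this post-restart check, added here as an example (it is not part of the Securosys or MariaDB documentation): it confirms the plugin is ACTIVE and additionally queries MariaDB's information_schema.INNODB_TABLESPACES_ENCRYPTION table to list any tablespace that is still unencrypted. The parsing functions take the tab-separated output of `mariadb --batch` as text, so they can be tried offline on the constructed sample output at the bottom; set RUN_LIVE=1 to run them against the local server.

```shell
#!/bin/sh
# Post-restart checks for the Securosys key-management setup (added example).

# Exit 0 if the plugin listing shows securosys_key_management as ACTIVE.
# Input: --batch output of  SHOW PLUGINS SONAME LIKE '%key%'
# (tab-separated columns: Name, Status, Type, Library, License).
plugin_is_active() {
  printf '%s\n' "$1" | awk -F'\t' \
    '$1 == "securosys_key_management" && $2 == "ACTIVE" { found = 1 }
     END { exit found ? 0 : 1 }'
}

# Prints tablespaces that are still unencrypted; exit 1 if there are any.
# Input: --batch output of
#   SELECT NAME, ENCRYPTION_SCHEME FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
# ENCRYPTION_SCHEME is 0 for unencrypted and 1 for encrypted tablespaces.
# Right after enabling innodb_encrypt_tables the background threads are still
# converting existing tablespaces, so re-run until the list is empty.
unencrypted_tablespaces() {
  printf '%s\n' "$1" | awk -F'\t' \
    'NR > 1 && $2 == "0" { print $1; n++ }
     END { exit n ? 1 : 0 }'
}

# Both checks against the local server (needs a running MariaDB).
run_live_checks() {
  plugins=$(sudo -u mysql mariadb --batch --execute \
    "SHOW PLUGINS SONAME LIKE '%key%'") || return 1
  plugin_is_active "$plugins" || { echo "plugin is not ACTIVE"; return 1; }
  spaces=$(sudo -u mysql mariadb --batch --execute \
    "SELECT NAME, ENCRYPTION_SCHEME FROM information_schema.INNODB_TABLESPACES_ENCRYPTION") \
    || return 1
  unencrypted_tablespaces "$spaces" || { echo "unencrypted tablespaces listed above"; return 1; }
  echo "plugin ACTIVE and all tablespaces encrypted"
}

# Constructed sample output (not captured from a real server), for offline use.
SAMPLE_PLUGINS=$(printf 'Name\tStatus\tType\tLibrary\tLicense\nsecurosys_key_management\tACTIVE\tENCRYPTION\tsecurosys_key_management.so\tGPL\nfile_key_management\tNOT INSTALLED\tENCRYPTION\tfile_key_management.so\tGPL')
SAMPLE_SPACES=$(printf 'NAME\tENCRYPTION_SCHEME\ninnodb_system\t1\nshop/orders\t1\nshop/orders_plain\t0')

if [ "${RUN_LIVE:-0}" = "1" ]; then
  run_live_checks
else
  plugin_is_active "$SAMPLE_PLUGINS" && echo "sample: plugin ACTIVE"
  unencrypted_tablespaces "$SAMPLE_SPACES" || echo "sample: unencrypted tablespaces found"
fi
```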

Troubleshooting

If the plugin is not listed or MariaDB fails to start, inspect the logs to see what the problem might be:

journalctl -u mariadb

Conclusion

Congratulations, you have finished the basic setup of the Securosys encryption plugin for MariaDB! Your entire database should now be encrypted with symmetric keys backed by an HSM.
