MariaDB encryption
MariaDB is an open-source relational database management system. It is a fork of MySQL. By default, MariaDB stores its data unencrypted on disk. This data includes database tables as well as log files.
MariaDB has support for encryption-at-rest. This allows users of MariaDB to encrypt their data before it is written to disk. Using the MariaDB plugin system, key management plugins can provide MariaDB with the encryption keys needed to encrypt and decrypt data on the fly. This ensures that data is only visible in memory, and is written to disk only in encrypted form.
The Securosys encryption plugin for MariaDB is such a plugin. Through this plugin, MariaDB can use encryption keys whose key hierarchy is protected by a key stored in a Securosys HSM. The plugin works with both on-premises Primus HSMs and with CloudHSM.
Benefits
- Encrypt data in MariaDB at rest.
- Encrypt everything, or selectively encrypt individual tables.
- Protect sensitive data: personal information, customer details, financial information, R&D data, and business secrets.
- Securely manage the encryption keys with a Securosys HSM.
- Optionally, protect the keys with Smart Key Attributes (SKA): this enables fine-grained control over who is authorized to decrypt the database tables.
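The "encrypt everything or selectively encrypt individual tables" choice above maps onto two MariaDB mechanisms: the server-wide innodb_encrypt_tables setting and the per-table ENCRYPTED / ENCRYPTION_KEY_ID options. The following SQL is an added example, not code from the Securosys page or from the plugin itself. It assumes a MariaDB server with the InnoDB engine on which a key management plugin is already loaded and already serves key IDs 1 and 2; the hr database and its tables are constructed for the illustration.

```sql
-- Added example (not part of the Securosys documentation or plugin).
-- Assumption: a key management plugin is already loaded and provides
-- key IDs 1 and 2; the plugin's own configuration is not shown here.

-- Option A: encrypt everything. innodb_encrypt_tables is dynamic, so it can
-- be switched at runtime; put the same value in my.cnf so it survives a
-- restart. FORCE goes further and rejects CREATE/ALTER TABLE ... ENCRYPTED=NO.
SET GLOBAL innodb_encrypt_tables = ON;
-- Without background threads, tables that already exist are not rewritten
-- in encrypted form; the default is 0.
SET GLOBAL innodb_encryption_threads = 4;

-- Option B: selective encryption. With innodb_encrypt_tables = OFF, only
-- tables created or altered with ENCRYPTED=YES are encrypted.
CREATE DATABASE IF NOT EXISTS hr;

-- Sensitive table: encrypted with key ID 1.
CREATE TABLE hr.employees (
  id     INT PRIMARY KEY,
  name   VARCHAR(100),
  salary DECIMAL(10,2)
) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=1;

-- Non-sensitive table deliberately left in the clear
-- (this statement fails when innodb_encrypt_tables = FORCE).
CREATE TABLE hr.office_locations (
  id   INT PRIMARY KEY,
  city VARCHAR(100)
) ENGINE=InnoDB ENCRYPTED=NO;

-- Retrofitting an existing table: ALTER TABLE rebuilds the tablespace, so
-- the pages already on disk are rewritten encrypted under key ID 2.
ALTER TABLE hr.office_locations ENCRYPTED=YES ENCRYPTION_KEY_ID=2;

-- Check: which InnoDB tablespaces are actually encrypted, and under which
-- key. ENCRYPTION_SCHEME 1 means encrypted, 0 means not encrypted; compare
-- the result against the list of tables that are supposed to be protected.
SELECT NAME, ENCRYPTION_SCHEME, CURRENT_KEY_ID,
       MIN_KEY_VERSION, CURRENT_KEY_VERSION
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE NAME LIKE 'hr/%';

-- The redo log holds row data too. innodb_encrypt_log is not dynamic: if this
-- shows OFF, set it in my.cnf and restart the server.
SHOW GLOBAL VARIABLES LIKE 'innodb_encrypt_log';
```

The information_schema query is the check worth scheduling: a table whose tablespace is missing from the result, or listed with ENCRYPTION_SCHEME 0, is stored in plaintext regardless of what the application believes. MIN_KEY_VERSION and CURRENT_KEY_VERSION only diverge during key rotation, which the page states this plugin does not support, so with the Securosys plugin they are expected to stay equal.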
Limitations
Please note that encryption-at-rest protects against an attacker who is able to copy the database files from disk. It does not protect against malicious use of the database itself (such as SQL injection) or against an attacker who can take a memory dump.
MariaDB supports multiple storage engines. Only the Aria and InnoDB storage engines support encryption. The Securosys encryption plugin has only been tested with InnoDB.
The Securosys encryption plugin does not support key rotation.
Additionally, please be aware of the limitations of the MariaDB encryption implementation.