MariaDB encryption is fully supported for the XtraDB and InnoDB storage engines.

Additionally, encryption is supported for the Aria storage engine, but only for
tables created with ROW_FORMAT=PAGE (the default).

MariaDB allows the user to configure flexibly what to encrypt. In XtraDB or InnoDB,
one can choose to encrypt:
•everything — all tablespaces (with all tables)
•individual tables
•everything, excluding individual tables

Additionally, one can choose to encrypt XtraDB/InnoDB log files (recommended)

Using encryption has an overhead of roughly 3-5%.

To encrypt the key file use the The OpenSSL command line utility. For example:

openssl enc -aes-256-cbc -md sha1 -k secret -in keys.txt -out keys.enc

Key management in MariaDB is provided by encryption plugins. MariaDB includes one

such plugin — file_key_management.

file_key_management plugin

The file_key_management plugin is an encryption plugin that reads encryption keys

from a file. This plugin has the following configuration options:
•file_key_management_filename: Where the file is located. This option is required,
the plugin will not work without it.
•file_key_management_filekey: An optional key to decrypt the key file. If the key
starts with FILE: the rest of the value is interpreted as a path to the file that
contains the key. You will most likely want to use the form FILE:/path/to/filekey
so that the actual filekey cannot be read by anyone via a SHOW command.
Consequently, that file would need the proper permissions so that mysql can read
it, but not unauthorized users.
•file_key_management_encryption_algorithm: the encryption algorithm to use.

Read about each plugin parameter or variable: http://dbversity.com/mariadb-data-

encryption-at-rest/

[mysqld]
file_key_management_filename=/home/mdb/keys.enc
file_key_management_filekey=secret
file_key_management_encryption_algorithm=aes_cbc

Encrypting data

To enable encryption you have to load an encryption plugin, for example a

file_key_management plugin, and configure storage engines to use it. The latter is
storage engine specific:

XtraDB and InnoDB

•Set innodb-encrypt-tables to ON or FORCE.
•Set innodb-encrypt-log to ON.

To fine-tune the encryption, you can use following variables:

Variable Value Description

innodb-encrypt-tables ON, OFF, or FORCE Enable encryption for tables
innodb-encrypt-log Boolean Enable encryption for log files
innodb-encryption-rotate-key-age Positive integer Re-encrypt in background all
pages that were encrypted with a key at least that many versions old
innodb-encryption-rotation-iops Positive integer Use this many Input/Output
operations per second for background key rotation
innodb-encryption-threads Positive integer Number of threads performing background
key rotation and scrubbing

Note, that generally you should not enable only innodb-encrypt-tables while keeping
innodb-encrypt-log disabled.
In this setup log files will contain your data unencrypted.

The opposite case is fine, you may want to enable only innodb-encrypt-log, disable
innodb-encrypt-tables,
and activate encryption per table with the ENCRYPTED=YESoption.

Also it’a good idea to enable encryption for temporary tables

Enable XtraDB encryption:

[mysqld]
plugin-load-add=file_key_management.so
file-key-management
file-key-management-filename=/mount/usb1/keys.txt
innodb-encrypt-tables

Lab work out :

http://dbversity.com/mariadb-data-encryption-at-rest/

go to your data dir

pwd
ll -lhtr

check out an frm file:

strings tera_df_to_text.frm | head

check out ibd file:

xxd tera_df_to_text.ibd | head

strings tera_df_to_text.ibd | head

Generate keys:

openssl enc -aes-256-cbc -P -md sha1

 cat /etc/opt/rh/rh-mariadb101/pki/key.txt

ll -lhtr /opt/rh/rh-mariadb101/root/usr/lib64/mysql/plugin/file_key_management.so

cat /etc/opt/rh/rh-mariadb101/my.cnf

# Data Encryption at Rest

plugin-load = file_key_management.so
file_key_management_encryption_algorithm = aes_cbc
file_key_management_filename = /etc/opt/rh/rh-
mariadb101/pki/key.txt

innodb-encrypt-tables
innodb-encrypt-log
innodb-encryption-threads=4
innodb_file_per_table = ON

restart mysql/mariadb for changes to take effect

root@dbversity.com ~]# service rh-mariadb101-mariadb restart

Stopping rh-mariadb101-mariadb: [ OK ]

Enter PEM pass phrase:

Starting rh-mariadb101-mariadb: [ OK ]

https://mariadb.com/resources/blog/table-and-tablespace-encryption-on-mariadb-10-1/

To encrypt the data in a MariaDB 10.1 database, you can enable data-at-rest
encryption.
MariaDB allows the option to select the most suitable level of the encryption in
MariaDB:
Temporary files,
Aria tables,
InnoDB tablespaces,
InnoDB tables,
InnoDB log files and Binlogs.

Creating Encryption Keys:

There are different methods for creating encryption keys, depending on the
encryption plugin used.

Encryption plugins in MariaDB are needed to use the data-at-rest encryption

feature.

MariaDB currently supports two encryption plugins for real usage:

https://mariadb.com/resources/blog/table-and-tablespace-encryption-on-mariadb-10-1/

◦file_key_management plugin
◦Amazon Web Services (AWS) Key Management Service (KMS) Encryption Plugin:
Encryption plugins are responsible for both key management and for the actual
encryption and decryption of data.

Keys for file_key_management_plugin can be generated using OpenSSL with the

following command:

openssl enc -aes-256-ctr -k mylong2016secret@keyfor35fun -P -md sha1

The key file is a text file containing a key identifier and the hex-encoded key.

InnoDB Specified Table Encryption: Encrypting only a selected number of InnoDB

tables

Specified Table encryption means that the administrator chooses which tables to
encrypt.
This allows you to balance security with speed.
To use table encryption, you have to:

-Load the file-key-management-plugin

-Define the location of key file, and
-Define the AES method used.

MariaDB configuration file:

[mariadb]
plugin-load-add=file_key_management
file_key_management_filename=/mnt/usb/secret.txt
file_key_management_encryption_algorithm=AES_CTR

Can go on a Mount point on another Server==> NB:

file_key_management_filename=/mnt/usb/secret.txt

We recommend that you place the encryption key file on an external storage device
(e.g., a USB drive).
This external storage can be unmounted after the MariaDB server is started and
stored in secure location.

After this, the database developer may select which tables contain sensitive data
for encryption.
Encryption can be enabled for a table when it’s created or using the ALTER TABLE
statement

See examples of how to create an encrypted table: using either a create table or an
alter table statement

https://mariadb.com/resources/blog/table-and-tablespace-encryption-on-mariadb-10-1/

CREATE TABLE table1

(col1 INT NOT NULL PRIMARY KEY, secret CHAR(200))
ENGINE=InnoDB ENCRYPTED=YES;

CREATE TABLE table2

(col1 INT NOT NULL PRIMARY KEY, secret CHAR(200))
ENGINE=InnoDB;

ALTER TABLE table2

ENCRYPTED=YES encryption_key_id=2;

Note that the InnoDB redo-log is not encrypted by default, even when the tables
are.
Consider also using encryption for the redo-log.
InnoDB redo-logs can be encrypted with this one line to the MariaDB configuration
file:

[mariadb]
innodb-encrypt-log

InnoDB Transparent Tablespace Encryption

With tablespace encryption, all InnoDB tables and tablespaces are encrypted
including the system tablespace.
When configurating the server for the type of encryption, we recommended that you
also enable InnoDB redo-log encryption.

Below is an example of the configuration settings required:

[mariadb]
innodb-encrypt-tables
innodb-encrypt-log
innodb-encryption-threads = 4
plugin-load-add=file_key_management
file_key_management_filename=/mnt/usb/secret.txt
file_key_management_encryption_algorithm=AES_CTR
# for monitoring
innodb-tablespaces-encryption

After adding the above setting and restarted the server to implement them,
all existing tables and all new tables will be encrypted—unless specified otherwise
for a particular table.

Despite the configuration, MariaDB does allow encryption to be disabled for tables
that don’t require encryption.

This can be done when the table is created or by altering it later with the ALTER
TABLE statement.

Here’s an example of both scenarios:

CREATE TABLE table3

(col1 INT NOT NULL PRIMARY KEY, notsecret VARCHAR(150))
ENGINE=InnoDB ENCRYPTED=NO;

CREATE TABLE table4

(col1 INT NOT NULL PRIMARY KEY, notsecret VARCHAR(150))
ENGINE=InnoDB;

ALTER TABLE table4 ENCRYPTED=NO;

If you don’t want users to be able to create tables without encryption, you can set
the server to force encryption.
Just add the following line to the MariaDB confirguration file:
innodb-encrypt-tables=FORCE

https://severalnines.com/blog/database-security-fully-ssl-encrypt-mysql-galera-
cluster-clustercontrol
https://severalnines.com/blog/database-security-backup-encryption-transit-rest
https://severalnines.com/blog/how-encrypt-your-mysql-mariadb-backups

Testing ###############################

rpm -qa | grep -i openssl

ls -l /glide/mysql/lib/plugin

cd in data dir: Run the command below and it will prompt for a password

openssl enc -aes-256-cbc -P -md sha1

[root@mafiscotech02 data]# openssl enc -aes-256-cbc -P -md sha1

enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
salt=721C36D6CACD88A6
key=AAE0D574A7E2DF7C1C7A9E3AF06F3A570FF385702A8D5D62F8763E93257B3EF7
iv =A1F24F0309326CE59B7F4758474C8902

Do a better job by reading https://mariadb.com/kb/en/library/encryption-key-

management/

# openssl enc -aes-256-cbc -md sha1 -k your_passwd \

-in /etc/mysql/keys -out /etc/mysql/keys.enc

file_key_management_filename = /etc/mysql/keys.enc
file_key_management_filekey = FILE:/etc/mysql/.key

# openssl enc -aes-256-cbc -md sha1 -k Molafako27## -in /etc/mysql/keys -out

/etc/mysql/keys.enc

[mysqld]
plugin-load-add=file_key_management
innodb-encrypt-tables
innodb-encrypt-log
innodb-encryption-threads = 4
#file_key_management_filename=/mnt/usb/secret.txt
file_key_management_filename=/glide/mysql/data/key.txt
#file_key_management_encryption_algorithm=AES_CTR
file_key_management_encryption_algorithm=aes_cbc

# for monitoring
innodb-tablespaces-encryption

The File Key Management plugin supports two encryption algorithms: AES_CBC and
AES_CTR.
The recommended algorithm is CTR, but CTR is only available when MariaDB is built
with recent versions of OpenSSL.
Encrypting the key:

openssl enc -aes-256-cbc -P -md sha1

# openssl enc -aes-256-cbc -md sha1 -k Molafako27## -in /etc/mysql/key.txt -out

/etc/mysql/keys.enc

[mysqld]
plugin-load-add=file_key_management
innodb-encrypt-tables
innodb-encrypt-log
innodb-encryption-threads = 4
#file_key_management_filename=/mnt/usb/secret.txt
#file_key_management_filename=/glide/mysql/data/key.txt
file_key_management_filename = /etc/mysql/keys.enc
file_key_management_filekey = FILE:/glide/mysql/data/key.txt

#file_key_management_encryption_algorithm=AES_CTR
file_key_management_encryption_algorithm=aes_cbc

# for monitoring
innodb-tablespaces-encryption

Test That Worked:

#########################################################################

openssl enc -aes-256-cbc -P -md sha1

innodb-encrypt-tables
innodb-encrypt-log
innodb-encryption-threads = 4
plugin-load-add=file_key_management
file_key_management_filename=/glide/mysql/data/key.txt
file_key_management_encryption_algorithm=aes_cbc
# for monitoring
innodb-tablespaces-encryption

[root@mafiscotech02 data]# openssl enc -aes-256-cbc -P -md sha1

enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
salt=DC579B12D4694786
key=8D96C9337136FA7A4F2DEE7CE2F13A45669DF4781ADD1C315E839038D53AEA20
iv =47C3075BA2C137A665BF2E25BD963D9E
[root@mafiscotech02 data]# vi key.txt
[root@mafiscotech02 data]# ll
total 178248
-rw-rw----. 1 mysql mysql 16384 Dec 6 17:57 aria_log.00000001
-rw-rw----. 1 mysql mysql 52 Dec 6 17:57 aria_log_control
-rw-rw----. 1 mysql mysql 77594624 Dec 6 18:05 ibdata1
-rw-rw----. 1 mysql mysql 52428800 Dec 6 18:05 ib_logfile0
-rw-rw----. 1 mysql mysql 52428800 Dec 4 14:18 ib_logfile1
-rw-r--r--. 1 mysql mysql 100 Dec 6 18:20 key.txt
-rw-rw----. 1 mysql mysql 6 Dec 6 18:05 mafiscotech02.localdomain.pid
-rw-rw----. 1 mysql mysql 0 Dec 4 14:26 multi-master.info
drwx------. 2 mysql mysql 4096 Dec 4 14:18 mysql
-rw-rw----. 1 mysql mysql 12945 Dec 6 18:05 mysqld.log
drwx------. 2 mysql mysql 20 Dec 4 14:18 performance_schema
-rw-rw----. 1 mysql mysql 24576 Dec 6 18:05 tc.log
drwx------. 2 mysql mysql 6 Dec 4 14:18 test
[root@mafiscotech02 data]# pwd
/glide/mysql/data
[root@mafiscotech02 data]# vi /etc/my.cnf

cat key.txt

1;47C3075BA2C137A665BF2E25BD963D9E;8D96C9337136FA7A4F2DEE7CE2F13A45669DF4781ADD1C31
5E839038D53AEA20

[root@mafiscotech02 data]# /etc/init.d/mysql restart

Restarting mysql (via systemctl): [ OK ]
[root@mafiscotech02 data]# mysql -u root
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.1.37-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show plugins;

+-------------------------------+----------+--------------------
+------------------------+---------+
| Name | Status | Type | Library
| License |
+-------------------------------+----------+--------------------
+------------------------+---------+
| binlog | ACTIVE | STORAGE ENGINE | NULL
| GPL |
| mysql_native_password | ACTIVE | AUTHENTICATION | NULL
| GPL |
| mysql_old_password | ACTIVE | AUTHENTICATION | NULL
| GPL |
| wsrep | ACTIVE | STORAGE ENGINE | NULL
| GPL |
| MRG_MyISAM | ACTIVE | STORAGE ENGINE | NULL
| GPL |
| MEMORY | ACTIVE | STORAGE ENGINE | NULL
| GPL |
| CSV | ACTIVE | STORAGE ENGINE | NULL
| GPL |
| MyISAM | ACTIVE | STORAGE ENGINE | NULL
| GPL |
| CLIENT_STATISTICS | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INDEX_STATISTICS | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| TABLE_STATISTICS | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| USER_STATISTICS | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| PERFORMANCE_SCHEMA | ACTIVE | STORAGE ENGINE | NULL
| GPL |
| Aria | ACTIVE | STORAGE ENGINE | NULL
| GPL |
| InnoDB | ACTIVE | STORAGE ENGINE | NULL
| GPL |
| XTRADB_READ_VIEW | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| XTRADB_INTERNAL_HASH_TABLES | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| XTRADB_RSEG | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_TRX | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_LOCKS | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_LOCK_WAITS | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_CMP | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_CMP_RESET | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_CMPMEM | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_CMPMEM_RESET | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_CMP_PER_INDEX | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_CMP_PER_INDEX_RESET | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_BUFFER_PAGE | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_BUFFER_PAGE_LRU | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_BUFFER_POOL_STATS | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_METRICS | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_FT_DEFAULT_STOPWORD | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_FT_DELETED | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_FT_BEING_DELETED | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_FT_CONFIG | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_FT_INDEX_CACHE | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_FT_INDEX_TABLE | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_SYS_TABLES | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_SYS_TABLESTATS | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_SYS_INDEXES | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_SYS_COLUMNS | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_SYS_FIELDS | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_SYS_FOREIGN | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_SYS_FOREIGN_COLS | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_SYS_TABLESPACES | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_SYS_DATAFILES | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_CHANGED_PAGES | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_MUTEXES | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_SYS_SEMAPHORE_WAITS | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| INNODB_TABLESPACES_ENCRYPTION | ACTIVE | INFORMATION SCHEMA | NULL
| BSD |
| INNODB_TABLESPACES_SCRUBBING | ACTIVE | INFORMATION SCHEMA | NULL
| BSD |
| CHANGED_PAGE_BITMAPS | ACTIVE | INFORMATION SCHEMA | NULL
| GPL |
| SEQUENCE | ACTIVE | STORAGE ENGINE | NULL
| GPL |
| FEEDBACK | DISABLED | INFORMATION SCHEMA | NULL
| GPL |
| partition | ACTIVE | STORAGE ENGINE | NULL
| GPL |
| file_key_management | ACTIVE | ENCRYPTION |
file_key_management.so | GPL |
+-------------------------------+----------+--------------------
+------------------------+---------+
56 rows in set (0.01 sec)

MariaDB [(none)]>

MariaDB [(none)]> use test

Database changed
MariaDB [test]> CREATE TABLE table1
-> (col1 INT NOT NULL PRIMARY KEY, secret CHAR(200))
-> ENGINE=InnoDB ENCRYPTED=YES;
Query OK, 0 rows affected (0.01 sec)

MariaDB [test]> CREATE TABLE table2

-> (col1 INT NOT NULL PRIMARY KEY, secret CHAR(200))
-> ENGINE=InnoDB;
Query OK, 0 rows affected (0.01 sec)

MariaDB [test]> ALTER TABLE table2

-> ENCRYPTED=YES encryption_key_id=2;
ERROR 1478 (HY000): Table storage engine 'InnoDB' does not support the create
option 'ENCRYPTION_KEY_ID'

--> We only have a key id of 1 in the key.txt file so command above is expected to
fail.

MariaDB [test]> ALTER TABLE table2 ENCRYPTED=YES encryption_key_id=1;

Query OK, 0 rows affected (0.02 sec)
Records: 0 Duplicates: 0 Warnings: 0

[root@mafiscotech02 data]# ll
total 178252
-rw-rw----. 1 mysql mysql 16384 Dec 6 18:26 aria_log.00000001
-rw-rw----. 1 mysql mysql 52 Dec 6 18:26 aria_log_control
-rw-rw----. 1 mysql mysql 77594624 Dec 6 18:36 ibdata1
-rw-rw----. 1 mysql mysql 52428800 Dec 6 18:36 ib_logfile0
-rw-rw----. 1 mysql mysql 52428800 Dec 4 14:18 ib_logfile1
-rw-r--r--. 1 mysql mysql 100 Dec 6 18:20 key.txt
-rw-rw----. 1 mysql mysql 6 Dec 6 18:26 mafiscotech02.localdomain.pid
-rw-rw----. 1 mysql mysql 0 Dec 4 14:26 multi-master.info
drwx------. 2 mysql mysql 4096 Dec 4 14:18 mysql
-rw-rw----. 1 mysql mysql 16562 Dec 6 18:26 mysqld.log
drwx------. 2 mysql mysql 20 Dec 4 14:18 performance_schema
-rw-rw----. 1 mysql mysql 24576 Dec 6 18:26 tc.log
drwx------. 2 mysql mysql 78 Dec 6 18:36 test
[root@mafiscotech02 data]# cd test/
[root@mafiscotech02 test]# ll
total 200
-rw-rw----. 1 mysql mysql 1569 Dec 6 18:35 table1.frm
-rw-rw----. 1 mysql mysql 98304 Dec 6 18:35 table1.ibd
-rw-rw----. 1 mysql mysql 1590 Dec 6 18:36 table2.frm
-rw-rw----. 1 mysql mysql 98304 Dec 6 18:36 table2.ibd
[root@mafiscotech02 test]# strings table1.frm | head
ENCRYPTED
PRIMARY

InnoDB
col1
secret
[root@mafiscotech02 test]# which xxd
/usr/bin/xxd
[root@mafiscotech02 test]# xxd table1.ibd | head
0000000: 05c1 6fdf 0000 0000 0000 0000 0000 0000 ..o.............
0000010: 0000 0000 0018 c0e6 0008 0000 0000 0000 ................
0000020: 0000 0000 0004 0000 0004 0000 0000 0000 ................
0000030: 0006 0000 0040 0000 0000 0000 0004 0000 .....@..........
0000040: 0000 ffff ffff 0000 ffff ffff 0000 0000 ................
0000050: 0001 0000 0000 009e 0000 0000 009e 0000 ................
0000060: 0000 ffff ffff 0000 ffff ffff 0000 0000 ................
0000070: 0000 0000 0003 0000 0000 ffff ffff 0000 ................
0000080: ffff ffff 0000 0000 0001 0000 0002 0026 ...............&
0000090: 0000 0002 0026 0000 0000 0000 0000 ffff .....&..........
[root@mafiscotech02 test]#