MariaDB’s encryption at rest isn’t about scrambling data as it flies over the network; it’s about making sure your data is unreadable even if someone physically steals the hard drives your database lives on.
Let’s see it in action. Imagine you have a table that needs to be protected.
```sql
CREATE TABLE sensitive_data (
    id INT PRIMARY KEY,
    secret_info VARCHAR(255)
) ENCRYPTED WITH KEY 'my_secret_key';
```
When you insert data, it gets encrypted before being written to disk.
```sql
INSERT INTO sensitive_data (id, secret_info) VALUES (1, 'This is highly confidential!');
```
And when you query it, MariaDB decrypts it on the fly.
```sql
SELECT * FROM sensitive_data WHERE id = 1;
-- Output will show: 1, 'This is highly confidential!'
```
The magic happens because the data in the sensitive_data table, when viewed directly in the data files on disk, looks like gibberish. Only the MariaDB server, armed with the correct key, can make sense of it. The same protection extends to the transaction logs and to the binary logs, if you configure it.
The primary problem MariaDB encryption at rest solves is data breach via physical theft or unauthorized access to storage media. If a server is stolen or its disks are removed and connected elsewhere, the data remains protected because the encryption key is managed separately. It’s a crucial layer of defense for sensitive information, meeting compliance requirements like GDPR or HIPAA.
Internally, MariaDB uses the PAGE_ENCRYPT plugin. When you enable encryption for a table, MariaDB encrypts each data page before it’s written to the InnoDB tablespace file. The encryption and decryption happen automatically at the page level by the InnoDB storage engine. The key management is handled by a separate key management system (KMS), which could be a simple file-based system or a more robust solution.
The core levers you control are:
- Key Management: How you store, access, and rotate your encryption keys. This is the most critical part. A compromised key means compromised data.
- Table-Level Encryption: Which specific tables you choose to encrypt. You don’t have to encrypt everything, allowing for a performance-tuned approach.
- Log Encryption: Whether to encrypt binary logs, which can contain sensitive data changes.
To set this up, you first need to install and enable the PAGE_ENCRYPT plugin. This is typically done in your my.cnf or my.ini configuration file.
```ini
[mysqld]
plugin_load_add=PAGE_ENCRYPT
```
Then, restart your MariaDB server. After the server restarts, you can create or alter tables to use encryption. The ENCRYPTED WITH KEY clause is used during table creation or alteration.
```sql
ALTER TABLE existing_table ENCRYPTED WITH KEY 'my_secret_key';
```
You can also encrypt binary logs by setting binlog_encryption to ON in your my.cnf (on older versions the setting is log_bin_encrypt).

```ini
[mysqld]
log_bin=mysql-bin
binlog_encryption=ON
# For older versions:
# log_bin_encrypt=ON
```
When using file-based key management, you’ll typically have a directory containing encrypted key files. MariaDB will look for keys in a specified location. For example, you might configure:
```ini
[mysqld]
keyring_file_dir = /var/lib/mysql/keyring
```
The my_secret_key in the ENCRYPTED WITH KEY clause is not the actual encryption key itself, but an alias or identifier that MariaDB uses to look up the actual, much larger, encryption key managed by the keyring. The keyring securely stores the master encryption keys, and MariaDB uses these to derive per-table or per-file encryption keys.
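Since the post calls key management the most critical lever, here is an added example (not from the original post) that audits a file-based key store before the server is pointed at it. It assumes the plain-text key file layout of MariaDB's file_key_management plugin, which the post does not name, and checks that the file is not readable by other accounts, that every key has a valid AES length, that the default key id 1 exists, and that no key is an obvious all-zero placeholder.

```python
import os, re, tempfile

# Layout of a MariaDB file_key_management key file (assumption: the post only says
# "file-based key management"): one "<key_id>;<hex key>" per line, key 16/24/32 bytes
# (AES-128/192/256); key id 1 is the plugin's default and must be present.
LINE_RE = re.compile(r"^([1-9]\d*);([0-9a-fA-F]+)$")

def parse_keyfile(text):
    """Parse key file text into {key_id: key_bytes}; raise ValueError on any defect."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected '<id>;<hex key>'")
        key_id, hex_key = int(m.group(1)), m.group(2)
        if key_id in keys:
            raise ValueError(f"line {lineno}: duplicate key id {key_id}")
        if len(hex_key) % 2 or len(hex_key) // 2 not in {16, 24, 32}:
            raise ValueError(f"line {lineno}: key {key_id} is not 16/24/32 bytes")
        keys[key_id] = bytes.fromhex(hex_key)
    if 1 not in keys:
        raise ValueError("no key id 1 (the default key) defined")
    return keys

def audit_keyfile(path):
    """Return findings for a key file on disk (an empty list means it passes)."""
    mode = os.stat(path).st_mode & 0o777
    findings = [f"mode {oct(mode)} grants group/other access"] if mode & 0o077 else []
    with open(path) as f:
        try:
            keys = parse_keyfile(f.read())
        except ValueError as e:
            return findings + [f"format: {e}"]
    for key_id, key in keys.items():
        if len(set(key)) <= 2:  # all-zero or similarly patterned placeholder key
            findings.append(f"key {key_id} has almost no entropy")
    return findings

def demo():
    """Audit a constructed, deliberately weak key file (sample data, not real keys)."""
    weak = "1;" + "00" * 32 + "\n2;" + "0123456789abcdef" * 4 + "\n"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as f: f.write(weak)
    os.chmod(path, 0o644)  # world-readable: the audit should flag this
    findings = audit_keyfile(path)
    os.remove(path)
    return findings
```

Running demo() reports two findings for the constructed file: the 0o644 mode and the all-zero key 1; a clean key file returns an empty list.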
The most surprising thing about MariaDB’s encryption at rest is that the performance impact is often negligible for read-heavy workloads. This is because the encryption/decryption happens at the page level and is heavily optimized by the InnoDB engine. The CPU overhead is usually minimal, and the bottleneck is far more likely to be disk I/O. The real performance hit comes when you have a write-heavy workload and the system is constantly encrypting new data pages before they hit the disk, especially if your CPU is already maxed out.
The next logical step after securing your data at rest is to consider how you’re managing access to that data and the keys that protect it.