This document discusses transparent encryption of MariaDB databases using the Amazon Key Management Service (KMS). It provides an overview of transparent encryption concepts, how encryption is implemented for InnoDB/XtraDB tables and logs, available encryption plugins including the AWS KMS plugin, and how to configure MariaDB for encryption using AWS KMS for key management. The AWS KMS plugin allows MariaDB to store encrypted encryption keys in AWS KMS and handle key rotation. Documentation links are also provided.
1. Transparent tablespace and log encryption on MariaDB 10.1 using Amazon Key Management Service
Jan Lindström, Principal Engineer, MariaDB Corporation
Amsterdam, Netherlands | October 5, 2016
4. 4
What is transparent encryption?
• Transparent to application
  • Application doesn't know anything about keys, algorithm, etc.
• Anyone that can connect to MariaDB can dump data
• Not data-in-transit encryption (SSL/TLS)
• Not per-column encryption
• Not application-side encryption
• No encryption functions needed (AES_ENCRYPT())
5. 5
All data written to disk should be encrypted
• InnoDB tablespaces (per-file and system)
• InnoDB log files
• Aria tables
• Temporary files
• Temporary tables
• Binary log
  • No mysqlbinlog, though!
7. 7
Implementation
• MariaDB has a new interface for encryption plugins
  • Key management
  • Encryption/decryption
• Implemented in co-operation with Google and Eperi
• https://mariadb.com/kb/en/mariadb/encryption-plugins/
9. 9
Concepts
• Key ID
  • ID 1 for system data, like InnoDB redo logs, binary logs, etc.
  • ID 2 (if available) for temporary data, like temporary files and temporary tables
  • Other IDs as configured when creating tables, etc.
• Key version (for rotation)
• Encryption algorithm
  • Default AES_CBC
• Support for these items may vary across plugins!
15. 15
File_key_management
• Keys stored in a local file (note that this file could be on a USB stick)
• No support for key rotation/versions
• Key file itself can be encrypted (but the key used for that sits in my.cnf)
• Do you feel good having your encryption keys sitting next to your data?
16. 16
Eperi plugin
• Separate Eperi gateway software
  • Licenses and downloads from Eperi's web portal
• KMS
  • Plugin opens a listener that the KMS connects to in order to authenticate the connecting MariaDB instance
• Page encryption server
  • InnoDB actually sends pages to the Eperi gateway node to be encrypted!
18. 18
AWS KMS Encryption Plugin
• Amazon Web Services Key Management Service
• CloudTrail & CloudWatch
  • Logging
  • Auditing
  • Notifications
• Identity and Access Management (IAM)
• Interesting possibilities
  • MFA for MariaDB startup
  • IAM roles to read keys
  • AWS logging & alerts
19. 19
Requirements
• You need to sign up for Amazon Web Services
• You need to create an IAM user
  • MariaDB server will use these credentials to authenticate to AWS
• You need to create a master encryption key
  • Used to encrypt the actual encryption keys that will be used by MariaDB
• You will need to configure AWS credentials
• You will need to configure MariaDB (naturally)
20. 20
AWS KMS Plugin
• Writes encrypted keys to local disk
• MariaDB must connect to KMS to decrypt keys
  • MariaDB startup
  • Creating a table that uses a new key
• Supports key rotation
• Limited platform support due to the C++11 requirement of the AWS SDK
  • Requires a C++11 compiler: gcc 4.7+, clang 3.3+ or VS2013+
  • RHEL
  • CentOS 7
• ~600 lines
  • Great reference for people who want to write their own plugins
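A configuration-level check of the "all data written to disk" checklist and the AWS KMS plugin slides above, as an added example that is not part of the deck: it audits a my.cnf fragment for the documented MariaDB 10.1 / aws_key_management option names and flags the file_key_management risks the deck mentions. The sample fragment at the end is constructed, and its master key id is a placeholder alias.

```python
# Added example, not from the slides: audit a MariaDB 10.1 my.cnf fragment against the deck's
# "all data written to disk" checklist and its key-management plugin. Sample config is constructed.
REQUIRED = {  # deck item -> (option that enables it, acceptable values)
    "InnoDB tablespaces": ("innodb_encrypt_tables", ("ON", "FORCE")),
    "InnoDB log files": ("innodb_encrypt_log", ("ON",)),
    "Aria tables": ("aria_encrypt_tables", ("ON",)),
    "Temporary files": ("encrypt_tmp_files", ("ON",)),
    "Temporary tables": ("encrypt_tmp_disk_tables", ("ON",)),
    "Binary log": ("encrypt_binlog", ("ON",)),
}

def parse_mysqld(text):
    """[mysqld] options as {name: [values]}: '-' == '_' in names, bare option == ON, 1/0 == ON/OFF."""
    opts, active = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            active = line.lower() == "[mysqld]"
        elif line and active:
            name, _, value = line.partition("=")
            value = value.strip().strip('"').upper() or "ON"
            name = name.strip().lower().replace("-", "_")
            opts.setdefault(name, []).append({"1": "ON", "0": "OFF"}.get(value, value))
    return opts

def audit(text):
    opts, findings = parse_mysqld(text), []
    last = lambda k: opts.get(k, [""])[-1]  # MariaDB uses the last occurrence of an option
    for item, (opt, ok) in REQUIRED.items():
        if last(opt) not in ok:
            findings.append(f"{item} not encrypted: set {opt}=ON")
    plugins = {p.lower().removesuffix(".so") for p in opts.get("plugin_load_add", [])}
    if "aws_key_management" in plugins:  # keys wrapped by the KMS master key, rotation supported
        findings += [f"aws_key_management loaded but {o} is not set" for o in
                     ("aws_key_management_master_key_id", "aws_key_management_region") if not last(o)]
    elif "file_key_management" in plugins:  # keys on local disk next to the data, no rotation
        findings.append("file_key_management: keys sit next to the data and cannot be rotated")
        if last("file_key_management_filekey") and not last("file_key_management_filekey").startswith("FILE:"):
            findings.append("file_key_management_filekey: the key-file password itself is in my.cnf")
    else:
        findings.append("no key management plugin loaded: the encryption options have no effect")
    return findings

KMS_CNF = """[mysqld]  # constructed sample; the master key id is a placeholder alias
plugin-load-add = aws_key_management
aws-key-management-master-key-id = alias/mariadb-master-key
aws-key-management-region = eu-west-1
innodb-encrypt-tables = FORCE
innodb-encrypt-log = ON
"""
```

Running `audit(KMS_CNF)` reports the four disk artifacts the sample still leaves unencrypted (Aria, temporary files, temporary tables, binary log) while accepting the KMS plugin settings.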
21. 21
Credentials Management
• Identity and Access Management (IAM) policy for keys
  • Authorized source addresses
  • IAM users w/ restricted privileges
  • Multi-Factor Authentication (2FA/MFA)
• AWS SDK
  • Config file, environment variables, etc.
  • Flexible wrapper program
  • EC2 (Elastic Compute Cloud) instance IAM role