
For MariaDB encryption at-rest, my setting is

[mysqld]
# at-rest encryption
plugin_load_add = file_key_management
file_key_management_filename = /etc/mysql/rest/keyfile.enc
file_key_management_filekey = FILE:/etc/mysql/rest/keyfile.passwd
file_key_management_encryption_algorithm = AES_CBC

However, if hackers steal the database, they have access to both keyfile.enc and keyfile.passwd, and the point of encryption at-rest is lost.

Can I tell the key manager not to read the super password from the file, and instead read it from the user at startup?

asked Aug 14, 2020 at 7:32
  • The only options are those documented Commented Aug 14, 2020 at 7:39

1 Answer

Usually a database is started as a service in the background, so entering keys at startup will not be possible.

To separate key(s) and data you have the following options:

  • store keys on a separate device which can be unplugged after the database server has started.
  • use an external key management system, e.g. Eperi, which also supports key rotation.
answered Aug 14, 2020 at 7:46
  • Is AWS Key Management Plugin similar to Eperi in this sense? There is not much information in the link about how Eperi connects to another server. A bit hard to evaluate it. Commented Aug 14, 2020 at 7:57
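As an added example (not from the question or the answer), a small Python audit that parses the [mysqld] block from the question, resolves the FILE: passphrase path, and flags the layout the asker describes: keyfile, passphrase file and datadir on the same filesystem, which is exactly what the answer's first option (keys on a separately mounted device) is meant to avoid. The sample config, paths and device ids are constructed; stat_fn is injectable so it runs without real mounts.

```python
"""Audit a MariaDB config for key-vs-data separation (added example, constructed input)."""
import configparser
import os
import stat
from types import SimpleNamespace

# Constructed sample mirroring the question's [mysqld] block; paths are placeholders.
SAMPLE_CNF = """\
[mysqld]
datadir = /var/lib/mysql
# at-rest encryption
plugin_load_add = file_key_management
file_key_management_filename = /etc/mysql/rest/keyfile.enc
file_key_management_filekey = FILE:/etc/mysql/rest/keyfile.passwd
file_key_management_encryption_algorithm = AES_CBC
"""


def parse_mysqld(text):
    """Return the [mysqld] options as a dict (my.cnf is INI-like; bare keys are allowed)."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(text)
    return dict(cp["mysqld"])


def fake_stat(dev, mode=0o100600):
    """Stand-in for os.stat results so the audit can run against constructed device ids."""
    return SimpleNamespace(st_dev=dev, st_mode=mode)


def audit(settings, stat_fn=os.stat):
    """Return a list of findings for the file_key_management layout; [] means clean."""
    keyfile = settings.get("file_key_management_filename")
    filekey = settings.get("file_key_management_filekey", "")
    datadir = settings.get("datadir", "/var/lib/mysql")
    if not keyfile:
        return ["file_key_management loaded but no file_key_management_filename set"]
    if not filekey.startswith("FILE:"):
        # No passphrase, or a literal one in my.cnf: readable by anyone who reads the config.
        return ["keyfile is unencrypted or its passphrase is a literal in the config"]
    passfile = filekey[len("FILE:"):]
    data_dev = stat_fn(datadir).st_dev
    findings = []
    for label, path in (("keyfile", keyfile), ("passphrase file", passfile)):
        st = stat_fn(path)
        if st.st_dev == data_dev:  # same filesystem as the data: stolen together
            findings.append(f"{label} {path} is on the same filesystem as datadir {datadir}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):  # should be owner-only
            findings.append(f"{label} {path} is group/world accessible")
    return findings


if __name__ == "__main__":
    # Everything on device 1 reproduces the layout the question worries about.
    for f in audit(parse_mysqld(SAMPLE_CNF), stat_fn=lambda p: fake_stat(1)):
        print("FINDING:", f)
```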
