maria-discuss team mailing list archive

Thread
Date

Re: About data encryption

To: Cesar Hernandez <c.hernandez@xxxxxxxxxxxx>
From: Sergei Golubchik <serg@xxxxxxxxxxx>
Date: Thu, 14 Dec 2017 19:01:06 +0100
Cc: maria-discuss@xxxxxxxxxxxxxxxxxxx
In-reply-to: <30C5E9A7-AEE1-44FE-AC61-F508421C960E@medlabmg.com>
User-agent: Mutt/1.7.2 (2016-11-26)

Hi, Cesar!

On Dec 14, Cesar Hernandez wrote:
> Hi
> 
> Can someone tell me which algorithm uses MariaDB when using table
> encryption?  Looking at
> https://mariadb.com/kb/en/library/data-at-rest-encryption/ Seems to
> talk only about encryption of the key file, but not on the database
> data.

Not really, the manual talks about the data. Let me quote it here:

  The file_key_management_encryption_algorithm can be set to AES_CBC or
  AES_CTR. AES_CTR is not always available (only if MariaDB was built
  with recent openSSL) but in case it is available, we recommend to use
  it. If set to AES_CBC, the plugin will use AES with 128-bit keys in
  the CBC mode. If set to AES_CTR, the plugin will use AES with the
  128-bit keys in the CTR mode for encrypting tablespace pages (InnoDB,
  XtraDB, and Aria), and it will use AES in the authenticated GCM mode
  for temporary files (where the cyphertext is allowed to be larger than
  the plaintext).

See? "will use AES with the 128-bit keys in the CTR mode for encrypting
tablespace pages" - that is database data.

Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx

References

About data encryption
From: Cesar Hernandez, 2017-12-14