Slide 1
Transparent tablespace and log encryption on MariaDB 10.1 using Amazon Key Management Service
Jan Lindström, Principal Engineer, MariaDB Corporation
Amsterdam, Netherlands | October 5, 2016
Slide 4
What is transparent encryption?
• Transparent to application
• Application doesn't know anything about keys, algorithm, etc.
• Anyone that can connect to MariaDB can dump data
• Not data-in-transit encryption (SSL/TLS)
• Not per-column encryption
• Not application-side encryption
• No encryption functions needed (AES_ENCRYPT())
Slide 5
All data written to disk should be encrypted
• InnoDB tablespaces (per-file and system)
• InnoDB log files
• Aria tables
• Temporary files
• Temporary tables
• Binary log
  • No mysqlbinlog, though!
Slide 7
Implementation
• MariaDB has a new interface for encryption plugins
  • Key management
  • Encryption/decryption
• Implemented in co-operation with Google and Eperi
• https://mariadb.com/kb/en/mariadb/encryption-plugins/
Slide 9
Concepts
• Key ID
  • ID 1 for system data, like InnoDB redo logs, binary logs, etc.
  • ID 2 (if available) for temporary data, like temporary files and temporary tables
  • Other IDs as configured when creating tables, etc.
• Key version (for rotation)
• Encryption algorithm
  • Default AES_CBC
• Support for these items may vary across plugins!
Slide 15
File_key_management
• Keys stored in a local file (note that this file could be on a USB stick)
• No support for key rotation/versions
• The key file itself can be encrypted (but the key used for that sits in my.cnf)
• Do you feel good having your encryption keys sitting next to your data?
Slide 16
Eperi plugin
• Separate Eperi gateway software
  • Licenses and downloads from Eperi's web portal
• KMS
  • Plugin opens a listener that the KMS connects to in order to authenticate the connecting MariaDB instance
• Page encryption server
  • InnoDB actually sends pages to the Eperi gateway node to be encrypted!
Slide 18
AWS KMS Encryption Plugin
• Amazon Web Services Key Management Service
• CloudTrail & CloudWatch
  • Logging
  • Auditing
  • Notifications
• Identity and Access Management (IAM)
• Interesting possibilities
  • MFA for MariaDB startup
  • IAM roles to read keys
  • AWS logging & alerts
Slide 19
Requirements
• You need to sign up for Amazon Web Services
• You need to create an IAM user
  • The MariaDB server will use these credentials to authenticate to the AWS service
• You need to create a master encryption key
  • Used to encrypt the actual encryption keys that will be used by MariaDB
• You will need to configure AWS credentials
• You will need to configure MariaDB (naturally)
Slide 20
AWS KMS Plugin
• Writes encrypted keys to local disk
• MariaDB must connect to KMS to decrypt keys
  - at MariaDB startup
  - when creating a table that uses a new key
• Supports key rotation
• Limited platform support due to the C++11 requirement of the AWS SDK
  • Requires a C++11 compiler: gcc 4.7+, clang 3.3+ or VS2013+
  • RHEL
  • CentOS 7
• ~600 lines
  • Great reference for people who want to write their own plugins
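A my.cnf fragment that ties the pieces from these slides together: the plugin and its master key, the data-at-rest options for everything listed on slide 5, and the AWS SDK credential chain. This is an added example, not configuration from the talk; the key alias and region are placeholders.

```ini
[mysqld]
# Load the AWS KMS plugin. The plugin creates one data key per key ID,
# asks KMS to wrap it under the master key named below, and stores only
# the wrapped copy on local disk; KMS is contacted to unwrap it at startup
# and whenever a table first uses a new key ID.
plugin-load-add                  = aws_key_management.so
aws-key-management-master-key-id = alias/mariadb-at-rest   # placeholder alias
aws-key-management-region        = eu-west-1               # placeholder region

# Everything that reaches disk is encrypted (slide 5).
innodb-encrypt-tables      = ON   # FORCE refuses to create unencrypted tables
innodb-encrypt-log         = ON   # redo log, wrapped with key ID 1
innodb-encryption-threads  = 4    # background threads that (re)encrypt pages
aria-encrypt-tables        = ON
encrypt-tmp-files          = ON   # temporary files, key ID 2 when available
encrypt-tmp-disk-tables    = ON   # on-disk temporary tables
encrypt-binlog             = ON   # remember: mysqlbinlog cannot read these

# No AWS credentials appear here: the AWS SDK resolves them from its usual
# chain (environment variables, ~/.aws/credentials, or the EC2 instance
# IAM role), so the server can run with a role and no long-lived secret.
```

Key rotation is triggered at runtime with `SET GLOBAL aws_key_management_rotate_key = -1;` (all key IDs) or with a single key ID, and a table picks a non-default key with `CREATE TABLE t (...) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=3;`. Rotation creates a new key version; existing pages are re-encrypted by the background threads, not instantly, so the old wrapped key must remain decryptable until they finish.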
Slide 21
Credentials Management
• Identity and Access Management (IAM) policy for keys
  • Authorized source addresses
  • IAM users with restricted privileges
  • Multi-Factor Authentication (2FA/MFA)
• AWS SDK
  • Config file, environment variables, etc.
  • Flexible wrapper program
  • EC2 (Elastic Compute Cloud) instance IAM role