So hi, hi everyone. My name is Herve and I'll be talking to you about data at rest encryption: how is it implemented in MariaDB, MySQL and Percona Server. The main goal of this talk is to go through all the features, all the things that you can get encrypted: first, why use it? What's getting written to disk, what's getting and not getting encrypted, a bit about key management, and how to do backups.

So what do we mean when we say data at rest? Data at rest in information technology means inactive data that is stored physically in any digital form, so databases, spreadsheets, offsite backups. Most of the data that's collected is being collected because it has some value. So even if you're just holding the data, it has something, sentimental value I guess.

Data at rest encryption, or the other term that I've seen is transparent data encryption, provides a layer of security for the files that are stored on the disk. This means if your data gets stolen, or someone gets access to a server, even if they copied the data they still can't use it without the encryption key. Or maybe you don't want the data center operators, if you have hosting somewhere, you don't want them to get access to the data. This is getting more popular with the GDPR, and in the last few years you've seen lots of data leaks from databases.

So what's getting written to disk? System tablespace: the most familiar file is ibdata1. It contains the doublewrite buffer, change buffer and data dictionary. Undo tablespace: the most famous files are undo001 and undo002. And you can have your own tablespaces, file-per-table tablespaces; this is if you're using the innodb_file_per_table option. Redo log: ib_logfile0. Then general tablespaces and temporary tablespaces. Other log files, these are the error log, general log, audit log if you have the audit log plugin.

So what's getting written to disk but is not encrypted? Currently data at rest encryption only covers InnoDB. Other storage engines are not supported, like MyRocks, TokuDB, MyISAM. Slow query log, general log, error log are also not being encrypted; audit log is not encrypted. But as always we have exceptions. The Aria storage engine in MariaDB, if you're using MariaDB, can be encrypted, but only the storage engine, not the Aria logs. Audit log: in Percona Server and MariaDB the audit log plugin is community based, it's free to use, but there is no option that you can encrypt it. But in MySQL 8 the audit log plugin is an enterprise feature and they also have an option to encrypt it.

Key management. In order to enable the encryption, we need to configure the server to use the so-called key management plugins. These plugins are responsible both for the management of the encryption keys and for the actual encryption and decryption of the data. One important thing is, all of them support multiple keyring plugins, but only one keyring plugin should be enabled at a time. Enabling multiple keyring plugins is not supported and it can result in data loss. And the real thing is, if you enable multiple, the server won't complain.

Keyring plugins in MariaDB: we have three. File key management is a basic key management plugin, it reads the key from a plain text file. MariaDB also offers a nice tutorial on how to encrypt this file so it's not readable by users. AWS key management: you can use this with the AWS Key Management Service. Eperi key management: I got this from the MariaDB documentation, but when I got to the links of Eperi it shows a 404, so I'm not sure if it's supported or not.

Percona also provides the keyring_file plugin. It's a plain text file, but currently it doesn't work if you encrypt it, so it's only a plain text file. Percona also provides the HashiCorp keyring_vault plugin, so if you use HashiCorp's Vault you can store the keys there. MySQL also provides the keyring_file plugin, but they have a few more, I think five or six, but these are only available as enterprise.

So when you're encrypting the production data, you need to make sure that you don't lose the key. If the key is lost, you lose all access to the files. They're good, but also I've seen this in a few cases: people back up the key with the data. It's like locking your house but leaving the key in the door. That's not a good idea.

So on to what's encrypted. In MariaDB, system tablespace encryption: it stores the doublewrite buffer and the change buffer. It can have one or more data files, but the most popular one is ibdata1. It's encrypted in MariaDB since 10.1, so it was GA in October 2015, that's like four and a half years. It's also available in Percona Server 5.7, currently experimental; the innodb_sys_tablespace_encrypt variable can be used to encrypt it. This is also available in Percona Server 8.0.13, but not available in MySQL 8.0.

There's an important limitation with this. You can use this only when you are initializing the database. You cannot convert the system tablespace from the encrypted state to the unencrypted, or vice versa. So if conversion is needed, you create a new instance with --initialize, you set innodb_sys_tablespace_encrypt in your cnf file, then you start the server and then you move your data to that instance.

mysql system tablespace encryption. This is 8.0 specific, in MySQL 8.0 and Percona Server 8.0. The mysql system tablespace contains the mysql system database and the data dictionary files. To enable it you can just do ALTER TABLESPACE on the mysql tablespace and set the encryption. This is not available in MariaDB because MariaDB doesn't separate the mysql system tablespace from the system tablespace.

Undo tablespace encryption. The most popular files are undo001, undo002. Also available in MariaDB; like most of these features, it has been available in MariaDB for four years. In Percona Server 5.7 it's currently experimental, you can use this variable to do it, but it's GA in MySQL 8 and GA in Percona Server 8. Limitations when you use this: once you enable it, you can't actually disable it. I mean you'll always need the keyring plugin to be loaded, because once it's turned on the server can't guarantee that there aren't any private records in the undo tablespace. This is not something you want to test on your production.

File-per-table tablespace. This is one of the earliest features available. It's available in MySQL 5.7.11 and same in Percona Server, we got it by the merge. So how to use it?

Redo log encryption. If you're encrypting the InnoDB tables and don't have encrypted redo log, data written to the encrypted table still may be found in the redo log.

General tablespace. Also available since... this is GA, mostly GA feature as well. You can use it by creating the tablespace and just adding the ENCRYPTION option.

Temporary tablespace encryption. This one is fun. Available also in MariaDB a while ago with these two options. In Percona Server 5.7 it's still experimental. These are the variables that you can use in 8.0; it's GA in Percona Server, but this is still not available in MySQL. What's getting encrypted here? It's the ibtmp1 file, this is the file that gets created on the server side, and the temp files. What's covered? Filesort, that's for example when you select with a statement like this case, like SQL_BIG_RESULT, within hints, and binary log transaction caches and group replication cache.

Replication. The binary log contains sensitive information, right? It's used to copy data between the servers. In other words, if you get everything encrypted but you don't encrypt the binlog, someone can still see all of your data. Yeah, it sucks. But the thing is, this is only being encrypted on the disk. You still need to set up TLS for replication to get the data encrypted across the network.

This feature encrypts both the binary and the relay log. If you set the feature on, even if you don't have the binary logs on, by default relay logs will still get encrypted. Once you get those encrypted, the problem, not the problem, the limitation is that mysqlbinlog cannot read them directly. But you can read them by setting the --read-from-remote-server option. But this option requires the server to be running.

In 5.7 and MariaDB 10, if you encrypt the binlog it requires the server to be restarted for changes to take effect. In 8.0, in both the MySQL and Percona Server implementation, once you set the binlog encryption the server automatically rotates the log and the new logs get encrypted.

Backups. You can back up the encrypted data, that's probably a good feature. You can use Percona XtraBackup to back up MySQL and Percona Server, Mariabackup for backing up the MariaDB stuff, and you can use mysqldump to back up all three of them. The thing is, with mysqldump, if you do the backup it won't be encrypted by default.

So how does this look like? Encrypt all the things in MariaDB, this is the nice one: how to set up the file key management and the features. In Percona Server, this is the example with HashiCorp Vault: URL, secret, all the features. In MySQL 8, I used the keyring_file. And this is what gets encrypted or not, all of them.

The MariaDB team takes the credit for leading the way with data at rest encryption; most of their features have been here since the 10.1 release, and that's four and a half years, probably more. Something that's important is that all these features are disabled by default. So you have to set up the keyring file, your keyring plugin, and enable each of these. Also each of these has a special option that you need to set so they get encrypted. Currently there is no master switch where you say encryption ON and everything gets encrypted; there's still nothing like that.

In a period of a year, a year and a half, this table was completely different except the MariaDB things. In Percona Server 5.7 some of the features were available but only experimental, and from MySQL it was only file-per-table tablespace encryption and redo and undo log encryption.

If you want to know how the sausage is made, there is a talk from my colleague Robert in the UA2 room; he will have a more detailed talk about the implementation of this feature in MySQL and Percona Server. This is a more internals-oriented talk. Even if you don't want to attend the talk you can watch the recording if you're interested in this. These are the resources, and thank you.

Questions.

Yeah, so regarding the performance: I haven't done any benchmarks, but from what I've seen from the MariaDB documentation they say three to five percent, and I've seen someone say around six.

Okay. Yeah, you can. I didn't tell this, but you can rotate the keys. There is a separate... it depends on the implementation. I mean, is it, sorry?

Yeah, so the thing is, it depends on the keyring plugin you are using. Any more questions?

So, yeah, the question was how does this compare with filesystem encryption. You can do that, but this is more granular, you still have the encryption. This makes sense if you're in a hosting environment, so you have someone that needs to get access to the other data, that's not the MySQL data. So that's the separation: you can manage all the stuff, but you can't see the data.

Okay, thank you.
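As an added example (not code from the talk, nor from MariaDB, MySQL or Percona), here is a small POSIX shell dry run that generates a MariaDB file_key_management key file, validates its format before the server is pointed at it, and writes a my.cnf fragment that switches on each of the MariaDB encryption features the talk listed one by one. The /tmp paths and the demo directory name are assumptions, and the two keys are randomly constructed for the run.

```shell
# Added example, not from the talk: build a MariaDB file_key_management key file
# plus a my.cnf fragment that enables every encryption feature the talk lists.
# The /tmp paths are assumptions for a local dry run, not a real deployment.
set -eu

# Key file format: one "<key id>;<hex key>" per line. Key id 1 is mandatory;
# extra ids let tables choose a different key via ENCRYPTION_KEY_ID.
make_mariadb_keyfile() {
  out=$1
  umask 077   # key material must not be world-readable
  for id in 1 2; do
    hex=$(od -An -vtx1 -N32 /dev/urandom | tr -d ' \n')  # 32 random bytes = one AES-256 key (constructed)
    printf '%s;%s\n' "$id" "$hex"
  done > "$out"
}

# Validate a key file before pointing the server at it: every line must be
# "<id>;<64 hex chars>", ids must be unique and id 1 must be present.
check_keyfile() {
  f=$1
  grep -Evq '^[0-9]+;[0-9a-fA-F]{64}$' "$f" && return 1
  ids=$(cut -d';' -f1 "$f")
  [ -z "$(printf '%s\n' "$ids" | sort | uniq -d)" ] || return 1
  printf '%s\n' "$ids" | grep -qx '1'
}
# Every feature is off by default and has its own switch; there is no master switch.
write_encryption_cnf() {
  out=$1; keyfile=$2
  cat > "$out" <<EOF
[mariadb]
plugin_load_add = file_key_management
file_key_management_filename = $keyfile
file_key_management_encryption_algorithm = AES_CTR
innodb_encrypt_tables = FORCE
innodb_encrypt_log = ON
innodb_encrypt_temporary_tables = ON
innodb_encryption_threads = 4
encrypt_tmp_disk_tables = ON
encrypt_tmp_files = ON
encrypt_binlog = ON
aria_encrypt_tables = ON
EOF
}
# Dry run under a temp directory (assumed path); back up the key separately from the data.
demo=${TMPDIR:-/tmp}/mariadb-encryption-demo
mkdir -p "$demo"
make_mariadb_keyfile "$demo/keyfile"
check_keyfile "$demo/keyfile" && echo "key file OK"
write_encryption_cnf "$demo/encryption.cnf" "$demo/keyfile"
```

The key file has to be backed up somewhere other than the data directory, which is the point of the house-key analogy above. To avoid leaving it on disk in plain text, MariaDB's documented route is to encrypt it with openssl and point file_key_management_filekey at the passphrase file.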