Introduction to MySQL encryption
MySQL encryption is the process of transforming the plain, human-readable data records stored in the server database into unreadable ciphertext with the help of an encryption algorithm.
Generally, when a user browses data in a database, the data is readable depending on the column type. Most of the commonly used column types, such as VARCHAR, INT, TEXT, and DATETIME, are stored in human-readable form, except for BLOBs and a few other types.
Thus, MySQL encryption is performed either by encrypting the container that holds the stored MySQL data records, i.e. the disk, or by encrypting the data before sending it to the MySQL server.
MySQL Enterprise Encryption delivers industry-standard asymmetric encryption (public key cryptography) features for protecting sensitive data throughout its lifespan. It provides encryption, digital signatures, key generation, and other cryptographic functions that help organizations protect confidential data and meet regulatory requirements, including Sarbanes-Oxley, HIPAA, and the PCI Data Security Standard.
MySQL Enterprise Encryption also gives DBAs and developers the technical tools they need to:
- Asymmetric Public Key Encryption
- Asymmetric Public Key Decryption
- Generate Public/Private Key
- Provide Symmetric Keys from Public and Private Key pairs
- Digitally Sign Data
- Verify Data Signature
- Validate Data Authenticity
This lets software developers encrypt data records easily using the DSA, RSA, and DH algorithms.
MySQL Enterprise Encryption enables your enterprise to:
- Secure data using a combination of private, public, and symmetric keys to encrypt and decrypt it.
- Encrypt data stored in MySQL using DSA, RSA, or DH encryption algorithms.
- Digitally sign messages to confirm the authenticity of the source (non-repudiation) and the integrity of the message.
- Avoid unnecessary exposure of data by enabling DBAs to manage data while it remains encrypted.
- Interoperate with other cryptographic systems and applications without changing existing applications.
- Avoid exposing asymmetric keys inside client applications or on disk.
MySQL Enterprise TDE (Transparent Data Encryption) keeps a user's critical data safe by supporting data-at-rest encryption in the database server. It protects the privacy of user information, helps prevent data breaches, and helps meet regulatory requirements such as:
- Payment Card Industry (PCI) Data Security Standard (DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation
- California Consumer Protection Act, etc.
How does encryption work in MySQL?
InnoDB in MySQL supports data-at-rest encryption for file-per-table tablespaces, general tablespaces, redo logs, undo logs, and the mysql system tablespace. As of MySQL 8.0.16, default encryption for schemas and general tablespaces is also supported, which lets DBAs control whether tables created in those schemas and tablespaces are encrypted.
InnoDB uses a two-tier encryption key architecture consisting of a master encryption key and per-tablespace keys. When a tablespace is encrypted, its tablespace key is encrypted and stored in the tablespace header. When an authorized user or application needs to access encrypted tablespace data, InnoDB uses the master encryption key to decrypt the tablespace key. The tablespace key itself does not change, but the master encryption key can be changed as required; this operation is called master key rotation.
The data-at-rest encryption feature depends on a keyring plugin for management of the master encryption key. The keyring_file plugin is available in all MySQL editions and stores keyring data in a file local to the server host. MySQL Enterprise Edition provides additional keyring plugins:
- keyring_encrypted_file keeps keyring data in an encrypted file local to the server host.
- keyring_okv includes a KMIP client (KMIP 1.1) and uses a KMIP-compatible product as the keyring storage back end. Supported KMIP-compatible products include centralized key management solutions such as Oracle Key Vault, Thales Vormetric Key Management, Gemalto KeySecure, and Fornetix Key Orchestration.
- keyring_aws communicates with the Amazon Web Services (AWS) Key Management Service (KMS) as a back end for key generation and uses a local file for key storage.
- keyring_hashicorp communicates with HashiCorp Vault as the storage back end.
As of MySQL 8.0.16, the default_table_encryption variable controls the encryption of newly created schemas and tablespaces unless an ENCRYPTION clause is specified explicitly in the CREATE TABLESPACE statement. Before MySQL 8.0.16, the ENCRYPTION clause had to be stated to enable encryption, as written below:
CREATE TABLESPACE tbs1 ADD DATAFILE 'tbs.ibd' ENCRYPTION = 'Y' ENGINE=InnoDB;
To change the encryption of an existing general tablespace, specify an ENCRYPTION clause in an ALTER TABLESPACE statement:
ALTER TABLESPACE tbs ENCRYPTION = 'Y';
MySQL 8.0.16 also supports encrypting the mysql system tablespace. This tablespace contains the mysql system database along with the MySQL data dictionary tables, and it is unencrypted by default. To enable encryption, specify the tablespace name and the ENCRYPTION option in an ALTER TABLESPACE statement, as shown below:
ALTER TABLESPACE mysql ENCRYPTION = 'Y';
Likewise, to disable encryption for the mysql system tablespace, set ENCRYPTION = 'N' with an ALTER TABLESPACE statement:
ALTER TABLESPACE mysql ENCRYPTION = 'N';
Remember that enabling or disabling encryption for the mysql system tablespace requires the CREATE TABLESPACE privilege on all tables in the instance, i.e. CREATE TABLESPACE on *.*.
Whenever the ENCRYPTION option is specified in a CREATE TABLE or ALTER TABLE statement, it is recorded in the CREATE_OPTIONS column of INFORMATION_SCHEMA.TABLES. We can query that column to find tables that reside in encrypted file-per-table tablespaces:
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES WHERE CREATE_OPTIONS LIKE '%ENCRYPTION%';
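The following walkthrough ties the steps above together (default encryption, an encrypted file-per-table table, an encrypted general tablespace, verification, and master key rotation). It is an added example, not part of the original article; the schema, table and tablespace names are assumed, and it assumes a keyring plugin is already loaded.

```sql
-- Assumes a keyring plugin (e.g. keyring_file) is already loaded via
-- early-plugin-load in my.cnf; every statement below fails without one.

-- 1. Make encryption the default for newly created schemas and tablespaces
--    (MySQL 8.0.16+). Needs SYSTEM_VARIABLES_ADMIN or TABLE_ENCRYPTION_ADMIN.
SET GLOBAL default_table_encryption = ON;

-- 2. Schema whose tables inherit encryption unless ENCRYPTION='N' is given.
CREATE DATABASE secure_app DEFAULT ENCRYPTION = 'Y';

-- 3. File-per-table table: no ENCRYPTION clause, so it inherits 'Y'.
CREATE TABLE secure_app.card_holders (
  id        INT PRIMARY KEY,
  pan_last4 CHAR(4)      NOT NULL,
  name      VARCHAR(100) NOT NULL
) ENGINE = InnoDB;

-- 4. General tablespace with explicit encryption, and a table placed in it
--    (a table takes the encryption setting of its general tablespace).
CREATE TABLESPACE tbs_secure ADD DATAFILE 'tbs_secure.ibd'
  ENCRYPTION = 'Y' ENGINE = InnoDB;
CREATE TABLE secure_app.audit_log (
  id    INT PRIMARY KEY,
  event VARCHAR(255) NOT NULL
) TABLESPACE tbs_secure;

-- 5. Verify. CREATE_OPTIONS shows ENCRYPTION="Y" for the file-per-table
--    table; INNODB_TABLESPACES shows the flag for every InnoDB tablespace,
--    including the general tablespace and the mysql system tablespace.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
  FROM INFORMATION_SCHEMA.TABLES
 WHERE TABLE_SCHEMA = 'secure_app';
SELECT NAME, ENCRYPTION
  FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
 WHERE NAME IN ('secure_app/card_holders', 'tbs_secure', 'mysql');

-- 6. Rotate the master key: each tablespace key is re-encrypted under the
--    new master key, the table data itself is not rewritten.
--    Needs ENCRYPTION_KEY_ADMIN. The keyring now lists the new master key.
ALTER INSTANCE ROTATE INNODB MASTER KEY;
SELECT KEY_ID, KEY_OWNER FROM performance_schema.keyring_keys;
```

The INNODB_TABLESPACES query is the more reliable check, since CREATE_OPTIONS only reflects file-per-table tables, while the mysql system tablespace and general tablespaces are reported only there.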
- In short, all sensitive records need to be protected, so MySQL encryption plays an important role in information security.
- In MySQL, data can be encrypted in flight as well as at rest, so sensitive user information is not exposed. MySQL encryption also helps secure server backups.
This is a guide to MySQL encryption. Here we discussed how encryption works in MySQL, along with examples.