For your eyes only (or Adding better encryption to MariaDB)

With MariaDB and MySQL we have always taken security seriously.

In MariaDB 10.0 we added roles to make it easier to administrate many users.

MariaDB and MySQL has also many different encryption functions, but what has been neglected in the past is to make encryption easy to use.

This is now about to change.

I recently had a meeting with Elmar Eperiesi-Beck from eperi about simplifying the usage of encryption. We agreed to start a close collaboration around encryption for MariaDB with an agenda to deliver something very secure and easy to use soon.

The things we are initially focusing on are:

  • Adding column level encryption.
    • This will be done at the field level, invisible for the storage engine.
  • Block level encryption for certain storage engines.
    • Initially we will target InnoDB and XtraDB.

MariaDB will initially support storing the security keys on a remote file systems, accessed only at startup, and later also support using a daemon for key management.

The above will make your encrypted data in MariaDB secure for:

  • Database users that has user access to the database.
  • Anyone that would attempt to steal the hard disk with the database.

By using the daemon approach a MariaDB installation will even be secure against database administrators, as they will not have any way to access the key data.

eperi has 11 years of experience with encryption and I am very happy to see them engage with MariaDB to provide better security to MariaDB users!

No comments: