Updated June 3, 2023
Introduction to MySQL encryption
MySQL encryption is the process of protecting a database by transforming the plain, human-readable records stored on the server into ciphertext that cannot be read without the key, using an encryption algorithm.
Generally, when a user browses data in a database, readability depends on the column type: commonly used column types such as VARCHAR, INT, TEXT, and DATETIME are stored in human-readable form, with the exception of BLOBs and a few other field categories.
MySQL encryption is therefore performed either by encrypting the container that holds the stored MySQL data, i.e., the on-disk storage, or by encrypting the data before it is sent to the MySQL server.
Syntax
MySQL Enterprise Encryption delivers industry-standard asymmetric (public key) cryptography for protecting sensitive data throughout its lifespan. It provides encryption, digital signatures, key generation, and related cryptographic functions that help organizations shield confidential data and meet regulatory requirements such as Sarbanes-Oxley, HIPAA, and the PCI Data Security Standard.
MySQL Enterprise Encryption also gives DBAs and developers the tools they need for the following:
- Asymmetric Public Key Encryption
- Asymmetric Public Key Decryption
- Generate Public/Private Key
- Derive symmetric keys from public/private key pairs
- Digitally Sign Data
- Verify Data Signature
- Validate data authenticity
This lets developers encrypt data records with the DSA, RSA, and DH algorithms with little effort.
MySQL Enterprise Encryption allows your enterprise to:
- Secure data using a combination of private, public, and symmetric keys to encrypt and decrypt it.
- Encrypt data stored in MySQL using the DSA, RSA, or DH algorithms.
- Digitally sign messages to confirm the authenticity of the source (non-repudiation) and the integrity of the message.
- Eliminate unnecessary exposure of data by enabling DBAs to manage data while it stays encrypted.
- Interoperate with other cryptographic systems and applications without altering existing applications.
- Avoid exposing asymmetric keys inside client applications or on disk.
MySQL Enterprise TDE (Transparent Data Encryption) keeps critical data safe by supporting data-at-rest encryption in the database server. It protects the privacy of user information, helps prevent data breaches, and helps meet regulatory requirements including:
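The following is an added example, not code from the original article, showing the MySQL Enterprise Encryption functions described above used end to end: generating an RSA key pair, encrypting and decrypting with it, and signing and verifying a digest. It assumes MySQL Enterprise Edition with the Enterprise Encryption functions installed; the message and token strings are constructed sample values, and the key pair is generated in session variables so no private key is written to disk.

```sql
-- Added example (not from the article). Requires MySQL Enterprise Edition
-- with the Enterprise Encryption functions installed. All literals below
-- are constructed sample values.

-- 1. Generate an RSA key pair; both halves live only in session variables.
SET @priv = create_asymmetric_priv_key('RSA', 2048);
SET @pub  = create_asymmetric_pub_key('RSA', @priv);

-- 2. Encrypt with the public key and decrypt with the private key.
--    RSA can only encrypt short inputs (bounded by the key size), so it is
--    used here for a small token, not a bulk record.
SET @ciphertext = asymmetric_encrypt('RSA', 'card-on-file token 4242', @pub);
SELECT asymmetric_decrypt('RSA', @ciphertext, @priv) AS plaintext;

-- 3. Sign a SHA-256 digest of a message with the private key and verify the
--    signature with the public key (non-repudiation plus integrity).
SET @msg    = 'invoice 1001 total 250.00';
SET @digest = create_digest('sha256', @msg);
SET @sig    = asymmetric_sign('RSA', @digest, @priv, 'sha256');
SELECT asymmetric_verify('RSA', @digest, @sig, @pub, 'sha256') AS signature_ok;

-- 4. A modified message produces a different digest, so the same signature
--    no longer verifies; this is the integrity check in action.
SET @tampered = create_digest('sha256', 'invoice 1001 total 950.00');
SELECT asymmetric_verify('RSA', @tampered, @sig, @pub, 'sha256') AS signature_ok;
```

The verify call in step 3 returns 1 and the one in step 4 returns 0. Keeping the private key in a session variable rather than a table or a client-side file is what the "avoid exposing asymmetric keys" point above refers to; in practice the key pair would be generated once and the private half stored in a key management system, not regenerated per session.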
- Payment Card Industry (PCI) Data Security Standard (DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation
- California Consumer Protection Act, etc.
How does encryption work in MySQL?
InnoDB tables in MySQL support data-at-rest encryption for general tablespaces, file-per-table tablespaces, redo logs, undo logs, and the mysql system tablespace. As of MySQL 8.0.16, encryption can be enabled by default for schemas and general tablespaces, which lets DBAs control whether tables created in those schemas and tablespaces are encrypted.
InnoDB uses a two-tier encryption key architecture consisting of a master encryption key and per-tablespace keys. When a tablespace is encrypted, its tablespace key is itself encrypted and stored in the tablespace header. When an authorized user or application needs to access encrypted tablespace data, InnoDB uses the master encryption key to decrypt the tablespace key. The tablespace key does not change, but the master encryption key can be changed as required; this operation is called master key rotation.
The data-at-rest encryption feature depends on a keyring plugin to manage the master encryption key. The keyring_file plugin is available in all MySQL editions and stores keyring data in a file local to the server host. MySQL Enterprise Edition delivers additional keyring plugins:
- keyring_encrypted_file keeps keyring data in an encrypted file local to the server host.
- keyring_okv includes a KMIP 1.1 client that uses a KMIP-compatible product as the keyring storage back end. Supported KMIP-compatible products include centralized key management solutions such as Oracle Key Vault, Thales Vormetric key management, Gemalto KeySecure, and Fornetix Key Orchestration.
- keyring_aws connects to the Amazon Web Services (AWS) Key Management Service (KMS) as a back end for key generation and uses a local file for key storage.
- keyring_hashicorp uses HashiCorp Vault as the storage back end.
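As an added example (not from the original article), the statements below show the keyring check and master key rotation that the two-tier key description above implies. They assume the keyring_file plugin was loaded at server startup via my.cnf; the keyring file path in the comment is an assumption, and the session needs the ENCRYPTION_KEY_ADMIN privilege to rotate the key.

```sql
-- Added example (not from the article). Assumes my.cnf contains:
--   [mysqld]
--   early-plugin-load=keyring_file.so
--   keyring_file_data=/var/lib/mysql-keyring/keyring   (path is an assumption)

-- 1. Confirm a keyring plugin is active before relying on tablespace
--    encryption; without one the master key cannot be stored or loaded.
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'keyring%';

-- 2. Rotate the master encryption key. Each tablespace key is decrypted
--    with the old master key and re-encrypted with the new one; the
--    tablespace keys themselves and the encrypted data are not rewritten.
ALTER INSTANCE ROTATE INNODB MASTER KEY;

-- 3. List the tablespaces that are currently encrypted and therefore
--    depend on the master key just rotated.
SELECT NAME, ENCRYPTION
FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
WHERE ENCRYPTION = 'Y';
```

Because rotation only re-wraps the tablespace keys, it is cheap enough to run on a schedule or immediately after a suspected exposure of the keyring file; the keyring file itself must be backed up separately, since a restored data directory is unreadable without the master key it references.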
Examples
As of MySQL 8.0.16, the default_table_encryption variable controls the encryption of a newly created tablespace unless an ENCRYPTION clause is specified explicitly in the CREATE TABLESPACE statement. Before MySQL 8.0.16, you had to specify the ENCRYPTION clause to enable encryption, as shown below:
CREATE TABLESPACE `tbs1` ADD DATAFILE 'tbs.ibd' ENCRYPTION = 'Y' ENGINE=InnoDB;
To modify the encryption of an existing general tablespace, an ENCRYPTION clause must be specified:
ALTER TABLESPACE tbs ENCRYPTION = 'Y';
MySQL 8.0.16 also supports encrypting the mysql system tablespace, which contains the mysql system database and the MySQL data dictionary tables; by default it is unencrypted. To enable encryption, specify the tablespace name together with the ENCRYPTION option in an ALTER TABLESPACE statement, as shown below:
ALTER TABLESPACE mysql ENCRYPTION = 'Y';
To disable encryption for the mysql system tablespace, set ENCRYPTION = 'N' with an ALTER TABLESPACE statement:
ALTER TABLESPACE mysql ENCRYPTION = 'N';
Remember that enabling or disabling encryption for the mysql system tablespace requires the CREATE TABLESPACE privilege on all tables in the instance, i.e., CREATE TABLESPACE on *.*.
Whenever the ENCRYPTION option is specified in a CREATE TABLE or ALTER TABLE statement, it is recorded in the CREATE_OPTIONS column of INFORMATION_SCHEMA.TABLES. We can query that column to identify tables that reside in encrypted file-per-table tablespaces:
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES WHERE CREATE_OPTIONS LIKE '%ENCRYPTION%';
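The following added example (not from the original article) ties the statements above together for MySQL 8.0.16 or later: it turns on default encryption, creates a schema and tables that inherit it, shows an explicit opt-out, and verifies the effective state of each tablespace. The schema and table names are constructed; setting the global variable requires SYSTEM_VARIABLES_ADMIN, and when table_encryption_privilege_check is enabled, creating a table whose setting differs from its schema default additionally requires TABLE_ENCRYPTION_ADMIN.

```sql
-- Added example (not from the article); schema and table names are constructed.

-- 1. Make encryption the default for tablespaces created from now on.
SET GLOBAL default_table_encryption = 'ON';

-- 2. New schemas inherit that default; it can also be stated explicitly.
CREATE DATABASE payments DEFAULT ENCRYPTION = 'Y';

-- 3. A file-per-table tablespace created in this schema is encrypted even
--    though no ENCRYPTION clause is written.
CREATE TABLE payments.card_token (
  id    BIGINT PRIMARY KEY AUTO_INCREMENT,
  token VARBINARY(64) NOT NULL
) ENGINE=InnoDB;

-- 4. Opting out must be explicit. With table_encryption_privilege_check=ON
--    this deviation from the schema default needs TABLE_ENCRYPTION_ADMIN,
--    so an ordinary developer account cannot silently create plaintext tables.
CREATE TABLE payments.audit_public (
  id INT PRIMARY KEY
) ENGINE=InnoDB ENCRYPTION = 'N';

-- 5. Verify the effective state per tablespace. INNODB_TABLESPACES reports
--    what InnoDB actually did, whether the setting came from a clause or
--    from the schema default.
SELECT NAME, ENCRYPTION
FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
WHERE NAME LIKE 'payments/%';
```

The last query lists payments/card_token with ENCRYPTION = 'Y' and payments/audit_public with 'N'. Checking INNODB_TABLESPACES rather than only CREATE_OPTIONS is the safer audit, because it reflects the tablespace as stored on disk regardless of how the table was declared.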
Conclusion
All sensitive records need to be protected, and MySQL encryption plays an important role in that information security.
In MySQL, data can be encrypted both in transit and at rest, so the user's sensitive information is protected from exposure. MySQL encryption helps secure data and protects server backups as well.