From 33252f5155446a85ee6967011b083f111ac882db Mon Sep 17 00:00:00 2001
From: Guillaume Lefranc
Date: Thu, 22 Oct 2015 14:43:39 +0200
Subject: [PATCH 1/2] Update enable_encryption.preset

Updated enable_encryption.preset so it contains necessary directives to be fully functional. Added relevant comments and references to the documentation.
---
 support-files/rpm/enable_encryption.preset | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/support-files/rpm/enable_encryption.preset b/support-files/rpm/enable_encryption.preset
index 103572be48900..1eddb49cd567a 100644
--- a/support-files/rpm/enable_encryption.preset
+++ b/support-files/rpm/enable_encryption.preset
@@ -4,13 +4,26 @@
 # ensure that everything that can be encrypted will be and your
 # data will not leak unencrypted.
 #
+# Note that for the encryption to work, you must generate an IV and a key with
+# the following command: openssl enc -aes-256-ctr -k mypass -P -md sha1
+# Please check https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/ for more info.
+#
 # If in the future more encryption related options will be implemented,
 # this file will enable them too.
 #
 [mariadb]
-aria-encrypt-tables
+# Load the encryption plugin
+plugin-load-add=file_key_management.so
+file-key-management
+# Location of your encryption key, preferably on an external device or remote location
+file-key-management-filename = /mount/usb1/keys.txt
+# Encrypt InnoDB Tables and log
+innodb-encrypt-tables
+innodb-encrypt-log
+innodb-encryption-threads=4
+# Encrypt Aria tables
+aria-encrypt-tables=1
+# Encrypt binary log, temp tables and temp files
 encrypt-binlog
 encrypt-tmp-disk-tables
 encrypt-tmp-files
-loose-innodb-encrypt-log
-loose-innodb-encrypt-tables
From 908e9f6abf569ed7d6a7c7c248d3ce1d1f227ea9 Mon Sep 17 00:00:00 2001
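Review bot: `file-key-management-filename = /mount/usb1/keys.txt` is added as a live setting although it is only an example path, and the same hunk drops the `loose-` prefix from the InnoDB options, so a host that installs this preset before creating the key file will probably get a server that fails at startup instead of one that warns. The comment above the path should say that the file has to exist before startup and that it holds the keys in clear text, e.g. `# Key file must exist before the server starts; keep it owned by the mysql user with mode 0400, or encrypt it and set file-key-management-filekey`. Plain `innodb-encrypt-tables` also still permits tables created with `ENCRYPTED=NO`; if the header's promise that everything will be encrypted is meant literally, `innodb-encrypt-tables=FORCE` is the matching value, assuming the targeted server version supports it.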
From: Guillaume Lefranc
Date: Thu, 22 Oct 2015 15:16:10 +0200
Subject: [PATCH 2/2] Improved text

Removed the IV bits which are not needed anymore, and referenced the key format in the comments
---
 support-files/rpm/enable_encryption.preset | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/support-files/rpm/enable_encryption.preset b/support-files/rpm/enable_encryption.preset
index 1eddb49cd567a..8c29096678733 100644
--- a/support-files/rpm/enable_encryption.preset
+++ b/support-files/rpm/enable_encryption.preset
@@ -4,8 +4,10 @@
 # ensure that everything that can be encrypted will be and your
 # data will not leak unencrypted.
 #
-# Note that for the encryption to work, you must generate an IV and a key with
+# Note that for the encryption to work, you must generate a key with
 # the following command: openssl enc -aes-256-ctr -k mypass -P -md sha1
+# Paste the key=[encryption key] contents into a file with the following format:
+# 1;[encryption key]
 # Please check https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/ for more info.
 #
 # If in the future more encryption related options will be implemented,
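Review bot: The command this comment keeps recommending, `openssl enc -aes-256-ctr -k mypass -P -md sha1`, derives the key from a passphrase with a single SHA-1 based pass, so the key is only as strong as the passphrase, and `-k` puts that passphrase on the command line where shell history and process listings can record it. Since the text now says only a key is needed, a random key is both simpler and stronger: `# the following command: openssl rand -hex 32`, with the output pasted after the identifier. The format line would also be clearer if it said what the fields are, e.g. `# <key id>;<hex-encoded key>, for example 1;[encryption key]`. The comment block continues past the end of this hunk.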