The InnoDB storage engine supports transparent data encryption, which provides data-at-rest encryption for physical tablespace data files.
This feature uses a two tier encryption key architecture, consisting of a master encryption key and tablespace keys. When a table is encrypted, a tablespace key is encrypted and stored in the tablespace header. When an application or authenticated user wants to access encrypted tablespace data, a master encryption key is used to decrypt the tablespace key.
A MySQL Keyring plugin is required for master encryption key management. MySQL provides these plugin choices:
keyring_file: Stores master encryption key data in a keyring file in the location specified by the
keyring_encrypted_file: Stores master encryption key data in an encrypted keyring file in the location specified by the
keyring_okv: Uses a KMIP-compatible product as a back end for keyring storage. Supported products include centralized key management solutions such as Oracle Key Vault, Gemalto KeySecure, Thales Vormetric key management server, and Fornetix Key Orchestration.
keyring_aws: Communicates with the Amazon Web Services Key Management Service for key generation and uses a local file for key storage.
The keyring_file and keyring_encrypted_file plugins are not intended as regulatory compliance solutions, so the other plugins are recommended for a secure deployment.
If you have a KMIP-compatible product or an AWS KMS account and want to configure data encryption for your secure deployment, see Keyring Plugin Installation for instructions.
After a keyring plugin is configured, tables may be encrypted using CREATE TABLE or ALTER TABLE. For instructions, refer to InnoDB Tablespace Encryption.
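The plugin configuration, table encryption and master-key rotation described above, as an added example that is not taken from the MySQL manual; the schema and table names and the keyring file path are assumptions, and keyring_file is used only because it needs no external key server:

```sql
-- 1. Server configuration (my.cnf / my.ini), shown here as comments because it is
--    not SQL. The keyring plugin must be loaded early so InnoDB can fetch the
--    master key during crash recovery. keyring_file is used for illustration only;
--    for a secure deployment the page recommends keyring_okv or keyring_aws.
--
--    [mysqld]
--    early-plugin-load=keyring_file.so
--    keyring_file_data=/var/lib/mysql-keyring/keyring   -- assumed path
--
-- 2. Confirm the plugin is active before creating any encrypted table.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME LIKE 'keyring%';

-- 3. Create a new encrypted table (hypothetical schema and table names).
--    A tablespace key is generated, encrypted with the master key and written
--    to the tablespace header; the master key itself is never stored in the file.
CREATE TABLE hr.payroll (
  emp_id INT PRIMARY KEY,
  salary DECIMAL(12,2) NOT NULL
) ENGINE=InnoDB ENCRYPTION='Y';

-- 4. Encrypt an existing table. The tablespace is rebuilt, so the copy
--    algorithm is required for this operation.
ALTER TABLE hr.employees ENCRYPTION='Y', ALGORITHM=COPY;

-- 5. Verify which tables are actually encrypted: CREATE_OPTIONS carries the
--    ENCRYPTION attribute. Audit this view rather than trusting that the DDL ran.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
  FROM INFORMATION_SCHEMA.TABLES
 WHERE CREATE_OPTIONS LIKE '%ENCRYPTION="Y"%';

-- 6. Rotate the master encryption key. With the two-tier design only the
--    tablespace keys are re-encrypted under the new master key; data pages are
--    not rewritten, so rotation is cheap and can be scheduled regularly or run
--    at once if the keyring is suspected to have been exposed.
ALTER INSTANCE ROTATE INNODB MASTER KEY;
```

Back up the keyring file (or key-server credentials) together with the data files: an encrypted tablespace without its master key cannot be read even by the server that wrote it.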