The InnoDB storage engine supports transparent data encryption for tables stored in file-per-table tablespaces. This feature provides data-at-rest encryption for physical tablespace data files.
This feature uses a two-tier encryption key architecture, consisting of a master encryption key and tablespace keys. When a table is encrypted, a tablespace key is encrypted and stored in the tablespace header. When an application or authenticated user wants to access encrypted tablespace data, the master encryption key is used to decrypt the tablespace key.
The feature relies on a MySQL Keyring plugin for master encryption key management. MySQL provides these plugin choices:
keyring_file: A plugin that stores master encryption key data in a keyring file in the location specified by the
keyring_okv: A plugin that uses a KMIP-compatible product as a back end for keyring storage. Supported KMIP-compatible products include Oracle Key Vault (OKV) and Gemalto SafeNet KeySecure Appliance.
keyring_aws: A plugin that communicates with the Amazon Web Services Key Management Service for key generation and uses a local file for key storage.
The keyring_file plugin is not intended as a regulatory compliance solution, so either the keyring_okv or the keyring_aws plugin is recommended for a secure
If you have a KMIP-compatible product or an AWS KMS account and want to configure data encryption for your secure deployment, see Keyring Plugin Installation for plugin installation and configuration instructions.
After a keyring plugin is configured, tables may be encrypted using the CREATE TABLE or TABLE. For instructions, refer to InnoDB Tablespace Encryption.
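As an added example that is not part of this page, the following SQL walks through the precondition checks, table encryption and master key rotation described above on a MySQL 5.7.11 or later server. It assumes a keyring plugin has already been loaded as described in Keyring Plugin Installation; the database and table names (demo_enc, customers, orders) are constructed for illustration.

```sql
-- Precondition checks: a keyring plugin must be active, and
-- innodb_file_per_table must be ON, because encryption applies only
-- to file-per-table tablespaces.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME LIKE 'keyring%';   -- expect PLUGIN_STATUS = 'ACTIVE'
SELECT @@innodb_file_per_table;       -- expect 1

-- Constructed example schema: one table encrypted at creation,
-- one existing table encrypted afterwards.
CREATE DATABASE IF NOT EXISTS demo_enc;
USE demo_enc;

CREATE TABLE customers (
  id    INT PRIMARY KEY,
  email VARCHAR(255) NOT NULL
) ENGINE=InnoDB ENCRYPTION='Y';

CREATE TABLE orders (
  id          INT PRIMARY KEY,
  customer_id INT NOT NULL
) ENGINE=InnoDB;                      -- created unencrypted ...
ALTER TABLE orders ENCRYPTION='Y';    -- ... then encrypted in place

-- Verify: the ENCRYPTION option is recorded in CREATE_OPTIONS for both
-- tables. Anything missing from this result is still stored in clear.
SELECT TABLE_NAME, CREATE_OPTIONS
  FROM INFORMATION_SCHEMA.TABLES
 WHERE TABLE_SCHEMA = 'demo_enc'
   AND CREATE_OPTIONS LIKE '%ENCRYPTION%';

-- Rotate the master encryption key. Only the tablespace keys held in
-- each tablespace header are re-encrypted under the new master key;
-- the table data itself is not rewritten, which is the benefit of the
-- two-tier design.
ALTER INSTANCE ROTATE INNODB MASTER KEY;
```

The plugin and innodb_file_per_table checks are worth running before creating tables: if the keyring plugin is not active, the CREATE TABLE with ENCRYPTION='Y' fails rather than silently producing an unencrypted table.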