Using transparent data encryption with MySQL

Critotech, through ezNcrypt, offers a table-level transparent data encryption solution for MySQL.

This Linux technology is purely declarative, which means you declare the tables or databases you want encrypted and then have nothing more to take care of.

What is nice with ezNcrypt is that only the mysqld process can encrypt and decrypt the data. A set of UDF functions has been added to handle that. Key management allows the key to be stored locally or remotely.
Using table-level transparent data encryption can be an interesting solution for many websites. Encrypting a few tables is often enough, and less costly than encrypting the whole database. Most of the time, partial encryption is enough to make the whole data set totally unusable. Many websites are hosted, and protection of the data asset is a key worry.

Of course, many other solutions exist, such as file system level encryption or trigger-based encryption.
File system level encryption puts more burden on the CPU, as all data is encrypted. A trigger-based encryption solution is quite intrusive and does not solve all security issues.
When implementing encryption, it is mandatory to also take care of encrypting the InnoDB recovery logs and the MySQL binary logs.
It is also necessary to be careful about temporary tables pushed to disk. Swap space encryption should also be taken into account.
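As an added example (not part of the original post and not ezNcrypt's own tooling), a small POSIX shell check for the caveat above: given a /proc/mounts snapshot and the paths MySQL reports for its data directory, InnoDB log directory, binary log base name and tmpdir, it reports which of them lie outside an eCryptfs-backed mount. The mount layout, the paths and the ecryptfs_sig value are constructed sample input, not taken from a real host.

```shell
#!/bin/sh
# Print the filesystem type of the longest mountpoint that contains a path.
# $1 = file in /proc/mounts format, $2 = absolute path to look up.
fstype_for_path() {
  mounts=$1; path=$2; best=""; besttype=""
  while read -r dev mnt fstype rest; do
    case "$path" in
      "$mnt"|"$mnt"/*|"${mnt%/}/"*)        # last alternative also handles "/"
        if [ ${#mnt} -gt ${#best} ]; then best=$mnt; besttype=$fstype; fi ;;
    esac
  done < "$mounts"
  printf '%s\n' "$besttype"
}

# Report each "label path" line of $2 as OK (on ecryptfs) or UNPROTECTED.
# Returns 0 only if every path is on an ecryptfs mount. Swap is not a mount
# and must be checked separately (e.g. /proc/swaps); on a live host resolve
# symlinks first with readlink -f, since the values come from SHOW VARIABLES.
check_mysql_paths() {
  mounts=$1; paths=$2; rc=0
  while read -r label path; do
    [ -z "$label" ] && continue
    type=$(fstype_for_path "$mounts" "$path")
    if [ "$type" = ecryptfs ]; then
      printf 'OK          %-26s %s\n' "$label" "$path"
    else
      printf 'UNPROTECTED %-26s %s (%s)\n' "$label" "$path" "${type:-no mount}"
      rc=1
    fi
  done < "$paths"
  return $rc
}

# Constructed sample input: an encrypted directory for the data files only,
# while InnoDB logs, binary logs and tmpdir stay on plain ext4 / tmpfs.
TMP=$(mktemp -d)
cat > "$TMP/mounts" <<'EOF'
/dev/sda1 / ext4 rw 0 0
/var/lib/ezncrypt/ezncrypted /var/lib/ezncrypt/ezncrypted ecryptfs rw,ecryptfs_sig=PLACEHOLDER 0 0
tmpfs /tmp tmpfs rw 0 0
EOF
cat > "$TMP/paths" <<'EOF'
datadir /var/lib/ezncrypt/ezncrypted/mysql
innodb_log_group_home_dir /var/lib/mysql
log_bin_basename /var/log/mysql/binlog
tmpdir /tmp
EOF
check_mysql_paths "$TMP/mounts" "$TMP/paths" || echo "some MySQL files are outside the encrypted mount"
```

Only the datadir line comes back OK with this input; the three others are exactly the locations the paragraph above warns about.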

Having tested ezNcrypt, I must confess it is quite simple to set up. It still needs some improvement to be more flexible when dealing with complex configurations: multiple BASEDIR and DATADIR values for people running multiple versions and instances of MySQL on the same platform.

Example of database encryption: encrypting the eztest database

[root@serge mysql]# db_encrypt eztest
ezncrypt | Checking system dependencies
mysql | getting information about database file location
………..|> using /var/lib/mysql
………..| Please provide a MySQL username & password
………..| Enter username: root
………..| Enter password:
………..| Looking if database exists
………..| done!
keymgr | Retrieving passphrase from KSS
………..|> Encryption password retrieved from KSS
………..| generating keys
………..| done!
ezncrypt | checking database encryption status
………..| done!
ezncrypt | checking disk space
………..| done!
………..| WARNING: MySQL will be stopped while encrypting data. Continue? (Y/n)
backup | backing up data
………..| This can take a while. Please be patient
………..| Executing /opt/mysql/bin/mysqlhotcopy to backup ‘eztest’
………..|> /backup/2009-12-23/eztest
………..| done!
mysql | stopping mysql service
………..| done!
ezncrypt | begin database protection
………..| moving data to encryption directory
………..| This can take a while. Please be patient
………..|> /var/lib/ezncrypt/ezncrypted/mysql/eztest
………..| done!
mysql | starting mysql service
………..| done!
mysql | adding key to mysql process
………..| done!
ezncrypt | congratulations. you have a database ready for ez-encryption!
………..Log Information: /var/log/ezncrypt/db_encrypt.log

ezNcrypt is based on very standard Linux technology such as eCryptfs.
