The process involved in safely disabling data-at-rest encryption for your Aria tables is very similar to that of enabling encryption. To disable, you need to set the relevant system variables and then rebuild each table into an unencrypted state.
Don't remove the Encryption Key Management plugin from your configuration file until you have unencrypted all tables in your database. MariaDB cannot read encrypted tables without the relevant encryption key.
With tables that the user creates, you can disable encryption by setting the
aria_encrypt_tables system variable to
OFF. Once this is set, MariaDB no longer encrypts new tables created with the Aria storage engine.
SET GLOBAL aria_encrypt_tables = OFF;
Unlike InnoDB, Aria does not currently use background encryption threads. Before removing the Encryption Key Management plugin from the configuration file, you first need to manually rebuild each table to an unencrypted state.
SELECT TABLE_SCHEMA, TABLE_NAME FROM information_schema.TABLES WHERE ENGINE = 'Aria' AND ROW_FORMAT = 'PAGE' AND TABLE_SCHEMA != 'information_schema';
Each table in the result-set was potentially written to disk in an encrypted state. Before removing the configuration for the encryption keys, you need to rebuild each of these to an unencrypted state. This can be done with an
ALTER TABLE statement.
ALTER TABLE test.aria_table ENGINE = Aria ROW_FORMAT = PAGE;
Once all of the Aria tables are rebuilt, they're safely unencrypted.
MariaDB routinely creates internal temporary tables. When these temporary tables are written to disk and the
aria_used_for_temp_tables system variable is set to
ON, MariaDB uses the Aria storage engine.
To decrypt these tables, set the
OFF. Once set, all internal temporary tables that are created from that point on are written unencrypted to disk.
© 2019 MariaDB
Licensed under the Creative Commons Attribution 3.0 Unported License and the GNU Free Documentation License.