The AWS Key Management plugin was first added to the MariaDB source code in MariaDB 10.1.13.
MariaDB's data-at-rest encryption requires the use of a key management and encryption plugin. These plugins are responsible both for the management of encryption keys and for the actual encryption and decryption of data.
MariaDB supports the use of multiple encryption keys. Each encryption key uses a 32-bit integer as a key identifier. If the specific plugin supports key rotation, then encryption keys can also be rotated, which creates a new version of the encryption key.
The AWS Key Management plugin is a key management and encryption plugin that uses the Amazon Web Services (AWS) Key Management Service (KMS).
The AWS Key Management plugin uses the Amazon Web Services (AWS) Key Management Service (KMS) to generate AES data keys, which it stores on disk in encrypted form, wrapped by the Customer Master Key (CMK) kept in AWS KMS. When MariaDB Server starts, the plugin decrypts the encrypted keys with the AWS KMS "Decrypt" API call; MariaDB data is then encrypted and decrypted with the resulting AES keys. The plugin supports multiple encryption keys and key rotation.
Tutorials related to the AWS Key Management plugin can be found at the following pages:
mysqld. More information about the credentials file can be found in the AWS CLI Getting Started Guide.

The AWS Key Management plugin depends on the AWS SDK for C++, which uses the Apache License, Version 2.0. This license is not compatible with MariaDB Server's GPL 2.0 license, so we are not able to distribute packages that contain the AWS Key Management plugin. Therefore, the only way to obtain the plugin currently is to build it from source.
When compiling MariaDB from source, the AWS Key Management plugin is not built by default in MariaDB 10.1, but it is built by default in MariaDB 10.2 and later, on systems that support it.
Compilation is controlled by the -DPLUGIN_AWS_KEY_MANAGEMENT=DYNAMIC -DAWS_SDK_EXTERNAL_PROJECT=1 cmake arguments.
The plugin uses the AWS C++ SDK, which introduces the following build requirements:
- gcc 4.8 or later, clang 3.3 or later, or Visual Studio 2013 or later.
- The libcurl development package (e.g. libcurl3-dev on Debian Jessie), the uuid development package and openssl need to be installed.
- A newer cmake than is provided by default in your OS may be needed.

Even after the package that contains the plugin's shared library is installed on the operating system, the plugin is not actually installed by MariaDB by default. There are two methods that can be used to install the plugin with MariaDB.
The first method can be used to install the plugin without restarting the server. You can install the plugin dynamically by executing INSTALL SONAME or INSTALL PLUGIN. For example:
INSTALL SONAME 'aws_key_management';
The second method can be used to tell the server to load the plugin when it starts up. The plugin can be installed this way by providing the --plugin-load or the --plugin-load-add options. This can be specified as a command-line argument to mysqld or it can be specified in a relevant server option group in an option file. For example:
[mariadb]
...
plugin_load_add = aws_key_management
Before you uninstall the plugin, you should ensure that data-at-rest encryption is completely disabled, and that MariaDB no longer needs the plugin to decrypt tables or other files.
You can uninstall the plugin dynamically by executing UNINSTALL SONAME or UNINSTALL PLUGIN. For example:
UNINSTALL SONAME 'aws_key_management';
If you installed the plugin by providing the --plugin-load or the --plugin-load-add options in a relevant server option group in an option file, then those options should be removed to prevent the plugin from being loaded the next time the server is restarted.
To enable the AWS Key Management plugin, you also need to set the plugin's system variables. The aws_key_management_master_key_id system variable is the primary one to set. These system variables can be specified as command-line arguments to mysqld or they can be specified in a relevant server option group in an option file. For example:
[mariadb]
...
aws_key_management_master_key_id=alias/<your key's alias>
Once you've updated the configuration file, restart the MariaDB server to apply the changes and make the key management and encryption plugin available for use.
Once the AWS Key Management Plugin is enabled, you can use it by creating an encrypted table:
CREATE TABLE t (i int) ENGINE=InnoDB ENCRYPTED=YES;
Now, table t will be encrypted using the encryption key generated by AWS.
For more information on how to use encryption, see Data at Rest Encryption.
The AWS Key Management Plugin supports using multiple encryption keys. Each encryption key can be defined with a different 32-bit integer as a key identifier. If a previously unused identifier is used, then the plugin will automatically generate a new key.
When encrypting InnoDB tables, the key that is used to encrypt tables can be changed.
When encrypting Aria tables, the key that is used to encrypt tables cannot currently be changed.
The AWS Key Management plugin does support key rotation. To rotate a key, set the aws_key_management_rotate_key system variable. For example, to rotate the key with ID 2:
SET GLOBAL aws_key_management_rotate_key=2;
Or to rotate all keys, set the value to -1:
SET GLOBAL aws_key_management_rotate_key=-1;
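The table-creation step and the key rotation above, combined into one worked session as an added example (not from the MariaDB Knowledge Base page): it assumes the plugin is already loaded and aws_key_management_master_key_id is set, uses constructed table names, and relies on InnoDB's background encryption threads (innodb_encryption_threads, not covered on this page) to re-encrypt pages after the rotation.

```sql
-- Added example, not from the MariaDB KB page. Assumes the plugin is
-- installed and aws_key_management_master_key_id is configured.

-- 1. Confirm the plugin is active and inspect its effective settings.
SELECT PLUGIN_NAME, PLUGIN_STATUS, PLUGIN_LIBRARY
  FROM information_schema.PLUGINS
 WHERE PLUGIN_NAME = 'aws_key_management';
SHOW GLOBAL VARIABLES LIKE 'aws_key_management%';

-- 2. Encrypt two tables under different key identifiers (table names are
--    constructed). Key ID 1 is MariaDB's default; using a previously unused
--    ID such as 2 makes the plugin generate a new data key via AWS KMS.
CREATE TABLE customer_pii (id INT PRIMARY KEY, email VARCHAR(255))
  ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=1;
CREATE TABLE audit_log (id INT PRIMARY KEY, msg TEXT)
  ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=2;

-- 3. Verify that InnoDB actually applied encryption, and record the key id
--    and key version each tablespace currently uses.
SELECT NAME, ENCRYPTION_SCHEME, CURRENT_KEY_ID, CURRENT_KEY_VERSION,
       MIN_KEY_VERSION, ROTATING_OR_FLUSHING
  FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
 WHERE NAME LIKE '%/customer_pii' OR NAME LIKE '%/audit_log';

-- 4. Rotate only key 2. A new key version is created by the plugin; InnoDB's
--    encryption threads (innodb_encryption_threads > 0) then re-encrypt the
--    pages of audit_log, so its CURRENT_KEY_VERSION rises while customer_pii
--    keeps its version. Re-run the query until ROTATING_OR_FLUSHING is 0.
SET GLOBAL aws_key_management_rotate_key = 2;
SELECT NAME, CURRENT_KEY_ID, CURRENT_KEY_VERSION, ROTATING_OR_FLUSHING
  FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
 WHERE NAME LIKE '%/customer_pii' OR NAME LIKE '%/audit_log';
```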
Version | Status | Introduced |
---|---|---|
1.0 | Stable | MariaDB 10.2.6, MariaDB 10.1.24 |
1.0 | Beta | MariaDB 10.1.18 |
1.0 | Experimental | MariaDB 10.1.13 |
Variable | Command-line | Data type | Default value | Valid values |
---|---|---|---|---|
aws_key_management_key_spec | --aws-key-management-key-spec=value | enumerated | AES_128 | AES_128, AES_256 |
aws_key_management_log_level | --aws-key-management-log-level=value | enumerated | Off | Off, Fatal, Warn, Info, Debug, Trace |
aws_key_management_master_key_id | --aws-key-management-master-key-id=value | string | | |
aws_key_management_mock | --aws-key-management-mock | boolean | OFF | OFF, ON |
aws_key_management_region | --aws-key-management-region=value | string | 'us-east-1' | |
aws_key_management_request_timeout | --aws-key-management-request-timeout=value | integer | | |
aws_key_management_rotate_key | --aws-key-management-rotate-key=value | integer | | |
aws_key_management | --aws-key-management=value | enumerated | ON | OFF, ON, FORCE, FORCE_PLUS_PERMANENT |

aws_key_management_rotate_key: set to a key identifier to rotate that key using the master key in aws_key_management_master_key_id. Specify -1 to rotate all keys.

aws_key_management: controls how the server treats the plugin at startup.
- OFF - Disables the plugin without removing it from the mysql.plugins table.
- ON - Enables the plugin. If the plugin cannot be initialized, then the server will still continue starting up, but the plugin will be disabled.
- FORCE - Enables the plugin. If the plugin cannot be initialized, then the server will fail to start with an error.
- FORCE_PLUS_PERMANENT - Enables the plugin. If the plugin cannot be initialized, then the server will fail to start with an error. In addition, the plugin cannot be uninstalled with UNINSTALL SONAME or UNINSTALL PLUGIN while the server is running.
© 2019 MariaDB
Licensed under the Creative Commons Attribution 3.0 Unported License and the GNU Free Documentation License.
https://mariadb.com/kb/en/aws-key-management-encryption-plugin/