marrowyung

asked on

What encryption do MySQL and MariaDB offer?
Hi,

What encryption do MySQL and MariaDB offer? Does MySQL offer the same as MariaDB?

Is encryption at the whole-disk level or DB level only? Row level or database file level?
noci

First, for disk-level encryption the OS is needed, as almost ALL DBs don't normally use raw disks.
Both databases need some form of filesystem because there is a file / table and a metadata set / table.
Effectively metadata is NOT encrypted, the contents are...

Here is what MariaDB can do for you:
https://mariadb.com/resources/blog/table-and-tablespace-encryption-mariadb-101
marrowyung (ASKER)

How about MySQL?
ASKER CERTIFIED SOLUTION
noci
"because of Oracle's track record on maintaining software i thought it was wiser to switch to another DB"

What does that mean? Whenever Oracle buys a piece of software, will it kill it?

And you are using MariaDB?

We are undergoing a study on MSSQL, MySQL, MariaDB, Oracle and DB2; we want to know which one to switch to.

I know MySQL and MariaDB both support data-at-rest encryption.

Also, as a DB, when the audit tools are turned on to log security issues, will MySQL or MariaDB slow down a lot?

What tools are usually used for MySQL and MariaDB audit?
SOLUTION
"or not maintain it properly: Java, OpenOffice, Solaris, .... (almost all stuff from SUN)."

Yeah, I heard about that! But it seems MS bought R and did not kill it!

MS SQL Server has the Hadoop-to-SQL gateway, free and scalable!

"I do use MariaDB although for minimalistic projects. (i have no big multi GB databases to run)."

What is the relationship?

"Never done an audit for DB's sorry i have no idea...."

I have done a lot! This is one of the areas which is a big exam for a DB! E.g. if you turn on all audit options, your DB can slow down a LOT! It is just like the DB keeps experiencing a lot of busy queries!!

In MS SQL, if we turn on C2 audit, the built-in audit, the whole DB will just look like it is hung, as the DB LOGS DOWN everything.

But this kind of paid DB will have a lot of audit features to get rid of that! E.g. log down ALL necessary actions on the fly for all SQL behaviour without impacting any PRODUCTION performance.

What if it is PCI compliance? It is a MUST! MS SQL got ready for it a long, long time ago!

"And the slightly bigger DB i have been involved with required fault tolerance above anything else. (Also running in a walled garden, so no security issues expected)."

Lucky you!

For me, all DBs I have been involved with have a lot of security concerns, e-commerce and government, etc., and they all get extremely hard loading and I need to tune them quickly! Like the financial industry!

We don't consider PostgreSQL at this moment.
Any update for us?
If you mean query tracking, MariaDB has a highly configurable audit plugin. It can log to an in-memory database which won't slow the server too much.
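As an added illustration (not from skullnobrains' post or the MariaDB project), this my.cnf fragment enables MariaDB's server_audit plugin but restricts it to connection and DDL/DCL events, which is the usual way to keep audit overhead well below that of logging every statement; the log path and the excluded user name are placeholders.

```ini
# Added example: MariaDB server_audit plugin scoped to the events that matter
# for access review, not every query. Path and user name below are placeholders.
[mariadb]
plugin_load_add = server_audit
server_audit_logging = ON

# CONNECT   = logins, logouts and failed logins
# QUERY_DDL = schema changes (CREATE/ALTER/DROP)
# QUERY_DCL = GRANT/REVOKE and user management
# Leaving out QUERY_DML keeps the per-statement logging cost off the hot path.
server_audit_events = CONNECT,QUERY_DDL,QUERY_DCL

# Write to a file the DBA controls rather than the server's general log.
server_audit_output_type = file
server_audit_file_path = /var/log/mysql/server_audit.log

# Rotate at ~10 MB and keep 9 old files so a busy server cannot fill the disk.
server_audit_file_rotate_size = 10000000
server_audit_file_rotations = 9

# Skip a chatty monitoring account (assumed name) to cut noise.
server_audit_excl_users = monitor
```

If full statement auditing is required (for example by a compliance scope), add QUERY_DML and measure the throughput impact on a staging server before enabling it in production.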
skullnobrains,

No, encryption; look at what the other writer wrote.
Sorry, I probably mixed it up with one of your other threads.

"Encryption is on the whole disk level or DB level only? Row level or database file level?"

Disk level: easily feasible with geli (including when providing raw disks to MySQL/MariaDB). This is not the job of the sgbd.
DB level: this level is meaningless in MySQL: either all DBs are lumped together or each table has its file(s). But encrypting all tables of a DB provides roughly the same feature.
Table level: yes: see the above answer (noci's, if I recollect) or encrypt the files at the filesystem level.
Tablespace level: supported with InnoDB. See each engine's docs for other cases. Many engines don't have tablespaces at all.
Row level: not as far as I know. Probably supported in some engines.
Field level: see the above answer. Additionally this is the job of the application, not the database.
https://mariadb.com/kb/en/library/data-at-rest-encryption/

MariaDB allows the user to configure flexibly what to encrypt. In XtraDB or InnoDB, one can choose to encrypt:

    everything — all tablespaces (with all tables)
    individual tables
    everything, excluding individual tables

Additionally, one can choose to encrypt XtraDB/InnoDB log files (recommended).
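The three options quoted above correspond to server settings. The following my.cnf fragment is an added example, not from skullnobrains' post or the MariaDB page linked; it assumes MariaDB 10.1 or later with the file_key_management plugin, and the key file paths are placeholders.

```ini
# Added example: MariaDB (10.1+) data-at-rest encryption using the
# file_key_management plugin. Paths are placeholders; the key file is assumed
# to live outside the data directory and be readable only by the mysql user.
[mariadb]
plugin_load_add = file_key_management
# keyfile.enc holds lines of the form <key_id>;<hex key>, itself encrypted
# with the passphrase stored in keyfile.key (FILE: prefix = read it from a file)
file_key_management_filename = /etc/mysql/keys/keyfile.enc
file_key_management_filekey = FILE:/etc/mysql/keys/keyfile.key
file_key_management_encryption_algorithm = AES_CTR

# "everything, excluding individual tables": ON encrypts every InnoDB table
# unless it was created with ENCRYPTED=NO. FORCE would reject ENCRYPTED=NO,
# giving the "everything" option instead.
innodb_encrypt_tables = ON

# "encrypt XtraDB/InnoDB log files (recommended)": the redo log also carries
# row data, so leaving it in clear undoes the tablespace encryption.
innodb_encrypt_log = ON

# Background threads that encrypt existing tablespaces after the setting
# is turned on and handle key rotation.
innodb_encryption_threads = 4

# Other places where table contents would otherwise reach disk unencrypted.
encrypt_binlog = ON
encrypt_tmp_files = ON
encrypt_tmp_disk_tables = ON
aria_encrypt_tables = ON
```

The "individual tables" option is chosen per table with `ENCRYPTED=YES` (or `ENCRYPTED=NO` to exclude one) on CREATE TABLE or ALTER TABLE, and `information_schema.INNODB_TABLESPACES_ENCRYPTION` shows which tablespaces are currently encrypted.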
"this is not the job of the sgbd"

What is sgbd?

"but encrypting all tables of a db provides roughly the same feature."

I mean what encryption can be at DB level, like TDE?

But both MySQL and MariaDB only encrypt data at rest, right? So it is table, tablespace level and row level?
sgbd is a general term for DB engine. Sorry, that was the French acronym.

Yes, like TDE. Encrypting the disk at the OS level with geli or whichever alternative you prefer provides the same feature. There is little point in doing so in the DB engine unless you want to selectively encrypt part of the data.

Encrypting individual fields or rows automagically is not supported in either as far as I know. And there is no plan nor much point in doing so.

Also note that in-flight encryption is essentially a scam if WHERE clauses work on the corresponding fields/rows, and should rather be performed by the application if WHERE clauses are not expected to work anyway.

Most of the 'in DB engine' encryption mess is essentially a commercial scam that hardly covers any real-life problem. Security is not achieved by blindly encrypting anything you can.

I'm unsure asking so many redundant questions is an efficient way to solve whatever your actual problem is.
"most of the 'in db engine' encryption mess is essentially a commercial scam that hardly covers any real life problem. security is not achieved by blindly encrypting anything you can."

You seem to be saying encryption should not be implemented at DB level?

How about PCI compliance?
I don't say it should or should not.
- IF you want to encrypt the on-disk data, doing it in your SQL engine or at the OS level makes little to no difference. Actually the filesystem level is safer because there is no reason why the SQL engine should have the decryption key.
- Encrypting data on disk has zero effect on remote hacks (since they are performed on RUNNING machines).
- ... and so on.

PCI compliance does not state anywhere that the SQL engine should do encryption (AFAIK). Basically you're expected to use SSL for WAN connections, provide mild application-layer security, and restrict access to wherever your servers are located.

REAL security in such contexts would probably require you to split encrypted data between multiple locations, which may or may not be feasible/easy in your personal case.
"there is no reason why the sql engine should have the decryption key."

Any problem with it?

"encrypting data on-disk has zero effect on remote hacks"

So this means it can't be hacked (impossible!) or is very hard to hack if encrypted on disk?

"and restrict access to wherever your servers are located."

Yeah, this is very important!

"require you split encrypted data between multiple locations which may or may not be feasible/easy in your personal case."

Usually how do you do it?
"any problem with it?"

Yes there is: the SQL engine is more exposed than the system. The key should not reside in its memory, as there are chances it could be retrieved remotely or possibly retrieved from a crash dump or the like.

"So this means it can't be hacked (impossible!) or is very hard to hack if encrypted on disk?"

This means the remote attacker won't even notice the disk is encrypted and it makes no difference to him. Disk encryption is useless in the context of remote hacks.

Please do not make me rephrase again and again. I'm using my scarce free time to help you and this is a pain.

"Usually how do you do it?"

Don't you even have an idea? I cannot explain every simple thing. And this is way beyond the scope of your question.

I'm not against side questions but they require a little work on your side, which you seem reluctant to do.
If you are a senior architect indeed, you may want to do a little personal work before you ask more questions.
Encryption is indeed only useful for data at rest.

So it will protect data while it is off-line, systems are shut down (and disks used in different systems), disks get dismounted... (a key is needed to remount them)... Also data while being transmitted is "at rest"..., meaning you need to encrypt data links against eavesdropping as well as data modification.
"Also data while being transmitted is "at rest""

Data transmitted is at rest and transmitting is not at rest; it is your definition, right?

"meaning you need to encrypt data links against eavesdropping as well as data modification."

Sure!
Thanks all.
Yes. The data is at rest during transmission. (It's the packet headers etc. that are the active data; the content is just a binary object.)
"The data is at rest during transmission"

?

It is at rest AFTER being transmitted, right?
Packets (on any network...) consist of a header and a payload.
The header is the active content during transmission (source address, destination address, checksum, traffic classes etc. etc.).
The payload is just a bunch of bytes THAT SHOULD NOT CHANGE during transmission...
A network is only interested in the header; content can be ANYTHING, irrelevant to the network. ==> payload data is at rest.

In a VPN even source & destination are available to the outside world (source of the VPN packet, destination of the VPN packet).
The REAL ultimate source / destination is just payload within the VPN packet (and should be encrypted).

The payload is active data before transmission and after reception, not during transmission.
"The Payload is active data before transmission and after reception, not during transmission."

So this payload is the data we are transmitting, right?

So your point is: when data is on the disk, it is encrypted; when it is being transmitted, the data part is not encrypted but at rest, as it has no change during transmission, right?
You need to protect data at rest... that is when it can be analyzed out of context (a tap on the wire, a copy of a disk etc.) without the OS or application working on it.

You read data from a file (in the file it is at rest... so on-disk encryption may be applicable); your program transforms it to send it through a network... (on the network this data is at rest again; the network does nothing with it, except transport it)...
More or less like a freight of gold:
In the warehouse you need to protect it (protected warehouse, protected storage); when transporting it you need a forklift to put it in the truck, possibly repacking gold bars on pallets of various sizes; when in the truck, the transport needs protection (armoured truck, escort, like data in a VPN); unloading the truck and restocking a warehouse is again manipulating the form of the data, different pallets etc.

You need to protect the payload; for computers that often means encrypting it unless you can ensure it is not accessible.
On networks there is no such assurance; laptops are portable and can be carried away, copies can be made (while systems are turned off) etc.
Thanks.

Sorry, payload means the data you are referring to, right?