6

A MySQL database needs to contain highly sensitive data that cannot be left unencrypted at rest. Yet the database needs to remain searchable by an app. What are the options for encryption at rest with MySQL?

I have looked into CryptDB, but it has not been supported since early 2014, and CryptDB also does not integrate with Java naturally. It might be a lot of work to get CryptDB to work with Spring and Eclipse, only to find that it is less and less supported as time passes by. And it seems like other row-level encryption methods are not yet viable, unless someone has suggestions.

So what are the database level encryption options for MySQL? And what are the file system encryption options related to a MySQL database running in CentOS 7?

The MySQL database interacts with a Spring MVC app exclusively.

Note: This is running on a dedicated physical box that ONLY has CentOS 7 installed. So we cannot use any Windows-specific tools.

CodeMed

4 Answers

2

If you have MySQL installed and running on a Windows Server, you may want to look into BitLocker with TPM encryption plus a PIN boot password. Even if the host OS is Windows and CentOS runs as a VM, this would suffice.

  • TrueCrypt
  • VeraCrypt

There's data-at-rest encryption: when the data is at rest on a server disk partition and not being accessed by some query, using OS-level full disk encryption such as BitLocker with TPM plus a PIN boot password is fine per many regulations such as HITECH, HIPAA, etc.

Data-in-motion and access controls over who or what applications you allow to access the data are a different story, but I'd look into something of that nature or equivalent for data-at-rest encryption specifically.

IT Thug Ninja
2

You have several options:

If you want to encrypt the files containing the database, you have dm-crypt included in the kernel to provide that kind of security: https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt

If your app is outside the database machine, you also want to encrypt the communication; you can use the SSL option that is already included in MySQL: https://dev.mysql.com/doc/refman/5.6/en/ssl-connections.html

And you can descend to the application level and cipher data on demand using the encryption functions that MySQL provides, like aes_encrypt: https://dev.mysql.com/doc/refman/5.6/en/encryption-functions.html

PerroVerd
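The application-level option above, worked through as an added Go example (not code from any answer, and not MySQL's own AES_ENCRYPT): the app seals each column value with AES-256-GCM before it reaches the database, and, going beyond what the answer names, keeps an HMAC "blind index" of the plaintext in a second column so `WHERE ssn_idx = ?` still gives exact-match lookups on data the server only ever sees encrypted. Keys, the `ssn` column and the sample value are constructed for the example; range and LIKE searches are not covered by this scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Constructed keys so the example runs stand-alone; real keys live in a key
// store outside the database and never reach the DB host.
var encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var idxKey = []byte("fedcba9876543210fedcba9876543210") // separate HMAC key
var gcm cipher.AEAD                                      // built once in init

func init() {
	block, _ := aes.NewCipher(encKey) // key above is a valid 32-byte AES key
	gcm, _ = cipher.NewGCM(block)     // cannot fail for an AES block
}

// EncryptValue seals a column value and prepends the random nonce, so the row
// stores one opaque BLOB the database cannot read.
func EncryptValue(plain string) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plain), nil), nil
}

// DecryptValue reverses EncryptValue; a tampered or truncated blob errors out.
func DecryptValue(blob []byte) (string, error) {
	n := gcm.NonceSize()
	if len(blob) < n {
		return "", errors.New("ciphertext too short")
	}
	plain, err := gcm.Open(nil, blob[:n], blob[n:], nil)
	return string(plain), err
}

// BlindIndex is an HMAC of the plaintext kept in a second, indexed column: equal
// plaintexts give equal index values, so the app can run WHERE ssn_idx = ?.
func BlindIndex(plain string) string {
	mac := hmac.New(sha256.New, idxKey)
	mac.Write([]byte(plain))
	return hex.EncodeToString(mac.Sum(nil))
}
```

Store the BLOB from EncryptValue in `ssn_enc` and the hex string from BlindIndex in an indexed `ssn_idx` column; the index key must differ from the encryption key so that the index reveals nothing about the ciphertext.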
1

MariaDB is pretty much a drop-in replacement for MySQL. It has encryption of data at rest from version 10.1.

https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/

0

I don't know if you're considering commercial products, but this product called MyDiamo has an engine-based MySQL/MariaDB encryption solution.

What's good about the approach is that it is format- and order-preserving, which I think would be great for your 'searchability' requirement. It will also allow you to have column-specific access control and enc/dec policies.

Disclosure: I've worked as a DB security consultant and used MyDiamo and/or its variants on many occasions.

NA AE