Generate Keys
1. Create the keys file (one line per key, in the form `<key id>;<hex-encoded key>`)
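## Work in a root shell. umask 077 makes every file created below readable by
## root only, instead of the usual world-readable default, until the
## permissions are set explicitly in "Change Permissions".
# sudo su
# umask 077
# mkdir -p /etc/mysql/encryption
# cd /etc/mysql/encryption
## Each line is "<key id>;<64 hex characters>": 32 random bytes, i.e. a 256-bit key.
## The first line truncates/creates the file (>), the rest append (>>).
# echo "1;"$(openssl rand -hex 32) > keys
# echo "2;"$(openssl rand -hex 32) >> keys
# echo "3;"$(openssl rand -hex 32) >> keys
# echo "4;"$(openssl rand -hex 32) >> keys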
2. Create the password file (the passphrase used to encrypt the keys file)
# openssl rand -hex 128 > password_file
3. Encrypt the keys file
## Encrypts "keys" into "keys.enc" using the passphrase stored in password_file.
## -aes-256-cbc with -md sha1 is the format described in MariaDB's File Key
## Management documentation; a different cipher or digest yields a keys.enc the
## plugin cannot decrypt.
## The plaintext "keys" file is still on disk after this command; the server
## configuration below references only keys.enc and password_file.
# openssl enc -aes-256-cbc -md sha1 -pass file:password_file -in keys -out keys.enc
Updating MariaDB Configuration
Create the config file
# sudo vim /etc/mysql/mariadb.conf.d/encryption.cnf
Paste the following content:
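[mariadb]
## File Key Management
# Load the plugin that reads encryption keys from a file on disk.
plugin_load_add = file_key_management
# Encrypted key list, and the passphrase file used to decrypt it.
# NOTE(review): both files live in the same directory, so anyone who can read
# that directory can recover the keys. Protection rests on the file
# permissions and on keeping this directory out of database backups.
file_key_management_filename = /etc/mysql/encryption/keys.enc
file_key_management_filekey = FILE:/etc/mysql/encryption/password_file
file_key_management_encryption_algorithm = aes_cbc
## InnoDB/XtraDB Encryption Setup
# Key id 1 from the keys file is used for tables that do not name a key.
innodb_default_encryption_key_id = 1
# FORCE encrypts new tables and refuses tables created with ENCRYPTED=NO.
# Use ON instead to encrypt by default while still allowing a per-table opt-out.
# The value must be one word; "FORCE ( or ON )" is not a valid setting.
innodb_encrypt_tables = FORCE
# Encrypt the InnoDB redo log as well as the tablespaces.
innodb_encrypt_log = ON
# Background threads that encrypt existing pages and rotate keys.
innodb_encryption_threads = 4
## Aria Encryption Setup
aria_encrypt_tables = ON
## Temp & Log Encryption
# Option names are written with underscores throughout; MariaDB treats "-" and
# "_" in option names as equivalent. Booleans use ON consistently.
encrypt_tmp_disk_tables = ON
encrypt_tmp_files = ON
encrypt_binlog = ON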
Change Permissions
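## Absolute paths are used so the result does not depend on the current directory.
## Remove the plaintext key list: the server reads only keys.enc and
## password_file, and the plaintext can be recovered from those two with
## "openssl enc -d" if it is ever needed again.
# sudo rm -f /etc/mysql/encryption/keys
## Hand the directory to the mysql user, then make it traversable by its owner only.
# sudo chown -R mysql:root /etc/mysql/encryption
# sudo chmod 500 /etc/mysql/encryption/
## Key material: read-only for the owner, no access for group or others.
# sudo chmod 400 /etc/mysql/encryption/keys.enc /etc/mysql/encryption/password_file
## The option file holds paths only, no secrets, so it can stay world-readable.
# sudo chmod 644 /etc/mysql/mariadb.conf.d/encryption.cnf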
Restart MariaDB
# sudo service mariadb restart
Check Result
REF
https://webdock.io/en/docs/how-guides/security-guides/how-to-enable-encryption-mariadb