In this sixth episode of the MySQL Security series, we will see how data-at-rest encryption helps organizations implement stronger security controls and satisfy regulatory compliance. You will be able to protect the privacy of your information, prevent data breaches and help meet popular regulatory requirements including GDPR, PCI DSS, HIPAA with MySQL Enterprise Transparent Data Encryption aka TDE.
In this blog post, we’ll discuss migrating data from encrypted Amazon MySQL RDS to encrypted Amazon Aurora.
One of my customers wanted to migrate from an encrypted MySQL RDS instance to an encrypted Aurora instance. They have a pretty large database, therefore using mysqldump or a similar tool was not suitable for them. They also wanted to set up replication between old MySQL RDS and new Aurora instances.
Spoiler: this is possible without any logical dump.
At first, I checked Amazon’s documentation on encryption and found nothing about this type of …
Join Percona’s Chief Evangelist, Colin Charles as he presents Securing Your MySQL/MariaDB Data on Tuesday, July 11, 2017 at 7:00 am PDT / 10:00 am EDT (UTC-7).
This webinar will discuss the features of MySQL/MariaDB that when enabled and used improve the default usage of MySQL. Many cloud-based applications fail to:
- Use appropriate filesystem permissions
- Employ TLS/SSL for connections
- Require TLS/SSL with MySQL replication
- Use external authentication plugins (LDAP, PAM, Kerberos)
- Encrypt all your data at rest …
Join Percona’s Solutions Engineer, Dimitri Vanoverbeke as he presents Security and Encryption in the MySQL World on Thursday, July 6, 2017, at 7:00 am PDT / 10:00 am EDT (UTC-7).
MySQL and MariaDB Server provide many new features that help with security and encryption, both of which are extremely important in today’s world. Learn how to use these features, from roles to at-rest-encryption, to increase security. At the end of the webinar, you should understand how to have a securely configured MySQL instance!
…
Welcome to Part 2 in a series of blog posts on MySQL encryption at rest. This post covers InnoDB tablespace encryption.
At Percona, we work with a number of clients that require strong security measures for PCI, HIPAA and PHI compliance, where data managed by MySQL needs to be encrypted “at rest.” As with all things open source, there are several options for meeting the MySQL encryption at rest requirement. In this three-part series, we cover several popular options of encrypting data and present the various pros and cons to each solution. You may want to evaluate which parts of these tutorials work best for your situation before using them in production.
Part one of this series covered …
This blog post looks at SSL connections and how they work in MySQL 5.7.
Recently I was working on an SSL implementation with MySQL 5.7, and I made some interesting discoveries. I realized I could connect to the MySQL server without specifying the SSL keys on the client side, and the connection is still secured by SSL. I was confused and I did not understand what was happening.
In this blog post, I am going to show you why SSL works in MySQL 5.7, and it worked previously in MySQL 5.6.
Let’s start with an introduction of how SSL worked in 5.6.
SSL in MySQL 5.6
The documentation for SSL in MySQL 5.6 is quite detailed, and it explains how SSL works. But first let’s make one thing …
In this first of a series of blog posts, we’ll look at MySQL encryption at rest.
At Percona, we work with a number of clients that require strong security measures for PCI, HIPAA and PHI compliance, where data managed by MySQL needs to be encrypted “at rest.” As with all things open source, there are several options for meeting the MySQL encryption at rest requirement. In this three-part series, we cover several popular options of encrypting data and present the various pros and cons to each solution. You may want to evaluate which parts of these tutorials work best for your situation before using them in production.
Part one of this series is implementing disk-level encryption using crypt+LUKS.
In MySQL 5.7, InnoDB has built-in encryption features. This solution has some cons, …
In this blog post, we’ll look at the performance of SST data transfer using encryption.
In my previous post, we reviewed SST data transfer in an unsecured environment. Now let’s take a closer look at a setup with encrypted network connections between the donor and joiner nodes.
The base setup is the same as the previous time:
- Database server: Percona XtraDB Cluster 5.7 on donor node
- Database: sysbench database – 100 tables 4M rows each (total ~122GB)
- Network: donor/joiner hosts are connected with dedicated 10Gbit LAN
- Hardware: donor/joiner hosts – boxes with 28 Cores+HT/RAM 256GB/Samsung SSD 850/Ubuntu 16.04
The setup details for the encryption aspects in our testing:
- Cryptography libraries: openssl-1.0.2, …
TwinDB Backup has supported encrypted backup copies since version 2.11.0. As usual, the tool natively supports backup and restore operations; if backup copies are encrypted, the tool takes care of decryption.
Installing TwinDB Packages repository
I will work with a CentOS 7 system to show the example, but there are also packages for Ubuntu trusty and Debian […]
The post Howto Encrypt MySQL Backups on S3 appeared first on TwinDB.
Okay, so you’ve read the first post on enabling MariaDB’s data at rest encryption, and now you are ready to create an encrypted table.
And just to get it out of the way for those interested, you can always check your encrypted (and non-encrypted) table stats via:
SELECT * FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION;
ENCRYPTION_SCHEME=1 means the table is encrypted and ENCRYPTION_SCHEME=0 means it is not.
But let’s get into some specific examples.
I find the following 4 tables interesting, as the first 3 essentially all create the same table, and the 4th shows how to create a non-encrypted table once you have encryption enabled.
CREATE TABLE t10 (id int) ENGINE=INNODB;
CREATE TABLE t11 (id int) ENGINE=INNODB ENCRYPTED=YES;
CREATE TABLE t12 (id int) ENGINE=INNODB …