
Encrypt a MariaDB database table

Before running the commands shown on this page, you should load the Bitnami stack environment by executing the installdir/use_APPNAME script (Linux and macOS) or by clicking the shortcut in the Start Menu under “Start -> Bitnami APPNAME Stack -> Application console” (Windows). On OS X VMs, the installation directory is /opt/bitnami and OS X VM users can click the “Open Terminal” button to run commands. Learn more about the Bitnami stack environment and about OS X VMs.

NOTE: The Approach A sections referred to below do not apply to Bitnami native installers. Users of Bitnami native installers should refer only to the Approach B sections.


NOTE: We are in the process of modifying the configuration for many Bitnami stacks. On account of these changes, the file paths and commands stated in this guide may change depending on whether your Bitnami stack uses MySQL or MariaDB.

Linux and macOS native installer users can identify which database server is used in the stack by running the command below:

 $ test -d installdir/mariadb && echo "MariaDB" || echo "MySQL"

Windows native installer users can identify which database server is used in the stack by checking for the presence of the installdir/mariadb directory. If present, the installer uses MariaDB and if not, it uses MySQL.

Depending on which database server (MySQL or MariaDB) is used by the installation, use the appropriate guides in our documentation for database-related operations.

NOTE: Table encryption support is only available for InnoDB tables stored as individual files (the innodb_file_per_table option, enabled by default).

Follow the steps below to configure table encryption support:

  • Edit the configuration file, which depending on your installation type will be in one of the following locations:

    • For Bitnami installations following Approach A (using Linux system packages): installdir/mariadb/conf/my.cnf
    • For Bitnami installations following Approach B (self-contained installations): installdir/mariadb/my.cnf
  • Add the following lines to the configuration file, within the [mysqld] section, to activate the keyring_file plugin:

      early-plugin-load=keyring_file.so
      keyring_file_data=installdir/mariadb/data/keyring
    

    NOTE: The keyring file will be automatically created in the above location when the first table is encrypted. Keep a backup of this file as the data stored in the encrypted tables cannot be recovered without it.

  • Restart the MariaDB server:

      $ sudo installdir/ctlscript.sh restart mariadb
    
  • Confirm that the keyring_file plugin is active by running the query below in the client:

      SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'keyring%';
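
A check that can be run on the configuration file before restarting the server, as an added example that is not part of the Bitnami documentation: the hypothetical helper check_keyring_cnf verifies that both keyring settings from the steps above sit inside the [mysqld] section and that innodb_file_per_table has not been disabled there. The sample configuration at the end is constructed.

```shell
#!/bin/sh
# Added example: check_keyring_cnf is a hypothetical helper, not a Bitnami tool.
# Returns 0 only if both keyring settings sit inside [mysqld] and
# innodb_file_per_table is not switched off there.
check_keyring_cnf() {
    awk '
        { sub(/#.*$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        $0 == "" || /^;/ { next }
        /^\[.*\]$/ { section = tolower(substr($0, 2, length($0) - 2)); next }
        {
            n = index($0, "=")
            key = (n ? substr($0, 1, n - 1) : $0)
            val = (n ? substr($0, n + 1) : "")
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/-/, "_", key); key = tolower(key)   # "-" and "_" are equivalent
            if (key == "early_plugin_load" || key == "keyring_file_data") {
                if (section == "mysqld") seen[key] = val
                else misplaced[key] = section
            }
            if (section == "mysqld" && key == "innodb_file_per_table" &&
                tolower(val) ~ /^(0|off)$/) fpt_off = 1
        }
        END {
            rc = 0
            if (seen["early_plugin_load"] !~ /keyring_file/) {
                print "FAIL: early-plugin-load=keyring_file.so not in [mysqld]"; rc = 1 }
            if (seen["keyring_file_data"] == "") {
                print "FAIL: keyring_file_data not in [mysqld]"; rc = 1 }
            for (k in misplaced)
                print "WARN: " k " is under [" misplaced[k] "], not [mysqld]"
            if (fpt_off) { print "FAIL: innodb_file_per_table is disabled"; rc = 1 }
            if (rc == 0) print "OK: keyring file path is " seen["keyring_file_data"]
            exit rc
        }
    ' "$1"
}

# Constructed sample config, not taken from a real installation.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[mysqld]
innodb_file_per_table=1
early-plugin-load=keyring_file.so
keyring_file_data=installdir/mariadb/data/keyring
EOF
check_keyring_cnf "$sample"
rm -f "$sample"
```

Pass the path of the real configuration file (one of the two locations listed above) as the only argument.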
    

You should now be able to create an encrypted table by adding the ENCRYPTION='Y' clause to any CREATE TABLE command. Here is an example:

CREATE TABLE mytable (id INT, value VARCHAR(255)) ENCRYPTION='Y';

Tables which are not already encrypted can be encrypted by using an ALTER TABLE command, such as the one below:

ALTER TABLE mytable ENCRYPTION='Y';

Last modification July 26, 2021