
Encryption at rest for MySQL

Submitted by: @import:stackexchange-dba

Problem

A MySQL database needs to contain highly sensitive data that cannot be left unencrypted at rest, yet the database needs to remain searchable by an app. What are the options for encryption at rest with MySQL?

I have looked into CryptDB, but it has not been supported since early 2014, and CryptDB also does not integrate with Java naturally. It might be a lot of work to get CryptDB to work with Spring and Eclipse, only to find that it is less and less supported as time passes by. And it seems like other row-level encryption methods are not yet viable, unless someone has suggestions.

So what are the database level encryption options for MySQL? And what are the file system encryption options related to a MySQL database running in CentOS 7?

The MySQL database interacts with a Spring MVC app exclusively.

Note: This is running on a dedicated physical box that ONLY has CentOS 7 installed. So we cannot use any Windows-specific tools.

Solution

If you have MySQL installed and running on a Windows Server, you may want to look into BitLocker with TPM encryption plus PIN boot password. Even if the host OS is Windows and CentOS is a VM, this would suffice.

  • TrueCrypt
  • VeraCrypt

There's data-at-rest encryption, so when the data is at rest on a server disk partition and not being accessed by some query, using OS-level full disk encryption such as BitLocker with TPM plus PIN boot password is fine per many regulations such as HITECH, HIPAA, etc.

Data-in-motion and access controls over who or what applications you allow to access the data are a different story, but I'd look into something of that nature or equivalent for data-at-rest encryption specifically.

Context

StackExchange Database Administrators Q#111351, answer score: 2
