MySQL encryption is one of the most common use cases we’re seeing in infrastructure clouds. Enterprises or software as a service (SaaS) vendors store sensitive or regulated data in the cloud using MySQL, and the immediate consequence is a requirement for data encryption.
Below, I’ll cover the MySQL encryption options used by our customers, analysis of pros and cons, and references to relevant knowledge base articles.
Information on additional database and encryption options supported by Porticor is available here.
MySQL Encryption: encrypting the entire database
Encryption of an entire MySQL database can be easily achieved by mounting the database store to an encrypted volume using a Porticor encryption agent or the inline Porticor Virtual Appliance.
MySQL Encryption: Entire database encryption benefits
The main benefit of encrypting an entire database is in the simplicity of the solution. There is no need to alter the code or update SQL statements. Simply attach the data store to an encrypted volume and you’re all set.
MySQL Encryption: The downside of entire database encryption
Full disk encryption might not be enough. Regulations like PCI require sensitive data to be specifically encrypted. In that case, we recommend that you continue reading about the additional database or application level encryption options mentioned below.
Entire database encryption conclusion
Mounting your database to an encrypted volume is considered a best practice and we would highly recommend doing so even if additional encryption options are used.
Database level encryption
Database level encryption with MySQL is relatively simple due to the AES_ENCRYPT / AES_DECRYPT built-in functions (important note: most modern databases like Oracle, PostgreSQL and others have similar built-in functions). Calling these functions enables the encryption of specific statements according to your compliance requirements.
MySQL database level encryption benefits:
The benefits of database level encryption are many. Customers can make use of the existing MySQL encryption functions (you will not need to install an additional encryption agent), and encrypted data will not be available to the Linux admin or any super user, as it is encrypted before it is written to disk.
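A column-level use of AES_ENCRYPT / AES_DECRYPT as described above, written as an added example and not taken from Porticor's documentation. The table, column and variable names and the demo key are assumptions made for illustration; in practice the key is fetched from your key manager by the application.

```sql
-- Added example. customer_cards, card_iv, card_enc, @key and @iv are
-- hypothetical names; the key and card number below are constructed values.

-- MySQL defaults to aes-128-ecb. Select CBC with a 256-bit key for this
-- session (block_encryption_mode exists since MySQL 5.6.17).
SET SESSION block_encryption_mode = 'aes-256-cbc';

CREATE TABLE customer_cards (
    id          INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
    customer_id INT UNSIGNED NOT NULL,
    card_iv     BINARY(16)    NOT NULL,  -- per-row IV; stored in clear, not secret
    card_enc    VARBINARY(64) NOT NULL   -- ciphertext is binary: never CHAR/VARCHAR
);

-- Constructed 32-byte demo key. A real key is supplied by the application
-- at runtime and is never stored in the database or in a schema script.
SET @key = UNHEX(SHA2('constructed-demo-passphrase', 256));

-- Encrypt on write with a fresh random IV for every row.
SET @iv = RANDOM_BYTES(16);
INSERT INTO customer_cards (customer_id, card_iv, card_enc)
VALUES (42, @iv, AES_ENCRYPT('4111111111111111', @key, @iv));

-- Decrypt on read. AES_DECRYPT returns a binary string, so cast it back.
SELECT customer_id,
       CAST(AES_DECRYPT(card_enc, @key, card_iv) AS CHAR) AS card_number
FROM   customer_cards
WHERE  customer_id = 42;

-- What is actually written to disk (and what an OS-level admin would see).
SELECT HEX(card_iv) AS iv_hex, HEX(card_enc) AS ciphertext_hex
FROM   customer_cards
WHERE  customer_id = 42;
```

Because the key and plaintext travel to the server inside the statement, connect over TLS and make sure statements that carry them are not captured by the general or slow query logs.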
An important note regarding key management
It is considered best practice to generate as many encryption keys as practically possible for certain data sets. The Porticor key management API allows for such automatic creation of encryption keys. An example of MySQL integration with Porticor’s key management API is available here.
Application level encryption
Application level encryption is to be considered if the requirement is to encrypt the data before it hits the database server. This option would require some code changes (API integration as described above), but the end result is a highly secure architecture that can scale to automatically encrypt different data sets with different keys.
Many of our customers have integrated Porticor for application level encryption to protect each customer’s data with a unique encryption key. Further enhancements like key rotation or key revocation are obviously important and can be easily added.
Our RESTful API is described by our customers as a very easy and intuitive integration point.
MySQL Encryption: Summary
MySQL encryption is available in more than one shape and form. Identifying the relevant options is an important first step. Other MySQL encryption best practices include:
- Encrypt the entire volume regardless of additional MySQL or application level encryption. The performance hit is negligible and you’ll sleep better at night knowing you have more than one layer of encryption.
- Generate as many encryption keys as practically possible.
- Keep it as simple as possible. Encryption doesn’t have to be complicated. Our RESTful API is an excellent example of simplifying a complicated task.