Google donates on-disk encryption to MariaDB
17 September 2015
MariaDB, the binary-compatible fork of MySQL that has gained adherents ranging from Wikipedia to Red Hat, has unveiled version 10.1 with built-in encryption courtesy of another MariaDB fan, Google.
But take heed: the encryption provided by Google — on-disk encryption of database tables — does not protect against the most common forms of attack levied against databases in the wild.
Tables under lock and key
From a technical standpoint, Google’s contributions are impressive, as they provide at-rest encryption for data at the instance and table level. The encryption isn’t implemented at the OS or file-system level, but within MariaDB for the XtraDB and InnoDB storage engines. (Another encryption function in 10.1, which encrypts only individual tables, was developed and donated by a different company, Eperi.)
MariaDB claims that encryption support can be added to an existing database without taking it offline, aside from the initial upgrade process. Keys are stored apart from the database in a separate file and can be rotated automatically. Encryption can be applied to temporary tables and files as well (another Eperi feature). Finally, the resulting encrypted table is transparent to database clients, so no changes need to be made on the application side.
However, encryption comes with a performance overhead. According to documentation for the encryption feature, adding encryption drags down performance by approximately 10%.
Look out for the injections
The biggest word of warning: On-disk encryption protects only against direct access to the data files themselves, such as someone at the service provider reading the disk. It cannot guard against attacks carried out through SQL injection, a common mode of attack, because the database transparently decrypts the data for every query it executes, injected or not.
It’s possible to protect individual columns or rows with MySQL’s native encryption functions, allowing access to that data only to specific users or under special circumstances. But such security has to be implemented by the database developer and typically requires reworking existing client applications as well.
Third-party MySQL encryption solutions have been a staple of the market. Apart from Eperi, Penta Security Systems provides an add-on for MariaDB and MySQL called MyDiamo. Unlike the Google-donated solution, MyDiamo provides column-level encryption and one-way hashing, and the company claims its solution doesn’t require modifying a client app.
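As an added illustration, not code from the article or from MariaDB's own documentation, the statements below show the column-level approach the previous two paragraphs describe, using MariaDB/MySQL's native AES_ENCRYPT, AES_DECRYPT and SHA2 functions with a key that only the application holds. The table name, column names, key value and e-mail addresses are constructed for the example.

```sql
-- Constructed example: column-level encryption plus a one-way hash for
-- lookups. Unlike the transparent at-rest encryption in MariaDB 10.1, the
-- database never holds the key, so a query that reaches the table without
-- the application's key (an ad-hoc SELECT, a dump, an injected statement)
-- returns only ciphertext and hashes.

CREATE TABLE customer (
    id         INT PRIMARY KEY,
    email_hash BINARY(32)     NOT NULL,   -- SHA-256 of the plaintext, for equality lookups
    email_enc  VARBINARY(256) NOT NULL    -- AES ciphertext (AES-128-ECB by default)
);

-- Hypothetical application key, 128 bits, supplied by the application for
-- its own session only. Note that a session variable is visible to every
-- statement run in that session, so passing the key as a bound parameter
-- per statement (or encrypting in the application) is the safer pattern.
SET @app_key = UNHEX('00112233445566778899AABBCCDDEEFF');

INSERT INTO customer (id, email_hash, email_enc) VALUES
  (1, UNHEX(SHA2('alice@example.com', 256)), AES_ENCRYPT('alice@example.com', @app_key)),
  (2, UNHEX(SHA2('bob@example.com',   256)), AES_ENCRYPT('bob@example.com',   @app_key));

-- What any session without the key sees: opaque bytes, no addresses.
SELECT id, HEX(email_hash), HEX(email_enc) FROM customer;

-- What the application sees, decrypting on read with its own key.
SELECT id, CAST(AES_DECRYPT(email_enc, @app_key) AS CHAR) AS email
FROM customer;

-- Lookups compare hashes, so no decryption is needed in the WHERE clause.
-- Caveat: an unsalted hash of low-entropy data such as an e-mail address
-- can be guessed by hashing candidates; a keyed hash computed in the
-- application is stronger.
SELECT id FROM customer
WHERE email_hash = UNHEX(SHA2('alice@example.com', 256));
```

The default ECB mode is deterministic, so identical plaintexts produce identical ciphertexts; treat the column as protected against disclosure, not against pattern analysis.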
Google has long been said to make use of MySQL/MariaDB internally, and it previously contributed code to the project from those efforts. The company donated various replication and instance-monitoring bits in 2007 for MySQL 7. Most recently, it unveiled its Google Cloud SQL managed database service, though that was based on MySQL, not MariaDB, most likely for the broadest possible compatibility and support.
Serdar Yegulalp, IDG News Service