Utilizing encryption at rest to protect the database data living on your hard drive is a smart choice, especially when dealing with sensitive customer data. Encryption at rest protects the data files by encrypting the actual files the MySQL/MariaDB server reads and writes to on the file system. Although they are binary files they can still be read relatively easily using standard tools as well as being “imported” into a different MySQL/MariaDB server. Encryption at rest is just one part of a total solution and this post is going to cover what it takes to get it running using the AWS Key Management System for key control on macOS using Homebrew.
Update the Formulae
This post assumes you have an otherwise working system running macOS Mojave (it may work on others but I haven’t tested) and have successfully installed Homebrew. With Homebrew installed you’re ready to get started.
The default bottle provided by Homebrew does not compile the AWS Key Management plugin so we must install MariaDB from source. Before doing so, edit the formulae for MariaDB by issuing “brew edit mariadb” and editing the file in the following ways:
Add aws-sdk-cpp as a build dependency under line 13:
depends_on "cmake" => :build
depends_on "aws-sdk-cpp" => :build
depends_on "openssl"
Add the following definitions in the build section:
-DPLUGIN_AWS_KEY_MANAGEMENT=DYNAMIC
-DAWS_SDK_EXTERNAL_PROJECT=1
Your full formulae file should now look like this – https://gist.github.com/dustinrue/2e2f81d3569a89d37809d3c8eb6f92ec
Build MariaDB
With the formulae updated we can now install MariaDB from source which will ensure it is built with the AWS Key Management Plugin. To build MariaDB from source issue the following:
brew install mariadb -s
If you already have MariaDB installed then you can reinstall from source using this command:
brew reinstall mariadb -s
Building MariaDB takes some amount of time. Once the build is complete you can verify the plugin was created using mdfind like this:
mdfind -name aws_key_management
You should get something similar to this back:
/usr/local/Cellar/[email protected]/10.2.18/lib/plugin/aws_key_management.so
You have now successfully built MariaDB with the AWS Key Management plugin. You can now move on to configuring encryption at rest following the directions at https://mariadb.com/kb/en/library/aws-key-management-encryption-plugin/ and https://mariadb.com/kb/en/library/data-at-rest-encryption/