MariaDB AWS Key Management Service (KMS) Encryption Plugin

MariaDB 10.1 introduced Data at Rest Encryption. By default we provide a file_key_management plugin. This is a basic plugin that stores keys in a file, which can itself be encrypted. The file can live on a USB stick that is removed once the keys have been loaded into memory. But this remains a basic solution, not suitable for security compliance rules.
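 
To make the file_key_management side concrete, here is an added example (not code from this post or from MariaDB) that generates, renders and validates a key file in the format that plugin reads. It assumes the documented layout of one `<key_id>;<hex key>` pair per line with AES keys of 16, 24 or 32 bytes; the key ids, the strict parsing rules (blank lines ignored, duplicate or malformed entries rejected) and the permission check are choices of this example.

```python
"""Generate and validate a MariaDB file_key_management key file.

Added example, not the plugin's own code. Assumed format (from the
MariaDB documentation): one "<key_id>;<hex key>" per line, key_id a
positive integer, key 16/24/32 bytes of hex (AES-128/192/256).
The strictness of the parser and the permission check are this
example's own choices.
"""
import os
import re
import secrets

LINE_RE = re.compile(r"^(\d+);([0-9a-fA-F]+)$")
VALID_KEY_BYTES = {16, 24, 32}


def generate_keys(key_ids, key_bytes=32):
    """Return {key_id: random key} using a CSPRNG."""
    if key_bytes not in VALID_KEY_BYTES:
        raise ValueError("key size must be 16, 24 or 32 bytes")
    return {kid: secrets.token_bytes(key_bytes) for kid in key_ids}


def render_key_file(keys):
    """Serialise {key_id: key bytes} into the plugin's line format."""
    return "".join(f"{kid};{key.hex()}\n" for kid, key in sorted(keys.items()))


def write_key_file(path, text):
    """Create the file owner-read/write only before any key bytes land on disk."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path


def parse_key_file(text):
    """Return {key_id: key bytes}; raise ValueError on anything suspicious.

    Blank lines are skipped (this parser's choice). Key id 1 is the id
    MariaDB uses by default when a table does not name one, so its
    absence is reported as an error here.
    """
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected '<id>;<hexkey>'")
        kid, hexkey = int(m.group(1)), m.group(2)
        if kid < 1:
            raise ValueError(f"line {lineno}: key id must be >= 1")
        if kid in keys:
            raise ValueError(f"line {lineno}: duplicate key id {kid}")
        if len(hexkey) % 2 or len(hexkey) // 2 not in VALID_KEY_BYTES:
            raise ValueError(f"line {lineno}: key must be 16, 24 or 32 bytes")
        keys[kid] = bytes.fromhex(hexkey)
    if 1 not in keys:
        raise ValueError("key id 1 (the default key id) is missing")
    return keys


def load_key_file(path):
    """Parse a key file, refusing one that is readable by group or others."""
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        raise PermissionError(f"{path} is mode {mode:o}; expected 0600")
    with open(path) as fh:
        return parse_key_file(fh.read())


if __name__ == "__main__":
    # Demo on a constructed path; the real file belongs outside the datadir.
    demo = write_key_file("demo-keys.txt", render_key_file(generate_keys([1, 2])))
    print({kid: len(key) for kid, key in load_key_file(demo).items()})
```

The parser is deliberately stricter than it needs to be: a key file that is silently truncated or half-edited is exactly the failure that turns encrypted tables into unreadable ones, so it is better to fail at startup than to discover the problem at restore time.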

To secure keys in a better way we have introduced a new plugin called "Amazon Web Services (AWS) Key Management Service (KMS) Encryption Plugin". We provide a setup guide and an advanced setup guide with some nice Go code to do two-factor authentication (sample code written by Kolbe).

The AWS KMS encryption plugin is only compiled in the MariaDB Enterprise binaries. The source code of this plugin is GPL and part of the MariaDB Server repository. Instructions for building the plugin from source are available as well.

This plugin is a good example of how to write a plugin that interfaces with a KMS. It can serve as a model for developing plugins for other KMSs (Thales, Gemalto/SafeNet, Azure Key Vault…). The KMS itself can be software only or paired with an HSM (Hardware Security Module) to introduce hardware-protected keys and hardware encryption through a cryptoprocessor. For some businesses this is part of compliance rules (PCI PTS).
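What a KMS-backed plugin has to implement, whichever KMS sits behind it, is a small key-lookup interface on top of envelope encryption: the master key never leaves the KMS, only wrapped data keys are persisted, and plaintext data keys exist only in server memory. The following is an added sketch of that flow, not the plugin's own code. `ToyKMS` is an in-process stand-in for the real service (the real plugin talks to AWS KMS through the AWS SDK); its wrapping scheme (an HMAC-SHA256 keystream plus an HMAC tag) is an assumption of this example chosen so it runs offline, and the two operations `get_latest_key_version` and `get_key` mirror the shape of the MariaDB encryption plugin API rather than its exact C signatures.

```python
"""Envelope-encryption key flow behind a KMS-backed encryption plugin.

Added example, not the AWS KMS plugin's code. ToyKMS stands in for the
real KMS and uses an HMAC-SHA256 keystream + HMAC tag (an assumption of
this example, not how AWS KMS works internally) so the demo runs offline.
"""
import hashlib
import hmac
import secrets


class ToyKMS:
    """Stand-in KMS: the master key is created here and never handed out."""

    def __init__(self):
        master = secrets.token_bytes(32)
        # Separate keys for confidentiality and integrity, derived from the master.
        self._enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce, n):
        out = b""
        for counter in range((n + 31) // 32):
            out += hmac.new(self._enc_key, nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
        return out[:n]

    def generate_data_key(self, nbytes=32):
        """Like GenerateDataKeyWithoutPlaintext: return only the wrapped key."""
        plain = secrets.token_bytes(nbytes)
        nonce = secrets.token_bytes(16)
        body = bytes(a ^ b for a, b in zip(plain, self._keystream(nonce, nbytes)))
        tag = hmac.new(self._mac_key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def decrypt(self, wrapped):
        """Like Decrypt: verify the tag first, then unwrap the data key."""
        if len(wrapped) < 16 + 32:
            raise ValueError("KMS: ciphertext too short")
        nonce, body, tag = wrapped[:16], wrapped[16:-32], wrapped[-32:]
        expect = hmac.new(self._mac_key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("KMS: ciphertext integrity check failed")
        return bytes(a ^ b for a, b in zip(body, self._keystream(nonce, len(body))))


class KmsKeyStore:
    """Plugin side: wrapped keys are persisted (a dict stands in for files in
    the data directory); plaintext keys are cached in memory only."""

    def __init__(self, kms):
        self.kms = kms
        self.wrapped = {}   # (key_id, version) -> wrapped blob (persisted)
        self._cache = {}    # (key_id, version) -> plaintext (memory only)

    def _versions(self, key_id):
        return [v for (k, v) in self.wrapped if k == key_id]

    def rotate(self, key_id):
        """Create the next version of key_id; only the wrapped form is stored."""
        version = max(self._versions(key_id), default=0) + 1
        self.wrapped[(key_id, version)] = self.kms.generate_data_key()
        return version

    def get_latest_key_version(self, key_id):
        """Newest version of key_id, creating version 1 on first use."""
        versions = self._versions(key_id)
        return max(versions) if versions else self.rotate(key_id)

    def get_key(self, key_id, version):
        """Plaintext key for (key_id, version); the KMS is asked only on a cache miss."""
        slot = (key_id, version)
        if slot not in self._cache:
            if slot not in self.wrapped:
                raise KeyError(f"no key {key_id} version {version}")
            self._cache[slot] = self.kms.decrypt(self.wrapped[slot])
        return self._cache[slot]


if __name__ == "__main__":
    store = KmsKeyStore(ToyKMS())
    v = store.get_latest_key_version(1)
    print("key 1 version", v, "->", len(store.get_key(1, v)), "bytes in memory")
    print("rotated to version", store.rotate(1))
```

Two properties are worth checking in any real implementation of this pattern: nothing on disk (here `store.wrapped`) ever contains a plaintext key, and a wrapped key that has been modified is refused by the KMS rather than silently unwrapped into garbage that would then be used to encrypt tablespaces.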

Source: Serge Frezefond's blog
