Encrypting Your MariaDB TDE Databases
There are two ways you can create keys to encrypt your MariaDB TDE database:
- You can create CloudKeys in the KeyControl Vault for Databases webGUI and use the Key ID of the CloudKey in the MariaDB database server.
- If you try to encrypt a database table in MariaDB with a key ID that is not in the KeyControl Vault for Databases, and you set "Allow automatic key creation from MariaDB" to yes when you created the Key Set, then the KeyControl Vault for Databases can automatically create the CloudKey for you. The name of the key will be in the format mariadb_key_<keyid>.
For example:
- If you create a database table with encryption and choose an encryption key from the KeyControl Vault for Databases, the table will be encrypted with that CloudKey.
- If you create a database table with encryption, but no encryption key, the table will be encrypted with the first available encryption CloudKey from the KeyControl Vault for Databases.
- If you create a database table with encryption and choose an encryption key that is NOT in the KeyControl Vault for Databases, one of the following will happen:
  - If you had set 'Allow automatic key creation from MariaDB' to yes, then the KeyControl Vault for Databases will automatically create that CloudKey.
  - If you had set 'Allow automatic key creation from MariaDB' to no, then the table creation will fail, and no CloudKey will be created.
If you create a database table with encryption but no encryption key ID, by default the table will be created with CloudKey 1.
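The three cases above as MariaDB statements, followed by a check of which key ID each tablespace actually ended up with. This is an added example, not taken from the product documentation; the schema tde_demo, the table names and the key IDs 2 and 100 are assumptions, and it presumes InnoDB tables with the key management plugin already configured.

```sql
-- Added example. Assumed names: schema tde_demo, the tables, key IDs 2 and 100.
CREATE DATABASE IF NOT EXISTS tde_demo;
USE tde_demo;

-- Case 1: key ID 2 (assumed) already exists as a CloudKey in the vault.
CREATE TABLE customers (
  id    INT PRIMARY KEY,
  email VARCHAR(255)
) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=2;

-- Case 2: encryption requested without a key ID; the default key is used.
CREATE TABLE audit_log (
  id    INT PRIMARY KEY,
  entry TEXT
) ENGINE=InnoDB ENCRYPTED=YES;

-- Case 3: key ID 100 (assumed) has no CloudKey yet.
-- Automatic key creation = yes: the statement succeeds and the vault creates
-- a key named in the mariadb_key_<keyid> format.
-- Automatic key creation = no: the statement fails and no key is created.
CREATE TABLE payments (
  id     INT PRIMARY KEY,
  amount DECIMAL(12,2)
) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=100;

-- Confirm which key ID and key version each tablespace is encrypted with.
SELECT NAME, ENCRYPTION_SCHEME, CURRENT_KEY_ID, CURRENT_KEY_VERSION
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE NAME LIKE 'tde_demo/%';

-- Audit: InnoDB tables in the schema that are NOT encrypted
-- (no encryption row, or ENCRYPTION_SCHEME = 0).
SELECT t.TABLE_SCHEMA, t.TABLE_NAME
FROM information_schema.TABLES AS t
LEFT JOIN information_schema.INNODB_TABLESPACES_ENCRYPTION AS e
  ON e.NAME = CONCAT(t.TABLE_SCHEMA, '/', t.TABLE_NAME)
WHERE t.ENGINE = 'InnoDB'
  AND t.TABLE_SCHEMA = 'tde_demo'
  AND (e.ENCRYPTION_SCHEME IS NULL OR e.ENCRYPTION_SCHEME = 0);
```

The audit query should return no rows for tde_demo if all three CREATE TABLE statements succeeded; any table it lists is stored unencrypted.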
Note: We recommend that you run the shutdown command (SHUTDOWN;) before you exit MariaDB to ensure that your encrypted tables are synchronized correctly. The shutdown command forces MariaDB to write encrypted data to disk.
