How to Enable Encryption in MariaDB

How do I enable encryption for MariaDB tables and connections?

ENABLE ENCRYPTION in MariaDB secures data in-flight (TLS) and at-rest (tablespace/table encryption) by toggling server variables and ALTER TABLE options.

Welcome to the Galaxy, Guardian!

Oops! Something went wrong while submitting the form.

Description

What does "enable encryption" mean in MariaDB?

MariaDB supports two separate features: TLS to encrypt client-server traffic and InnoDB/XtraDB encryption to protect data files on disk. Both are configured by the DBA, not ordinary DML.

How do I encrypt client connections?

Which server variables must be set?

Load a certificate pair, then add to my.cnf: [mysqld]ssl_cert=/etc/ssl/mariadb.crtssl_key=/etc/ssl/mariadb.keyssl_ca=/etc/ssl/ca.crtrequire_secure_transport=ON

How do clients use TLS?

Supply arguments: mariadb --ssl-ca=ca.crt --ssl-cert=client.crt --ssl-key=client.key.Frameworks such as JDBC add useSSL=true.

How do I enable at-rest encryption for new tables?

Step 1: Enable encryption plugin

In mysqld section add: plugin_load_add=file_key_management.so and restart. Provide file_key_management_filename and file_key_management_encryption_algorithm=AES_CTR.

Step 2: Turn on global defaults

Set: innodb_encrypt_tables=ON, innodb_encrypt_log=ON, innodb_encryption_threads=4. All subsequently created tablespaces will use encryption.

How do I encrypt an existing table?

Run ALTER TABLE Orders ENCRYPTION='Y', ENCRYPTION_KEY_ID=1;. MariaDB rebuilds the table and writes the data with the key from the keyring plugin.

Can I choose a per-table key?

Yes. Supply ENCRYPTION_KEY_ID for each table.Maintain keys via the file key-management file or an external KMS.

How do I confirm encryption is active?

Query information_schema.INNODB_TABLESPACES_ENCRYPTION. A non-NULL KEY_ID and ENCRYPTION_SCHEME=1 indicate success.

Best practices for production

Back up keyring files with the data backup.
Rotate keys regularly; use ALTER TABLE ... ENCRYPTION_KEY_ID.
Monitor the error log for keyring loading errors on restart.

Common mistakes and fixes

Missing keyring plugin: Encryption variables silently ignored. Load the plugin before enabling variables.

SSL certificate mismatch: Connection fails with ERROR 2026.Ensure CA file matches the server certificate chain.

Need a quick checklist?

1. Install keyring plugin
2. Define keys
3. Set innodb_encrypt_tables=ON
4. Restart server
5. ALTER existing tables
6. Verify via INFORMATION_SCHEMA.

Why How to Enable Encryption in MariaDB is important

How to Enable Encryption in MariaDB Example Usage


-- Encrypt the sensitive customer email column by moving table to an encrypted tablespace
ALTER TABLE Customers 
  ENCRYPTION='Y', 
  ENCRYPTION_KEY_ID=2;

How to Enable Encryption in MariaDB Syntax


-- Global variables (my.cnf)
[mysqld]
plugin_load_add=file_key_management.so
file_key_management_filename=/var/lib/mysql-keyring/keyring
file_key_management_filekey=FILE:/etc/mysql/keyfile
innodb_encrypt_tables=ON        -- Encrypt all new InnoDB tables
innodb_encrypt_log=ON           -- Encrypt redo/undo logs

-- Encrypt an existing table
ALTER TABLE Orders 
  ENCRYPTION='Y',          -- turn on encryption
  ENCRYPTION_KEY_ID=1;     -- choose key 1 from keyring

-- Create a table encrypted from birth
CREATE TABLE OrderItems (
  id INT PRIMARY KEY,
  order_id INT,
  product_id INT,
  quantity INT
) ENGINE=InnoDB 
  ENCRYPTION='Y' 
  ENCRYPTION_KEY_ID=1;

Common Mistakes

Setting innodb_encrypt_tables=ON without loading a keyring plugin. The server starts, but data stays unencrypted. Always load file_key_management or keyring_aws first.
Forgetting to back up the keyring file. Without it, encrypted tables become unreadable after restore. Always store keyring with your full backup.