MySQL at-rest encryption

MySQL has built-in at-rest encryption.

Add the following to the MySQL config file (as of Ubuntu 20.04.1 LTS it is /etc/mysql/mysql.conf.d/mysqld.cnf):

STEP 1

------

[mysqld]

early-plugin-load=keyring_file.so
keyring_file_data=/usr/local/mysql-cm-keyring/cmringfile

------

STEP 2

Now create the folder that keyring_file_data points into.
It NEEDS TO BE WRITABLE by the MySQL server. The keyring file itself will be created when the server starts.

Then encrypt tables as you wish with:

    ALTER TABLE table_name ENCRYPTION='Y';
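
To confirm that the two steps above took effect, the following added example (not part of the original note) checks that the keyring plugin is active, encrypts a table, and lists which tables are and are not encrypted. The name appdb.customers is a placeholder, and the queries assume MySQL 8.0 with the default file-per-table tablespaces.

```sql
-- Added example; appdb.customers is a placeholder schema/table name.

-- 1. Confirm the keyring plugin from STEP 1 loaded at startup.
--    Expect one row: keyring_file | ACTIVE. No row means the
--    early-plugin-load line was not picked up; check the error log.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME LIKE 'keyring%';

-- 2. Encrypt one table (STEP 2). The table is rebuilt with a copy,
--    so this can take a while on large tables.
ALTER TABLE appdb.customers ENCRYPTION='Y';

-- 3. List the tables that are now encrypted.
--    The _ wildcards match either quote style around Y.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
  FROM INFORMATION_SCHEMA.TABLES
 WHERE CREATE_OPTIONS LIKE '%ENCRYPTION=_Y_%';

-- 4. List InnoDB tables in user schemas that are still unencrypted
--    (assumes file-per-table tablespaces, the default).
SELECT TABLE_SCHEMA, TABLE_NAME
  FROM INFORMATION_SCHEMA.TABLES
 WHERE ENGINE = 'InnoDB'
   AND TABLE_SCHEMA NOT IN
       ('mysql', 'sys', 'information_schema', 'performance_schema')
   AND COALESCE(CREATE_OPTIONS, '') NOT LIKE '%ENCRYPTION=_Y_%'
 ORDER BY TABLE_SCHEMA, TABLE_NAME;

-- 5. Rotate the master key stored in the keyring file. Only the
--    master key changes and the per-tablespace keys are re-encrypted;
--    table data is not rewritten. Needs ENCRYPTION_KEY_ADMIN (or SUPER).
--    A failure here usually means the keyring file is not writable.
ALTER INSTANCE ROTATE INNODB MASTER KEY;
```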
    
    
    
Notes:
  1) Do NOT modify, move or delete cmringfile (all data will be lost).
  2) To debug, run: tail -f /var/log/mysql/error.log
  3) Learn more: https://dev.mysql.com/doc/refman/8.0/en/innodb-data-encryption.html#innodb-data-encryption-about
  4) Directory access is limited; specifically, /var/lib/mysql-keyring is the directory meant to be used for the keyring.
