Rakmo

Reputation: 1982

Does MySQL apply Encryption for Data at Rest by default?

I went through this page of the MySQL docs. It is still not clear to me if the data stored in the filesystem (mainly as .ibd files) is encrypted by default or not for MySQL v8.0.x. I see a bunch of info on the tablespaces stating:

The mysql system tablespace contains the mysql system database and MySQL data dictionary tables. It is unencrypted by default.

Does it also mean that the stored data is not encrypted by default? Can someone help point me to the official doc where it says so?

Upvotes: 1

Views: 1744

Answers (1)

Solarflare

Reputation: 11116

Yes, data is unencrypted by default.

Prior to MySQL 8.0.16, you have to explicitly set the encryption to enable it, see e.g. for File-Per-Table Tablespace Encryption:

Prior to MySQL 8.0.16, the ENCRYPTION clause must be specified to enable encryption.

which of course implies that if you don't specify it, it is disabled by default.

Since MySQL 8.0.16, the behaviour is inherited:

As of MySQL 8.0.16, the default_table_encryption system variable defines the default encryption setting for schemas and general tablespaces. CREATE TABLESPACE and CREATE SCHEMA operations apply the default_table_encryption setting when an ENCRYPTION clause is not specified explicitly.

By default, a table inherits the encryption setting of the schema or general tablespace it is created in. For example, a table created in an encryption-enabled schema is encrypted by default. This behavior enables a DBA to control table encryption usage by defining and enforcing schema and general tablespace encryption defaults.

but the default value for default_table_encryption is off:

Default Value OFF

Defines the default encryption setting applied to schemas and general tablespaces when they are created without specifying an ENCRYPTION clause.

The default_table_encryption variable is only applicable to user-created schemas and general tablespaces. It does not govern encryption of the mysql system tablespace.

Note that existing objects will not be encrypted automatically if you change the defaults; you have to alter them explicitly.

Upvotes: 3
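
The checks described in the answer above, written out as an audit for a MySQL 8.0.16+ server. This is an added example, not part of the original answer or the MySQL documentation; the schema `appdb` and table `customers` are hypothetical names, and the ALTER statements assume a keyring component or plugin is already configured on the server.

```sql
-- 1. Server-wide default applied to newly created schemas and general
--    tablespaces (OFF unless someone changed it).
SHOW VARIABLES LIKE 'default_table_encryption';

-- 2. Per-schema default that new tables inherit. 'NO' means tables created
--    in that schema without an ENCRYPTION clause are stored unencrypted.
SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION
FROM INFORMATION_SCHEMA.SCHEMATA
WHERE SCHEMA_NAME NOT IN
      ('mysql', 'information_schema', 'performance_schema', 'sys');

-- 3. Actual state of every InnoDB tablespace on disk. File-per-table
--    tablespaces appear as 'schema/table'; the row named 'mysql' is the
--    mysql system tablespace, which default_table_encryption does not govern.
SELECT NAME, SPACE_TYPE, ENCRYPTION
FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
WHERE ENCRYPTION <> 'Y'
ORDER BY NAME;

-- 4. Tables that were created or altered with an explicit ENCRYPTION clause.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
FROM INFORMATION_SCHEMA.TABLES
WHERE CREATE_OPTIONS LIKE '%ENCRYPTION%';

-- 5. Changing the defaults only affects objects created afterwards.
--    (Assumption: a keyring is configured; without one, enabling
--    encryption fails.)
SET PERSIST default_table_encryption = ON;    -- future schemas/tablespaces
ALTER SCHEMA appdb DEFAULT ENCRYPTION = 'Y';  -- future tables in appdb (hypothetical)

-- 6. Existing tables stay as they are until altered explicitly; this
--    rebuilds the .ibd file in encrypted form (hypothetical table name).
ALTER TABLE appdb.customers ENCRYPTION = 'Y';

-- 7. Re-run the query from step 3: any user tablespace still listed
--    has data at rest in the clear.
```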
