Data Encryption – Data-at-Rest & Data-in-Transit on MariaDB Galera Cluster
Refer to Setting up of Galera cluster environment for MariaDB 10.6.5 (reference 1) to set up a working cluster. Encryption can also be enabled before the cluster is bootstrapped for the first time.
VxRail VM servers used for configuring the Galera cluster:
o galeraclusternode1VM - 172.30.82.8 – (Node 1 - Bootstrap node)
o galeraclusternode2VM - 172.30.82.6 – (Node 2)
o galeraclusternode3VM - 172.30.82.7 – (Node 3)
Step 1: Bringing the Cluster Down
(Note: take a backup and get permission before bringing down the cluster)
1) Stop MariaDB on each node of the Galera cluster with systemctl stop mariadb, in descending node order (node 3, then node 2, then node 1). The node stopped last is the one Galera marks safe_to_bootstrap=1 in its grastate.dat, which is why node 1, the bootstrap node, goes down last.
2) Once the DB server is stopped on all 3 nodes, the cluster is down.
Step 2: Creating the encrypted key file for Data-at-Rest encryption on all 3 nodes
3) Follow the Data-at-Rest encryption documentation (reference 2) and create the encrypted key file. Path: /etc/mariadb/encryption/
4) Change the owner and group of the key files and of the directory to mysql.
5) Copy the key files to the other 2 nodes under the same path and repeat the ownership change there.
Step 3: Creating SSL certificates & key files for server and client in all 3 nodes
6) Now follow the Data-in-Transit encryption documentation (reference 3) to create the CA certificate and the server and client certificates and key files on the bootstrap node (node 1). Path: /etc/mariadb/transit/
7) Names used for the common name field while creating the SSL certificates:
o Galera admin
o Galera server
o Galera client
8) Change the owner and group of the directory and of the certificates and key files in it (to mysql, as in Step 2).
9) Copy the transit directory to the other 2 nodes as well and repeat the owner and group change on those nodes. Path: /etc/mariadb/transit/
10) All the files needed to enable encryption are now ready.
Step 4: Configuring the settings in the MariaDB configuration file
11) Add the following configuration on each node respectively. The three blocks are identical except for log_bin, which names each node's binary log.
Configuration for Node 1:
[mariadb]
…..
#################### DATABASE ENCRYPTION ####################
#File Key Management Plugin
plugin_load_add = file_key_management
file_key_management_filename = /etc/mariadb/encryption/keyfile.enc
file_key_management_filekey = FILE:/etc/mariadb/encryption/keyfile.key
file_key_management_encryption_algorithm = AES_CTR
# InnoDB Encryption Setup
innodb_encrypt_tables = ON
innodb_encrypt_log = ON
innodb_encrypt_temporary_tables = ON
innodb_encryption_threads = 4
innodb_encryption_rotation_iops = 2000
# Temp & Log Encryption
encrypt_tmp_disk_tables = ON
encrypt_tmp_files = ON
encrypt_binlog = ON
aria_encrypt_tables = ON
# Binary Log settings
master_verify_checksum = ON
log_slave_updates = ON
log_bin = gnode1
binlog_checksum = CRC32
## Securing the Database with ssl option and certificates – Server Configuration ##
## Without the tls_version setting below there is no control over the protocol level; ##
## MariaDB would negotiate TLSv1.2 or TLSv1.3 on its own. ##
ssl_ca=/etc/mariadb/transit/ca-cert.pem
ssl_cert=/etc/mariadb/transit/server-cert.pem
ssl_key=/etc/mariadb/transit/server-key.pem
require_secure_transport=ON
## TLS version setup – availability depends on the MariaDB server version ##
tls_version = TLSv1.2,TLSv1.3
[client-mariadb]
## Securing the Database with ssl option and certificates – Client Configuration ##
ssl_ca=/etc/mariadb/transit/ca-cert.pem
ssl_cert=/etc/mariadb/transit/client-cert.pem
ssl_key=/etc/mariadb/transit/client-key.pem
## TLS version setup – availability depends on the MariaDB server version ##
tls_version = TLSv1.2,TLSv1.3
[galera]
……
# Enable replication traffic encryption
wsrep_provider_options = "socket.ssl_key=/etc/mariadb/transit/server-key.pem;socket.ssl_cert=/etc/mariadb/transit/server-cert.pem;socket.ssl_ca=/etc/mariadb/transit/ca-cert.pem"
Configuration for Node 2:
[mariadb]
…..
#################### DATABASE ENCRYPTION ####################
#File Key Management Plugin
plugin_load_add = file_key_management
file_key_management_filename = /etc/mariadb/encryption/keyfile.enc
file_key_management_filekey = FILE:/etc/mariadb/encryption/keyfile.key
file_key_management_encryption_algorithm = AES_CTR
# InnoDB Encryption Setup
innodb_encrypt_tables = ON
innodb_encrypt_log = ON
innodb_encrypt_temporary_tables = ON
innodb_encryption_threads = 4
innodb_encryption_rotation_iops = 2000
# Temp & Log Encryption
encrypt_tmp_disk_tables = ON
encrypt_tmp_files = ON
encrypt_binlog = ON
aria_encrypt_tables = ON
# Binary Log settings
master_verify_checksum = ON
log_slave_updates = ON
log_bin = gnode2
binlog_checksum = CRC32
## Securing the Database with ssl option and certificates – Server Configuration ##
## Without the tls_version setting below there is no control over the protocol level; ##
## MariaDB would negotiate TLSv1.2 or TLSv1.3 on its own. ##
ssl_ca=/etc/mariadb/transit/ca-cert.pem
ssl_cert=/etc/mariadb/transit/server-cert.pem
ssl_key=/etc/mariadb/transit/server-key.pem
require_secure_transport=ON
## TLS version setup – availability depends on the MariaDB server version ##
tls_version = TLSv1.2,TLSv1.3
[client-mariadb]
## Securing the Database with ssl option and certificates – Client Configuration ##
ssl_ca=/etc/mariadb/transit/ca-cert.pem
ssl_cert=/etc/mariadb/transit/client-cert.pem
ssl_key=/etc/mariadb/transit/client-key.pem
## TLS version setup – availability depends on the MariaDB server version ##
tls_version = TLSv1.2,TLSv1.3
[galera]
……
# Enable replication traffic encryption
wsrep_provider_options = "socket.ssl_key=/etc/mariadb/transit/server-key.pem;socket.ssl_cert=/etc/mariadb/transit/server-cert.pem;socket.ssl_ca=/etc/mariadb/transit/ca-cert.pem"
Configuration for Node 3:
[mariadb]
…..
#################### DATABASE ENCRYPTION ####################
#File Key Management Plugin
plugin_load_add = file_key_management
file_key_management_filename = /etc/mariadb/encryption/keyfile.enc
file_key_management_filekey = FILE:/etc/mariadb/encryption/keyfile.key
file_key_management_encryption_algorithm = AES_CTR
# InnoDB Encryption Setup
innodb_encrypt_tables = ON
innodb_encrypt_log = ON
innodb_encrypt_temporary_tables = ON
innodb_encryption_threads = 4
innodb_encryption_rotation_iops = 2000
# Temp & Log Encryption
encrypt_tmp_disk_tables = ON
encrypt_tmp_files = ON
encrypt_binlog = ON
aria_encrypt_tables = ON
# Binary Log settings
master_verify_checksum = ON
log_slave_updates = ON
log_bin = gnode3
binlog_checksum = CRC32
## Securing the Database with ssl option and certificates – Server Configuration ##
## Without the tls_version setting below there is no control over the protocol level; ##
## MariaDB would negotiate TLSv1.2 or TLSv1.3 on its own. ##
ssl_ca=/etc/mariadb/transit/ca-cert.pem
ssl_cert=/etc/mariadb/transit/server-cert.pem
ssl_key=/etc/mariadb/transit/server-key.pem
require_secure_transport=ON
## TLS version setup – availability depends on the MariaDB server version ##
tls_version = TLSv1.2,TLSv1.3
[client-mariadb]
## Securing the Database with ssl option and certificates – Client Configuration ##
ssl_ca=/etc/mariadb/transit/ca-cert.pem
ssl_cert=/etc/mariadb/transit/client-cert.pem
ssl_key=/etc/mariadb/transit/client-key.pem
## TLS version setup – availability depends on the MariaDB server version ##
tls_version = TLSv1.2,TLSv1.3
[galera]
……
# Enable replication traffic encryption
wsrep_provider_options = "socket.ssl_key=/etc/mariadb/transit/server-key.pem;socket.ssl_cert=/etc/mariadb/transit/server-cert.pem;socket.ssl_ca=/etc/mariadb/transit/ca-cert.pem"
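Before the nodes are started again, the files prepared in Steps 2 and 3 can be checked on every node with the script below. It is an added example, not part of the original document or the referenced encryption documents; it assumes GNU stat and the paths used in the configuration above, and the 0600 limit for key material and 0644 for certificates is a hardening choice of this script, beyond the ownership change the steps call for.

```shell
#!/usr/bin/env bash
# Added example (not part of the original document): pre-start check of the
# key and certificate files from Steps 2 and 3, to run on every node before
# MariaDB is restarted in Step 5. Assumes GNU stat and the paths in the
# configuration above. The 0600/0644 limits are an assumption of this script.
set -u

KEY_DIR=/etc/mariadb/encryption
TLS_DIR=/etc/mariadb/transit

# check_file FILE OWNER GROUP MAXMODE -> 0 if FILE exists, is owned by
# OWNER:GROUP and grants no permission bit outside MAXMODE (octal)
check_file() {
  local f=$1 owner=$2 group=$3 maxmode=$4 have mode
  [ -f "$f" ] || { echo "MISSING $f"; return 1; }
  have=$(stat -c '%U:%G' "$f")
  mode=$(stat -c '%a' "$f")
  if [ "$have" != "$owner:$group" ]; then
    echo "OWNER   $f is $have, expected $owner:$group"; return 1
  fi
  # any bit set in mode but cleared in maxmode means the file is too open
  if [ $(( 0$mode & ~0$maxmode )) -ne 0 ]; then
    echo "MODE    $f is $mode, expected at most $maxmode"; return 1
  fi
  echo "ok      $f $have $mode"
}

# check_node_files -> 0 when every file passes: secrets 0600, certificates 0644,
# everything owned by mysql:mysql as Steps 2 and 3 require
check_node_files() {
  local rc=0 f
  for f in "$KEY_DIR/keyfile.enc" "$KEY_DIR/keyfile.key" \
           "$TLS_DIR/server-key.pem" "$TLS_DIR/client-key.pem"; do
    check_file "$f" mysql mysql 600 || rc=1
  done
  for f in "$TLS_DIR/ca-cert.pem" "$TLS_DIR/server-cert.pem" \
           "$TLS_DIR/client-cert.pem"; do
    check_file "$f" mysql mysql 644 || rc=1
  done
  return $rc
}

# Run the checks when invoked as 'check_node_files.sh --run'; sourcing only defines them.
if [ "${1:-}" = "--run" ]; then check_node_files; fi
```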
Step 5: Bootstrap the cluster from Node 1 and add the other nodes
If a new Galera cluster is being configured, start the cluster from node 1 with the following command.
galera_new_cluster
Check the status of the cluster from MariaDB with the following query.
SHOW STATUS LIKE 'wsrep_cluster_size';
Check the MariaDB error log for any errors reported while bootstrapping the node.
If an existing cluster was brought down (Step 1), check the cluster state file with the following command.
vi /var/lib/mysql/grastate.dat
Check the value of safe_to_bootstrap. If safe_to_bootstrap=0, set safe_to_bootstrap=1, then start the cluster with the galera_new_cluster command. Only do this on the node that was shut down last (node 1, when the descending order from Step 1 was followed), as it holds the most recent state; bootstrapping from a node with older state discards the transactions the other nodes committed after it stopped.
Once the cluster is stable, start the MariaDB server on the other 2 nodes using
systemctl start mariadb
Once the DB server is started, it automatically joins the cluster. Verify the cluster size with the query above.
Verify the encryption status of the DB server using the commands given in the respective documents (references 2 and 3).
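A runtime check for the verification described above, added here as an example and not taken from the original document or the referenced encryption documents: it queries the node through the mariadb client (assumed to be in PATH and to read the [client-mariadb] section configured in Step 4, so the checking session itself has to negotiate TLS) and checks the cluster size, the session cipher, the server-side encryption variables, the wsrep provider's TLS settings and the InnoDB tablespace encryption state.

```shell
#!/usr/bin/env bash
# Added example (not part of the original document): runtime checks for one
# node after the restart in Step 5. Assumes the mariadb client is in PATH and
# reads the [client-mariadb] section above, so the checking session itself has
# to negotiate TLS. EXPECTED_NODES matches the three VMs listed at the top.
set -u

EXPECTED_NODES=3

# q SQL -> result rows as tab-separated text, no header line
q() { mariadb -N -B -e "$1"; }
status_value()   { q "SHOW STATUS LIKE '$1'" | cut -f2; }
variable_value() { q "SHOW VARIABLES LIKE '$1'" | cut -f2; }

# verify_node -> 0 when every check passes; prints one line per check
verify_node() {
  local rc=0 size cipher v plain
  size=$(status_value wsrep_cluster_size)
  if [ "$size" = "$EXPECTED_NODES" ]; then echo "ok   wsrep_cluster_size = $size"
  else echo "FAIL wsrep_cluster_size is '$size', expected $EXPECTED_NODES"; rc=1; fi

  # Ssl_cipher is empty when the current session is not protected by TLS
  cipher=$(status_value Ssl_cipher)
  if [ -n "$cipher" ]; then echo "ok   session cipher $cipher"
  else echo "FAIL session is not using TLS"; rc=1; fi

  # the [mariadb] settings above, as the running server actually reports them
  for v in innodb_encrypt_tables innodb_encrypt_log encrypt_binlog \
           encrypt_tmp_disk_tables encrypt_tmp_files require_secure_transport; do
    if [ "$(variable_value "$v")" = "ON" ]; then echo "ok   $v = ON"
    else echo "FAIL $v is not ON"; rc=1; fi
  done

  # replication traffic: the provider must have picked up the socket.ssl_* paths
  if variable_value wsrep_provider_options |
       grep -q 'socket\.ssl_cert *= */etc/mariadb/transit/server-cert.pem'; then
    echo "ok   wsrep provider uses the server certificate"
  else echo "FAIL wsrep_provider_options has no socket.ssl_cert"; rc=1; fi

  # tablespaces the encryption threads have not converted yet (scheme 0 = plain)
  plain=$(q "SELECT COUNT(*) FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
             WHERE ENCRYPTION_SCHEME = 0")
  if [ "$plain" = 0 ]; then echo "ok   all listed InnoDB tablespaces encrypted"
  else echo "WARN $plain tablespace(s) still plain, key rotation in progress"; fi
  return $rc
}

# Run the checks when invoked as 'verify_node.sh --run'; sourcing only defines them.
if [ "${1:-}" = "--run" ]; then verify_node; fi
```

A WARN line is expected right after enabling encryption on an existing data set, while the innodb_encryption_threads are still converting tablespaces; a FAIL line means the node is not in the state Step 4 configured.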
References:
1) Setting up of Galera cluster environment for MariaDB 10.6.5.
2) Data Encryption - Data-at-Rest on MariaDB documentation: creating the encrypted key file and enabling data-at-rest encryption for the DB server.
3) Data Encryption - Data-in-Transit on MariaDB server documentation: creating the CA certificate and the server and client key files and certificates.
4) https://blog.yasithab.com/centos/mariadb-galera-cluster-with-data-at-rest-and-data-in-transit-encryption-on-centos-7/