At Rest Encryption with MySQL and Vault

Tate Mcdaniel
Tate joined Percona in June 2017 as a Remote MySQL DBA. He holds a Bachelors degree in Information Systems and Decision Strategies from LSU. He has 10+ years of experience working with MySQL and operations management. His great love is application query tuning. In his off time, he races sailboats, travels the Caribbean by sailboat, and drives all over in an RV.
Charles Thompson
Charles Thompson is the Senior DBA for Empowered Benefits which implements a custom sharding solution with MySQL. He has over 7 years of experience administrating large scale MySQL deployments.


1.At Rest Encryption with MySQL & Vault Charles Thompson Tate McDaniel Empowered Percona

2.Welcome and Introductions

3. Charles Thompson Empowered Senior MySQL DBA with over seven years of experience in the industry. Proficient in server tuning, query/schema optimization, and troubleshooting. I’ve worked with small & large (400+ instance) scale organizations. I really enjoy scripting solutions to my problems!

4. Tate McDaniel Percona Senior MySQL DBA with 15 years in the industry, 2 years at Percona. Expert at query tuning, schema design, and optimization. In my spare time I do a lot of traveling. A lot. I actually live on a boat and sail around, so I guess you could say I’m always travelling. How is that for freedom? Want to work from “anywhere”, for real? Come talk to me about working for Percona!

5.Working From Home…


7.What Is This Talk About? 1. Reasons for encryption using MySQL and other databases 2. What types of encryption are available to use? 3. When to use the different types of encryption (pros and cons) 4. An overview of a health care use case 5. Percona Server working with Hashicorp’s Vault to achieve data at rest encryption 6. Questions?

8.Reasons for Encryption Modern demands for data security

9.Common Compliance Issues ● GDPR ● PCI DSS ● HIPAA ● Specialized industry (eg. DOD) 9

10.GDPR Requirements “What level of encryption is required for GDPR? 32(1) of the General Data Protection Regulation to implement appropriate technical and organisational measures to secure personal data. The GDPR deliberately does not define which specific technical and organisational measures are considered suitable in each case, in order to accommodate individual factors.“ 1 0 Source:

11.PCI DSS (eg: Monetary Transactions) “PCI encryption requirements Requirement 3 of the Payment Card Industry's Data Security Standard (PCI DSS) is to “protect stored cardholder data.” The public assumes merchants and financial institutions will protect data on payment cards to thwart theft and prevent unauthorized use. … Encryption of cardholder data with strong cryptography is an acceptable method of rendering the data unreadable in order to meet PCI DSS Requirement 3.4” 1 1 Source:

12.HIPAA Requirements (US healthcare) “Furthermore, the HIPAA encryption requirements for transmission security state that covered entities should “implement a mechanism to encrypt PHI whenever deemed appropriate”. This instruction is considerably vague and open to interpretation” Source: 1 2

13.Take Away… Policy makers have “kicked the can” down the road and put the onus on the industry to protect data. 1 3

14.Other Reasons ● Data breach can ruin a business ● Ethical or moral responsibility to protect people ● Protecting business secrets from competition 1 4

15.Types of Encryption Available in the MySQL Ecosystem

16.Types of Encryption ● Encryption at rest ● Encryption in transit ● Encryption in use 1 6

17.Encryption in Use Applications can encrypt data before storing it and decrypt it once retrieved. The application takes responsibility for the data security. 1 7

18.Encryption in Use 1 8

19.Encryption in Transit 1 9

20.Encryption in Transit Followed by use of a UNIX SOCKET connection instead of the TCP/IP mysql connection. 2 0

21.Encryption at Rest Full Disk Encryption 2 1

22.Encryption at Rest Encrypted Database Files (Database Encryption) 2 2

23.Encryption at Rest Application encryption still counts! 2 3

24.Choosing the Right Encryption Pros and cons of the different types of encryption

25.One Thing We Can All Agree On No matter who you are or what you do in the IT world, it is probably best to encrypt data in transit. For MySQL this means TLS + enforcing SSL on user accounts as well as replication users. GRANT … REQUIRE SSL; GRANT … REQUIRE X509; 2 5

26.The Exception Proves the Rule 2 6

27.Another Thing We Can All Agree On MySQL hasn’t got to a point of maturity where “in use” data is encrypted. Use of debuggers like strace can give access to the unencrypted data in memory, etc. 2 7

28.The Exception Proves the Rule Application encryption can ensure data in memory is encrypted. 2 8

29.Encryption at Rest - Costs 2 9