Google donates on-disk encryption to MariaDB, but security risks linger

The latest version of the MySQL database variant has table-level encryption, courtesy of Google, but it won't guard against the most common database attacks

Google donates on-disk encryption to MariaDB, but security risks linger

MariaDB, the binary-compatible fork of MySQL that has gained adherents ranging from Wikipedia to Red Hat, has unveiled version 10.1 with built-in encryption courtesy of another MariaDB fan, Google.

But take heed: The encryption provided by Google -- on-disk encryption of database tables -- doesn't protect against the most common forms of attack levied against databases in the wild.

Tables under lock and key

From a technical standpoint, Google's contributions are impressive, as they provide at-rest encryption for data at the instance and table level. The encryption isn't implemented at the OS or file-system level, but within MariaDB for the XtraDB and InnoDB storage engines. (Another encryption function in 10.1, which encrypts only individual tables, was developed and donated by a different company, Eperi.)

MariaDB claims that encryption support can be added to an existing database without taking it offline, aside from the initial upgrade process. Keys are stored apart from the database in a separate file and can be rotated automatically. Encryption can be applied to temporary tables and files as well (another Eperi feature). Finally, the resulting encrypted table is transparent to database clients, so no changes need to be made on the application side.

However, encryption comes with a performance overhead. According to documentation for the encryption feature, adding encryption drags down performance by approximately 10 percent.

Look out for the injections

The biggest word of warning: On-disk encryption really only protects against direct access of the files themselves -- that is, from someone at the service provider snooping on the disk. It can't guard against hacks levied via SQL injection -- a common mode of attack.

It's possible to protect individual columns or rows with MySQL's native encryption functions, allowing access to that data only to specific users or under special circumstances. But such security has to be implemented by the database developer and typically requires reworking existing client applications as well.

Third-party MySQL encryption solutions have been a staple of the market. Apart from Eperi, Penta Security Systems provides an add-on for MariaDB and MySQL called MyDiamo. Unlike the Google-donated solution, MyDiamo provides column-level encryption and one-way hashing, and the company claims its solution doesn't require modifying a client app.

Google has long been said to make use of MySQL/MariaDB internally, and it previously contributed code to the project from those efforts. The company donated various replication and instance-monitoring bits in 2007 for MySQL 7. Most recently, it unveiled Google Cloud SQL managed database service, though it was based on MySQL, not MariaDB, most likely for the broadest possible compatibility and support.

Copyright © 2015 IDG Communications, Inc.

How to choose a low-code development platform