Encryption at rest #MySQL, before and after


If you don’t encrypt data at rest in MySQL, then potentially sensitive information can be easily extracted from the underlying “ibd” files. This scenario may occur if someone has access to the filesystem of your server, but not necessarily access to MySQL itself.
Here, I’ve simply created a new database called “superSecure”, with one table called “Passwords”, which has one column called “Password” and one row containing the text “YELLOW_SUBMARINE”. By running a simple “cat” command on the ibd file, you can clearly see the text “YELLOW_SUBMARINE” in the output.
However, with these commands, we can encrypt the underlying data:
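-- Load the file-based keyring plugin that holds the encryption key
INSTALL PLUGIN keyring_file SONAME 'keyring_file.so';
-- Tell the plugin where to store its keyring data file
SET GLOBAL keyring_file_data = '/var/lib/mysql-keyring/keyring';
-- Enable InnoDB tablespace encryption for the table created above
ALTER TABLE Passwords ENCRYPTION='Y';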
Once these commands are complete and we view the ibd file again, there is no plain text that can be viewed in the file.
Evidently, this is not foolproof, but it’s one simple way to help secure your data.
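
The before-and-after check described above, as an added example that is not part of the original post: it searches raw tablespace bytes for a known canary value and flags pages that do not look like ciphertext. The 16 KB page size, the 7.5 bits-per-byte threshold (a heuristic, not proof either way) and the two sample buffers are assumptions constructed for this example.

```python
import hashlib
import math
from collections import Counter

PAGE_SIZE = 16384  # InnoDB default page size; adjust if innodb_page_size differs

def entropy(chunk):
    """Shannon entropy in bits per byte (8.0 = indistinguishable from random)."""
    total = len(chunk)
    return -sum(n / total * math.log2(n / total) for n in Counter(chunk).values())

def audit_tablespace(data, canaries, threshold=7.5):
    """Return canary offsets and non-empty pages whose entropy is below threshold."""
    hits = {}
    for canary in canaries:
        offsets, pos = [], data.find(canary)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(canary, pos + 1)
        if offsets:
            hits[canary] = offsets
    low_pages = []
    for start in range(0, len(data), PAGE_SIZE):
        page = data[start:start + PAGE_SIZE]
        if page.count(0) == len(page):  # skip all-zero (empty) pages
            continue
        h = entropy(page)
        if h < threshold:
            low_pages.append((start // PAGE_SIZE, round(h, 2)))
    return {"canary_hits": hits, "low_entropy_pages": low_pages}

def keystream(n, seed=b"constructed"):
    """Deterministic pseudo-random bytes standing in for ciphertext in the demo."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

# Constructed samples, not real .ibd files: one page holding the row in clear,
# one page of random-looking bytes standing in for an encrypted page.
BEFORE = (b"\x00" * 120 + b"YELLOW_SUBMARINE").ljust(PAGE_SIZE, b"\x00")
AFTER = keystream(PAGE_SIZE)

if __name__ == "__main__":
    for label, blob in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_tablespace(blob, [b"YELLOW_SUBMARINE"]))
    # Real use (placeholder path): data = open("/path/to/Passwords.ibd", "rb").read()
```

A clean result on the ibd file says nothing about copies of the row elsewhere on disk, such as redo, undo or binary logs, so the same check is worth running over those files too.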