MySQL encryption for ‘database at rest’ on cloud services

Tags: encryption, MySQL

We are migrating our system to a cloud environment (AWS), and have been given new client requirements for having our MySQL data-at-rest encrypted.

Currently it is unclear how far this should go. It would be very simple to enable disk encryption, however it is being argued internally that this actually only mitigates against disks being stolen (physically or otherwise) but not against server breaches.

It seems there are only limited options to implement DB-layer encryption with MySQL (or more accurately, its drop-in replacements like MariaDB or Percona), and there are some flaws with it currently (such as binlogs and caches not being encrypted). Also, app-layer encryption would be a massive overhead, as the vast majority of queries search on fields that are considered sensitive and thus would need to be encrypted.

What is the current accepted approach to encrypting sensitive data on a MySQL database in a cloud environment? Please note this is not referring to RDS.

Best Answer

Encryption at rest can't address server breaches; it is only intended to mitigate cases of

  • physical data storage theft, and
  • data access by unauthorised people, e.g. cloud technicians.

MariaDB encryption wouldn't be able to effectively deal with either, because stealing the drives would effectively provide root access to the system, including access to the encryption keys and complete unrestricted access to the database. This is also the case with cloud technicians, who can access backup copies of the system or peer into the filesystem by analysing the underlying datastore. MariaDB encryption can minimise the risk of intrusion; however, in order to access the drive or mysql files, the attacker would have to have either root or at least mysql user privileges, and would in that case access not only the files but also the encryption keys.

A good way to ensure encryption at rest is using dm-crypt (or equivalent) to have the OS encrypting the partition where the database files are located, and entering the password manually by an authorised operator at system or RDBMS startup time (i.e. no keys stored in the system at all). This system is not particularly effective against server breaches, but it makes the data completely secure in case of physical storage theft, or access to system backups or underlying datastores.
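The operator-unlocked dm-crypt setup described in the answer above, as an added example that is not part of the original answer or of any MySQL/MariaDB documentation. It assumes a self-managed instance (the question rules out RDS) with the data volume attached as /dev/xvdf, a dm-crypt mapping named mysqldata, the datadir at /var/lib/mysql and the database running as the systemd unit mariadb; all four names are assumptions and can be overridden through environment variables. The two check functions read /etc/crypttab- and /proc/mounts-style text from stdin, so they can be run against the live files or against a copy taken from a backup image.

```shell
#!/bin/sh
# Added example, not code from the original answer.  Operator-unlocked
# dm-crypt/LUKS volume for a self-managed MySQL/MariaDB data directory,
# following the approach described in the answer above.
# Assumed names (not from the original page): data volume /dev/xvdf,
# mapper "mysqldata", datadir /var/lib/mysql, systemd unit "mariadb".

DEVICE="${DEVICE:-/dev/xvdf}"
MAPPER="${MAPPER:-mysqldata}"
DATADIR="${DATADIR:-/var/lib/mysql}"
SERVICE="${SERVICE:-mariadb}"

# One-time setup (destroys whatever is on DEVICE): format as LUKS2 with a
# passphrase typed by the operator, create a filesystem, close again.
format_volume() {
  cryptsetup luksFormat --type luks2 "$DEVICE"
  cryptsetup open "$DEVICE" "$MAPPER"
  mkfs.ext4 "/dev/mapper/$MAPPER"
  cryptsetup close "$MAPPER"
}

# Run by an operator after every boot.  cryptsetup prompts for the
# passphrase on the terminal; no key material is written to disk, and the
# database is only started once the datadir sits on the decrypted mapping.
unlock_and_start() {
  cryptsetup open "$DEVICE" "$MAPPER"
  mount "/dev/mapper/$MAPPER" "$DATADIR"
  systemctl start "$SERVICE"
}

# Reverse of the above, e.g. before a snapshot or backup is taken that
# should only ever contain ciphertext.
stop_and_lock() {
  systemctl stop "$SERVICE"
  umount "$DATADIR"
  cryptsetup close "$MAPPER"
}

# Check 1: /etc/crypttab-style text on stdin must not name a key file for
# the mapper.  A key field of "none", "-" or nothing means "prompt"; any
# other value means a key is stored on the root filesystem, which is the
# same weakness the answer attributes to MariaDB's own encryption.
# Exit status 0 = prompt only, 1 = a key file is configured.
crypttab_prompts_only() {
  awk -v name="$1" '
    /^[ \t]*(#|$)/ { next }
    $1 == name && NF >= 3 && $3 != "none" && $3 != "-" { bad = 1 }
    END { exit (bad ? 1 : 0) }
  '
}

# Check 2: /proc/mounts-style text on stdin must show the datadir mounted
# from the dm-crypt mapping, so the database files cannot land on the
# plaintext root volume by mistake.  Exit status 0 = mounted from mapper.
datadir_on_mapper() {
  awk -v dev="/dev/mapper/$1" -v mnt="$2" '
    $1 == dev && $2 == mnt { found = 1 }
    END { exit (found ? 0 : 1) }
  '
}

# Run both checks against the live system.
verify_deployment() {
  crypttab_prompts_only "$MAPPER" < /etc/crypttab || {
    echo "crypttab stores a key file for $MAPPER" >&2; return 1; }
  datadir_on_mapper "$MAPPER" "$DATADIR" < /proc/mounts || {
    echo "$DATADIR is not mounted from /dev/mapper/$MAPPER" >&2; return 1; }
  echo "ok: $DATADIR is on operator-unlocked dm-crypt volume $MAPPER"
}

case "${1:-}" in
  format) format_volume ;;
  unlock) unlock_and_start ;;
  lock)   stop_and_lock ;;
  verify) verify_deployment ;;
  *)      echo "usage: $0 {format|unlock|lock|verify}" >&2 ;;
esac
```

The `verify` step is the part worth automating: a later "convenience" change that adds a key file to /etc/crypttab (or an unlock script with the passphrase in it) silently turns this back into the MariaDB-style situation the answer warns about, where anyone with root on the box or a copy of its disks also has the key. Note that an operator who must be present at every reboot is the price of having no key on the system; that is a deliberate trade-off, not an oversight.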