
I'm trying to encrypt my MySQL database at rest. I have been looking at TrueCrypt and EFS - I ultimately went with EFS because I can simply encrypt an existing folder without having to create a volume, etc.

However, I'm running into a problem when I encrypt my MySQL data folder using EFS: upon encryption, the MySQL service will not start back up. Once I remove encryption/decrypt, the MySQL service will successfully start.

I am running Windows 2008 R2

I'm not quite sure why this is occurring or how to fix this; I'd appreciate advice.

99823
  • Is the MySQL service running as the same user that encrypted the directory? – Ryan Ries May 21 '14 at 14:33
  • Hi Ryan - it is not - I just checked, MySQL server is running as "Network Service" whereas "Administrator" encrypted the directory. Now is it safe to change the MySQL service to run under the administrator account? – 99823 May 21 '14 at 14:34
  • I would not recommend that, as that would allow any exploits and bugs that affect MySQL to run as Administrator. I would make a separate service account for it. The thing with EFS is that it uses an X509 certificate/key pair to do the encrypting and decrypting, and that certificate is bound to a particular user account. – Ryan Ries May 21 '14 at 14:40
  • Interesting... should the user I create belong to the User group - would that be secure or is there a better group it would fit in? Sorry, I'm really dumb when it comes to user accounts/groups in Windows. – 99823 May 21 '14 at 14:44
  • Yes, that would be a better fit. – MichelZ May 21 '14 at 14:49
  • Ryan - since you were the first to solve the problem I'd like to give you credit for the answer, can you post an answer so I can accept it? – 99823 May 21 '14 at 15:10

2 Answers


At your request, 99823.

HopelessN00b, Genius of Network and Lord of All That Is I.T. seized the opportunity to post an answer, taking advantage of my indecisiveness!

Me: Is the MySQL service running as the same user that encrypted the directory?

You: Hi Ryan - it is not. Mysql server is running as "Network Service" whereas "Administrator" encrypted the directory. Now is it safe to change the mysql service to run under the administrator account?

Me: I would not recommend that, as that would allow any exploits and bugs that affect MySQL to run as Administrator. I would make a separate service account for it. The thing with EFS is that it uses an X509 certificate/key pair to do the encrypting and decrypting, and that certificate is bound to a particular user account.

Ryan Ries

Your problem is that the user account running MySQL is not the same account that encrypted the folder, so MySQL cannot access the folder. EFS uses an X509 certificate pair bound to a specific user account for the encryption and decryption.

Your best bet, therefore, is to create a service account and use that account to both run MySQL and perform the EFS encryption on the folder. Best security practice indicates this account should be a limited account (normal user) to prevent any MySQL exploits from gaining Administrative rights on the machine.

HopelessN00b
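
A check for the account mismatch both answers describe, as an added example that is not part of the original thread: it reads the service's logon account and compares it with the users `cipher /c` reports as able to decrypt each EFS-encrypted file. The service name `MySQL` and the data directory path are placeholders to adjust, and the name comparison against the `cipher` output is a text-match heuristic.

```powershell
# Added diagnostic sketch; not code from the thread. Uses Get-WmiObject so it
# also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2.
$ServiceName = 'MySQL'                       # assumption: check the real service name
$DataDir     = 'C:\ProgramData\MySQL\data'   # assumption: placeholder data directory

# 1. Which account does the service log on as?
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$account   = $svc.StartName                  # e.g. NT AUTHORITY\NetworkService, .\svc-mysql
$shortName = ($account -split '\\')[-1]      # account name without domain/machine prefix
"Service '$ServiceName' logs on as: $account"

# 2. Collect the files that carry the EFS 'Encrypted' attribute.
$encrypted = Get-ChildItem -Path $DataDir -Recurse -Force |
    Where-Object {
        -not $_.PSIsContainer -and
        ($_.Attributes -band [IO.FileAttributes]::Encrypted)
    }
if (-not $encrypted) {
    "No EFS-encrypted files under $DataDir"
    return
}

# 3. For each file, list who can decrypt it and flag files the service account
#    does not appear on. cipher /c prints the users and certificate thumbprints.
$unreadable = @()
foreach ($file in $encrypted) {
    $info  = & cipher.exe /c $file.FullName
    $found = [bool]($info | Select-String -SimpleMatch -Pattern $shortName)
    if (-not $found) { $unreadable += $file.FullName }
}

# 4. Report. Any hit here matches the symptom in the question: the service
#    cannot open its own data files and fails to start.
if ($unreadable.Count -gt 0) {
    "Account '$account' is not listed as able to decrypt $($unreadable.Count) file(s):"
    $unreadable | Select-Object -First 10
    "Full EFS details for the first one:"
    & cipher.exe /c $unreadable[0]
} else {
    "Account '$account' appears on every encrypted file under $DataDir"
}
```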