
I am following the instructions here to encrypt a database in MariaDB: https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/

Obviously, it requires us to generate a key which will be used to encrypt the database. We can simply provide it with the key but it also allows us to further encrypt the key with a password like this:

openssl enc -aes-256-cbc -md sha1 -k secret -in keys.txt -out keys.enc

my.cnf
[mysqld]
file_key_management_encryption_algorithm=aes_cbc
file_key_management_filename = /home/mdb/keys.enc
file_key_management_filekey = secret

But how can encrypting the key further increase security level? Imagine the case in which the hard disk drive is stolen, how can encrypting the key make it more difficult for the attacker to decrypt the database data?

Thomas
bobo

1 Answer


Encrypting the key only makes sense if the passphrase for the key is not stored on the server. It's completely pointless to keep the key and ciphertext co-located.

If you're able to manually enter the key on boot or have the system fetch and store it in RAM using something like HashiCorp's Vault, then sure, there's some added security.

EEAA
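The answer's point, that a passphrase stored on the same server as keys.enc adds nothing against disk theft, can be turned into a quick audit of a my.cnf. The script below is an added example, not part of the answer above and not a MariaDB tool; it reads file_key_management_filekey and reports whether the passphrase ships with the ciphertext. It also covers the FILE:/path form that MariaDB accepts for that option, which keeps the passphrase out of my.cnf but still leaves it on the server's disk. The sample config and temporary paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: check how the passphrase for MariaDB's encrypted key file is stored.
# The config content below is constructed; it mirrors the snippet from the question.

# Print the value of file_key_management_filekey from a my.cnf (first match only).
# Tolerates spaces around '=' and a trailing '#' comment; prints nothing if absent.
get_filekey() {
    sed -n 's/^[[:space:]]*file_key_management_filekey[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p' "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Classify the option value:
#   none    -> option absent, MariaDB reads the key file as plaintext
#   file    -> FILE:/path, passphrase kept in a separate file on this server
#   literal -> passphrase written directly into my.cnf
classify_filekey() {
    case "$1" in
        "")      echo none ;;
        FILE:*)  echo file ;;
        *)       echo literal ;;
    esac
}

# Human-readable verdict for one config. Every case here means the secret that
# unlocks keys.enc is on the same disk as keys.enc; a passphrase typed at boot or
# fetched from an external secret store never appears in the config at all.
verdict() {
    case "$(classify_filekey "$1")" in
        none)    echo "keys file is not encrypted: key material is readable from disk" ;;
        literal) echo "passphrase is in my.cnf: encrypting the key file adds nothing against disk theft" ;;
        file)    echo "passphrase is in a file on this server: same exposure as a literal in my.cnf" ;;
    esac
}

# Demo on a constructed config written to a temporary file.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[mysqld]
file_key_management_encryption_algorithm=aes_cbc
file_key_management_filename = /home/mdb/keys.enc
file_key_management_filekey = secret
EOF
    verdict "$(get_filekey "$tmp")"
    rm -f "$tmp"
}

demo
```

Run it against a real my.cnf by calling `verdict "$(get_filekey /etc/my.cnf)"`. Only a config with no stored passphrase at all, where the value is supplied at startup from outside the disk, escapes all three verdicts.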