Steps to configure in-transit encryption for MariaDB

To configure in-transit encryption for MariaDB, you use SSL/TLS to encrypt communication between the MariaDB server and its clients. Here’s a step-by-step guide:

1. Prerequisites

  • MariaDB version: TLS encryption is supported starting from MariaDB 5.5. For enhanced security, use MariaDB 10.2 or higher.
  • SSL/TLS Certificate: You need server-side certificates. These can be:
    • Self-signed certificates (for testing).
    • Certificates issued by a trusted Certificate Authority (CA) for production environments.

2. Generate SSL/TLS Certificates

Option 1: Self-Signed Certificate

  1. Generate a private key and certificate authority (CA) certificate:

openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 365 -key ca-key.pem -out ca-cert.pem

  2. Generate a server key and certificate:

openssl genrsa 2048 > server-key.pem
openssl req -new -key server-key.pem -out server-req.pem
openssl x509 -req -in server-req.pem -days 365 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

  3. Generate a client key and certificate (use a serial number different from the server certificate's; a CA must not issue two certificates with the same serial):

openssl genrsa 2048 > client-key.pem
openssl req -new -key client-key.pem -out client-req.pem
openssl x509 -req -in client-req.pem -days 365 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
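The three certificate steps above, scripted end to end as an added example (this is not code from the original post): it answers the openssl prompts with -subj so it runs unattended, gives the CA, server and client distinct Common Names and distinct serial numbers, and checks both leaf certificates against the CA with openssl verify. The Common Names, file names and the directory argument are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: build a private CA plus server
# and client certificates non-interactively (-subj instead of prompts), then
# verify both leaf certificates against the CA. The Common Names, file names
# and the directory argument are constructed placeholders.

make_test_pki() {
  dir="$1"
  mkdir -p "$dir"

  # CA key and self-signed CA certificate. The CA's Common Name must differ
  # from the server and client CNs: when subject and issuer are identical,
  # OpenSSL treats the leaf certificate as self-signed and verification fails.
  openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -nodes -days 365 -key "$dir/ca-key.pem" \
    -subj "/CN=Example Test CA" -out "$dir/ca-cert.pem" 2>/dev/null

  # Server key, request and CA-signed certificate (serial 01). The CN is the
  # host name clients will connect to, so host name verification can succeed.
  openssl genrsa -out "$dir/server-key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/server-key.pem" -subj "/CN=db.example.test" \
    -out "$dir/server-req.pem" 2>/dev/null
  openssl x509 -req -in "$dir/server-req.pem" -days 365 \
    -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -set_serial 01 \
    -out "$dir/server-cert.pem" 2>/dev/null

  # Client key, request and CA-signed certificate. Serial 02, not 01 again:
  # RFC 5280 requires every certificate issued by one CA to carry a unique
  # serial number, and some TLS stacks treat a duplicate as the same cert.
  openssl genrsa -out "$dir/client-key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/client-key.pem" -subj "/CN=app-client" \
    -out "$dir/client-req.pem" 2>/dev/null
  openssl x509 -req -in "$dir/client-req.pem" -days 365 \
    -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -set_serial 02 \
    -out "$dir/client-cert.pem" 2>/dev/null

  # Private keys are readable by their owner only.
  chmod 600 "$dir/ca-key.pem" "$dir/server-key.pem" "$dir/client-key.pem"
}

# Succeed only if certificate $2 in directory $1 chains to that directory's CA.
verify_leaf() {
  openssl verify -CAfile "$1/ca-cert.pem" "$1/$2" >/dev/null 2>&1
}

# Print a certificate's serial number, e.g. "serial=01".
cert_serial() {
  openssl x509 -noout -serial -in "$1"
}

# Usage: sh this-script.sh /path/to/pki-dir
if [ -n "${1:-}" ]; then
  make_test_pki "$1"
  verify_leaf "$1" server-cert.pem && verify_leaf "$1" client-cert.pem \
    && echo "server and client certificates verify against ca-cert.pem"
fi
```

Run it with a scratch directory as the argument and inspect the result with openssl x509 -noout -text -in server-cert.pem. The two constraints worth remembering from this script are the ones the interactive prompts make easy to get wrong: the CA's Common Name has to differ from the server's and client's, and each certificate the CA issues needs its own serial number.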

3. Configure the MariaDB Server

  1. Copy Certificates to a Secure Location: Place the generated certificates in a secure directory (e.g., /etc/mysql/ssl). The server process must be able to read them, so make the files owned by the account MariaDB runs as (mysql on most distributions). Example:

sudo mkdir -p /etc/mysql/ssl
sudo cp {ca-cert.pem,server-cert.pem,server-key.pem} /etc/mysql/ssl/
sudo chown mysql:mysql /etc/mysql/ssl/*.pem
sudo chmod 600 /etc/mysql/ssl/*.pem

  2. Edit the MariaDB Configuration File (my.cnf): Add the following under the [mysqld] section:

[mysqld]
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem

  3. Restart MariaDB:

sudo systemctl restart mariadb

  4. Verify SSL is Enabled: Log into MariaDB and check:

SHOW VARIABLES LIKE '%ssl%';

Look for:

  • have_ssl = YES
  • ssl_ca, ssl_cert, ssl_key showing the correct paths.

4. Configure MariaDB Clients

  1. Install the Client Certificate: Copy ca-cert.pem, client-cert.pem, and client-key.pem to the client machine (e.g., /etc/mysql/ssl/).

  2. Modify the Client Configuration (my.cnf): Add the following under [client]:

[client]
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/client-cert.pem
ssl-key=/etc/mysql/ssl/client-key.pem

  3. Force SSL Connections (Optional): Connect to MariaDB and require SSL for specific users:

ALTER USER 'your_user'@'%' REQUIRE SSL;

  4. Connect with SSL: Use the --ssl flag when connecting:

mysql -u your_user -p --ssl

--ssl by itself only encrypts the session. To make the client also check that the server's certificate chains to ca-cert.pem and matches the host name you connect to, add --ssl-verify-server-cert as well.

5. Test the Configuration

  1. Check Client SSL Status: After connecting, run:

SHOW STATUS LIKE 'Ssl_%';

Key fields to check:

  • Ssl_cipher: Should show an active cipher (e.g., TLS_AES_256_GCM_SHA384).
  • Ssl_version: Should show the TLS version used (e.g., TLSv1.3).

  2. Capture Network Traffic: Use a tool like Wireshark to ensure data between client and server is encrypted.
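The Ssl_cipher and Ssl_version check above, turned into a pass/fail test as an added example (not part of the original post). The function reads the tab-separated rows that mysql --batch -e "SHOW STATUS LIKE 'Ssl_%'" prints and accepts only a session that negotiated TLS 1.2 or 1.3 with a cipher; an empty Ssl_cipher means the connection is plaintext. The two sample outputs are constructed, not captured from a real server.

```shell
# Added example, not from the original post: evaluate the Ssl_* status rows
# printed by:  mysql --batch -e "SHOW STATUS LIKE 'Ssl_%'"
# Input on stdin is "Variable_name<TAB>Value" per line (header included).
# Returns 0 only when a cipher is negotiated and the protocol is TLS 1.2/1.3.
assess_tls_status() {
  awk -F'\t' '
    $1 == "Ssl_version" { version = $2 }
    $1 == "Ssl_cipher"  { cipher  = $2 }
    END {
      # No cipher at all: the client connected without TLS.
      if (cipher == "") { print "FAIL: no cipher negotiated, session is plaintext"; exit 1 }
      if (version == "TLSv1.3" || version == "TLSv1.2") { print "OK: " version " " cipher; exit 0 }
      # TLSv1, TLSv1.1 or anything unrecognised is reported as a failure.
      print "FAIL: weak or unknown protocol \"" version "\" with cipher " cipher; exit 1
    }'
}

# Constructed sample of an encrypted session, in the client batch format.
SAMPLE_TLS13=$(printf 'Variable_name\tValue\nSsl_cipher\tTLS_AES_256_GCM_SHA384\nSsl_version\tTLSv1.3\n')

# Constructed sample of a plaintext session: every Ssl_* value is empty.
SAMPLE_PLAIN=$(printf 'Variable_name\tValue\nSsl_cipher\t\nSsl_version\t')

# Usage: mysql --batch -u your_user -p --ssl -e "SHOW STATUS LIKE 'Ssl_%'" | sh this-script.sh
if [ ! -t 0 ] && [ -z "${NO_STDIN_DEMO:-}" ] && [ -n "${1:-}" ]; then
  assess_tls_status
fi
```

Because the check is a small filter, it slots into a cron job or a deployment smoke test: pipe the batch output in and act on the exit status. Wireshark remains the confirmation that bytes on the wire are actually ciphertext; this function only confirms what the server believes about the session.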

6. Enforce Secure Connections

To ensure all connections use encryption:

  1. Update my.cnf:

[mysqld]
require_secure_transport=ON

  2. Restart MariaDB:

sudo systemctl restart mariadb

With require_secure_transport=ON, only encrypted connections will be allowed.
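A configuration audit covering sections 3 and 6 together, added here as an example (not code from the original post): it reads a my.cnf-style file and passes only when the [mysqld] section points ssl-ca, ssl-cert and ssl-key at files that exist, the private key is mode 0600, and require_secure_transport=ON. The option names are MariaDB's; the file paths used in the usage line are assumptions.

```shell
# Added example, not from the original post: audit a my.cnf-style file for the
# in-transit settings this guide configures. Passes only when [mysqld] sets
# ssl-ca, ssl-cert and ssl-key to existing files, the private key is mode
# 0600, and require_secure_transport=ON. Paths in the usage line are assumptions.

# Print the value of option $2 (underscore form, e.g. ssl_ca) from the [mysqld]
# section of file $1. MariaDB accepts "ssl-ca" and "ssl_ca" alike, so dashes are
# normalised to underscores before comparing. Prints nothing when unset.
mysqld_option() {
  awk -v want="$2" '
    /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/); next }
    in_mysqld && !/^[ \t]*[#;]/ {
      n = split($0, kv, "=")
      key = kv[1]; gsub(/[ \t]/, "", key); gsub(/-/, "_", key)
      if (key == want) {
        val = (n > 1) ? kv[2] : ""
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        print val; exit
      }
    }' "$1"
}

# Report every weakness found; return 0 only when all checks pass.
check_mysqld_tls() {
  cnf="$1"; rc=0
  for opt in ssl_ca ssl_cert ssl_key; do
    path=$(mysqld_option "$cnf" "$opt")
    if [ -z "$path" ]; then
      echo "FAIL: $opt is not set under [mysqld]"; rc=1
    elif [ ! -f "$path" ]; then
      echo "FAIL: $opt points to a missing file: $path"; rc=1
    fi
  done

  # The private key must not be readable by other local accounts.
  key=$(mysqld_option "$cnf" ssl_key)
  if [ -f "$key" ] && [ -z "$(find "$key" -perm 0600)" ]; then
    echo "FAIL: $key is not mode 0600"; rc=1
  fi

  # Without this, clients can still log in over plaintext TCP even though
  # the server has certificates configured.
  rst=$(mysqld_option "$cnf" require_secure_transport)
  case "$rst" in
    ON|on|1) ;;
    *) echo "FAIL: require_secure_transport is '${rst:-unset}', plaintext TCP logins are still accepted"; rc=1 ;;
  esac

  if [ "$rc" -eq 0 ]; then
    echo "OK: TLS files configured and plaintext transport disabled"
  fi
  return "$rc"
}

# Usage: sh this-script.sh /etc/mysql/my.cnf
if [ -n "${1:-}" ]; then
  check_mysqld_tls "$1"
fi
```

Run it against the file you edited in sections 3 and 6; a configuration with the certificate paths but without require_secure_transport=ON fails the last check, which is the state a server is left in after section 3 alone. The check is about TCP listeners only: MariaDB treats local Unix-socket connections as secure transport and keeps accepting them with require_secure_transport=ON.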

Additional Notes

  • Always use certificates from a trusted CA in production environments.
  • If using self-signed certificates in production, distribute the ca-cert.pem securely to all clients.
  • Keep your MariaDB server and OpenSSL libraries up-to-date to avoid vulnerabilities.
