Looks to me like there are set of encryption files that are read at startup by some kind of utility that comes with Maria. Perl wouldn't have a role in that part. If you configure the DB to encrypt all files, looks like the DBI wouldn't know or care about that. However the default is to decide encryption on a table by table basis with some additional parms to CREATE TABLE or ALTER. Something like: CREATE TABLE T (id int, value varchar(255)) ENCRYPTED=YES ENCRYPTION_KEY_ID=17;. Whether or not these extra SQL parms work with the current DBI, I don't know. Sorry that I can't help further. It was an interesting question and I learned a bit of new stuff.
update: Oh, you need MariaDB 10.1.4. Looks like once tables are created, this is pretty much transparent to the user except for a 3-5% performance hit, which is less than I would have thought. you write "My limited understanding is that you provide certain credentials (keyfile) at login", it appears that the key file is read by the DB when it starts, not supplied dynamically on a per login or connection basis. This at rest encryption just ensures that as long as you keep the keyfile and dbfile separate (presumably on different HD's or computers), even having the dbfile gets you nowhere. There is no protection from SQL injection attacks or unauthorized users. This protects against somebody who has access to the file system and could make a copy of the dbfile.
In reply to Re^3: DBD::mysql to MariaDB with at rest encryption
by Marshall
in thread DBD::mysql to MariaDB with at rest encryption
by gwhite
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |