How Google encryption is helping tighten MariaDB security

The release candidate of MariaDB 10.1 is out today, bringing built-in encryption donated by Google to the MySQL database fork.
Written by Toby Wolpe, Contributor

Database encryption software developed by Google today makes its entrance in the latest release of MySQL fork MariaDB.

The release candidate of MariaDB Server 10.1, due for general availability in early October, features full built-in encryption for all data in tables, as well as for log files and temporary information.

Search-to-advertising giant Google has given the MariaDB open-source community the encryption technology it created for its own internal purposes, which includes extensive use of the database.

As well as the security boost from native encryption, the 10.1 release candidate offers new password management features and better role-based access control, together with performance and replication improvements and enhanced availability through Galera Cluster integration.

"People spend lots and lots of time on lots of different security aspects. But encryption and password management get you an awful lot," MariaDB Corp product vice president Roger Levy said.

"When you look at many exploits, yes, in some cases they find flaws in the software that they're able to exploit. But in so many cases what people find is an easy password someplace, a sysadmin or a root password that lets them come in and take over. So the other thing that we've really focused on is really going and hardening the password process."

MariaDB is the community-developed branch of Oracle's open-source MySQL database, acquired for $1bn by Sun Microsystems, which in turn was bought by Oracle for $7.4bn in 2010.

By then, some of the database's original creators had already left to create MariaDB. Last October, commercial MariaDB company SkySQL announced it was changing its name to MariaDB Corp.

According to Levy, having the Google encryption built into MariaDB makes it transparent to the application and offers a number of advantages over gateways that sit between apps and the database or file-system encryption schemes.

"They certainly also are options but they have their disadvantages. They're yet another system to administer, another system to pay for. Any time you add another element, even if it's a security element, it also unfortunately introduces additional security vulnerabilities. You have to keep the software patched and other things," he said.

"MariaDB uses an external key-management system, so the key is not stored as part of the database, which adds additional security. It enforces key rotation, so you have to use a new key at certain time intervals. That's just best practice overall."

For more rigorous password management, 10.1 features a password-validation plugin and password improvements to servers, allowing password-expiration dates to be set, and the locking of passwords after failed attempts.

The integration of Galera Cluster directly into the MariaDB Server binary is designed to make it simpler to deploy the synchronous, multi-master database clustering software, which offers real replication, giving higher availability than that provided by single instances or traditional failover.

It is used for applications that involve lots of updates to the database - for example, in online gaming. In the case of a failure, Galera manages the process of keeping the system up and online, even if parts of the database infrastructure go offline.

"That's a technology that we have offered a long time commercially through our MariaDB Cluster offering but within the 10.1 release we integrated the code directly in. It just drives forwards ease of use and keeping things simple for people to be able to quickly use Galera Cluster and not have to set it up separately and then bring the two pieces together," Levy said.

"In addition to Galera Cluster, there are a number of small and very specific technical enhancements designed to improve performance - many small enhancements to the InnoDB engine that just drive greater levels of performance, and other things around interoperability."

These features include giving the Connect storage engine, which allows mapping back and forth between relational database data structures and other data structures, support for JSON and BSON documents, enabling a JSON document to be mapped into a MariaDB relational table.
