Knowledge BaseMetric InsightsSystem DatabaseEncrypting database data at rest in Metric Insights

Encrypting database data at rest in Metric Insights

QUESTION

 How the Metric Instance instance and the database elements are encrypted at rest? We are looking specifically at the backend data stores themselves.

ANSWER

MySQL does not provide an encryption mechanism by default for the physical db files in /var/lib/mysql. There is an option for it but the decryption key must lie in plaintext on the same server (low level security).

If encryption at rest is needed, you could use RDS encryption settings (unyour AWS cloud) but that's if you've moved the MI database off of EC2 to RDS to begin with.

Please reference to this doc: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html

You could also potentially use AES block encryption using the command mi-crypto-mgr. However, this requires ecryptfs and will use a key on disk to encrypt the db files. This method is untested and most likely does not work on RedHat7/Centos7 because ecryptfs was deprecated.