Providing transparent data encryption at scale, with high usability and a low TCO, has been a challenge for legacy databases and remains one for modern databases. The reason is that key management and HSM solutions were not designed for the scale and performance of large database deployments, and they have changed little in many years.
The frustrating bottom line is that the number of databases and the volume of data grow much faster than innovation in data encryption.
Fortanix Data Security Manager™ (DSM) was designed to meet exactly these requirements: scale, performance, breadth and depth of features and, most of all, operational flexibility. Incorporating key management, HSM, tokenization and secrets management in one enterprise encryption platform, DSM can run in the cloud, on-premises or in hybrid environments, and can also be delivered as SaaS or as a managed service. DSM uses Intel SGX® processors to store keys securely inside the HSM, making it the most secure encryption solution for any database.
Presently, DSM is the only solution backed by hardware for encryption of data-at-rest in MariaDB.
- Ease of Use
- Fine-Grained Control
- Key Lifecycle Management
Fortanix DSM for MariaDB database encryption
Following MariaDB’s best practices, Fortanix created a plugin that integrates with DSM to generate and manage the AES keys required to encrypt data in MariaDB. The plugin generates and manages the encryption keys and carries out the actual encryption and decryption of the data. It seamlessly supports the use of multiple encryption keys, which are stored securely in DSM with hardware-level protection. To encrypt new data or decrypt existing data, the database stores only the key metadata and uses it to fetch the key from DSM when needed, so the keys are never exposed when not in use.
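To make the key-reference mechanism above concrete, here is an added model (written for this page; it is not the Fortanix plugin or the DSM API) of a MariaDB-style key-management plugin that stores only key metadata next to the encrypted data and fetches the key from a KMS at use time, including rotation to a new key version. `MockDsm`, the HMAC-based toy keystream and the page header layout are assumptions for the illustration; a real plugin would use AES and the vendor's KMS client.

```python
import hashlib
import hmac
import os
import struct


class MockDsm:
    """Stand-in for an external KMS/HSM (constructed for this example).
    Key bytes live only here; the database side never persists them."""

    def __init__(self):
        self._keys = {}    # (key_id, version) -> 32-byte key
        self._latest = {}  # key_id -> latest version number

    def create_key(self, key_id):
        version = self._latest.get(key_id, 0) + 1
        self._keys[(key_id, version)] = os.urandom(32)
        self._latest[key_id] = version
        return version

    def get_latest_key_version(self, key_id):
        return self._latest[key_id]

    def get_key(self, key_id, version):
        return self._keys[(key_id, version)]


# Per-page header: key_id, key_version, nonce. This metadata is all the
# database keeps on disk; it identifies, but does not contain, the key.
HEADER = struct.Struct(">II12s")


def _keystream(key, nonce, length):
    # Toy CTR-style keystream from HMAC-SHA256 (stdlib only); AES in practice.
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def encrypt_page(dsm, key_id, plaintext):
    version = dsm.get_latest_key_version(key_id)  # always wrap with newest version
    nonce = os.urandom(12)
    key = dsm.get_key(key_id, version)            # fetched only for this operation
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return HEADER.pack(key_id, version, nonce) + body


def decrypt_page(dsm, blob):
    key_id, version, nonce = HEADER.unpack_from(blob)  # metadata -> key lookup
    key = dsm.get_key(key_id, version)
    body = blob[HEADER.size:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def rotate_and_rewrap(dsm, key_id, blob):
    """Key rotation: mint a new version, then re-encrypt the page under it.
    Pages not yet rewritten still decrypt, because their header names the old version."""
    dsm.create_key(key_id)
    return encrypt_page(dsm, key_id, decrypt_page(dsm, blob))
```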
Technical details and a user guide for data-at-rest encryption in MariaDB using Fortanix DSM.
About Fortanix Data Security Manager (DSM)
- The next-generation cryptographic services platform, offering key generation, management, distribution, encryption-as-a-service, secrets management, tokenization and HSM — all delivered as a single product.
- Available in multiple deployment modes: SaaS, dedicated-tenant, managed tenant and self-hosted service.
- DSM’s SGX hardware is FIPS 140-2 Level 3 certified.
- Offers simple central management, server-side load balancing, central tamper-proof logging, RESTful APIs, a Confidential Computing plugin to run custom code, and wide integration with leading public clouds, databases and other solutions.