MySQL Encryption at Rest and in Transit: InnoDB, TLS, and Binary Log Encryption

Encrypt MySQL data at rest with InnoDB tablespace encryption and in transit with TLS. Covers keyring plugin, require_secure_transport, and binary log encryption.

JusDB Team
April 7, 2025

Encrypting MySQL data at rest and in transit protects against storage theft and network interception. This guide covers InnoDB tablespace encryption, TLS setup, and binary log encryption.

Encryption at Rest: InnoDB Tablespace Encryption

```sql
-- Load the keyring plugin before InnoDB starts (MySQL 8.0+). Add to my.cnf:
--   [mysqld]
--   early-plugin-load=keyring_file.so
--   keyring_file_data=/var/lib/mysql-keyring/keyring
-- keyring_file keeps the master key on the same host as the data: restrict the
-- file to the mysql OS user and prefer a KMS-backed keyring in production.

-- Encrypt a new table
CREATE TABLE sensitive_data (
  id INT PRIMARY KEY,
  payload TEXT
) ENCRYPTION='Y';

-- Encrypt an existing table. This rewrites the table with ALGORITHM=COPY
-- (in-place is not supported), so plan for the rebuild time and disk space.
ALTER TABLE existing_table ENCRYPTION='Y';

-- Check which tablespaces are encrypted
SELECT name, encryption
FROM information_schema.innodb_tablespaces
WHERE encryption = 'Y';
```

Encrypt the MySQL System Tablespace

The mysql system tablespace itself is encrypted with ALTER TABLESPACE mysql ENCRYPTION = 'Y'; (MySQL 8.0.16+). The server options below make new tables encrypted by default and cover the redo and undo logs, which otherwise hold row data in plaintext. innodb_encrypt_tables and innodb_encrypt_log are MariaDB option names; MySQL does not recognise them and refuses to start when they are present.

```ini
[mysqld]
# All three require the keyring plugin from the previous section
default_table_encryption = ON    # new tables/tablespaces encrypted unless ENCRYPTION='N' (8.0.16+)
innodb_redo_log_encrypt  = ON
innodb_undo_log_encrypt  = ON
```

TLS for Client Connections

```bash
# Generate a self-signed CA plus server and client certs. MySQL 8.0 does this
# automatically at data-directory initialization (auto_generate_certs=ON), and
# mysql_ssl_rsa_setup is deprecated in 8.0; use CA-issued certs in production.
mysql_ssl_rsa_setup --datadir=/var/lib/mysql

# This creates: ca.pem, server-cert.pem, server-key.pem, client-cert.pem, client-key.pem
# Clients should connect with --ssl-mode=VERIFY_CA (or VERIFY_IDENTITY) and --ssl-ca=ca.pem;
# an encrypted but unverified connection does not stop an impersonating server.
```

```ini
[mysqld]
ssl_ca   = /var/lib/mysql/ca.pem
ssl_cert = /var/lib/mysql/server-cert.pem
ssl_key  = /var/lib/mysql/server-key.pem
# Reject every non-TLS TCP connection (Unix socket and shared-memory connections count as secure)
require_secure_transport = ON
```

```sql
-- Require TLS per user (enforced even if require_secure_transport is later turned off)
ALTER USER 'app_user'@'%' REQUIRE SSL;

-- Or require a specific cipher
ALTER USER 'app_user'@'%' REQUIRE CIPHER 'ECDHE-RSA-AES256-GCM-SHA384';

-- Verify TLS is active on the current session: an empty value means plaintext
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

Binary Log Encryption

```ini
[mysqld]
# Requires the keyring plugin (MySQL 8.0.14+). Binary AND relay logs are encrypted,
# but only files created after the setting takes effect; earlier log files stay in
# plaintext, so purge or protect them.
binlog_encryption = ON
```
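The sections above each add one or two options to my.cnf, and a missing keyring line silently defeats all of them at startup. The following script is an added example (Python, not code from JusDB or MySQL) that audits a my.cnf for the keyring plugin, default_table_encryption, redo/undo encryption, binlog_encryption, the TLS material and require_secure_transport, and flags the points a reviewer would raise. The two configuration texts are constructed for the demo; the option names are MySQL's. A keyring component (8.0.24+) is configured through a manifest file rather than my.cnf, so only plugin-based keyrings loaded with early-plugin-load are visible to it.

```python
"""Audit a my.cnf for the at-rest and in-transit encryption settings (added example)."""
import re

# [mysqld] options that must be ON, and what stays exposed when they are not.
REQUIRED_ON = {
    "default_table_encryption": "new tables and tablespaces are created unencrypted",
    "innodb_redo_log_encrypt": "redo log carries recent row changes in plaintext",
    "innodb_undo_log_encrypt": "undo log carries row before-images in plaintext",
    "binlog_encryption": "binary and relay logs replay every commit in plaintext",
    "require_secure_transport": "clients may still connect over plaintext TCP",
}
WEAK_TLS = {"tlsv1", "tlsv1.1"}   # removed in MySQL 8.0.28; weak where still accepted


def normalize_name(name):
    """MySQL treats dashes and underscores in option names as equivalent."""
    return name.strip().lower().replace("-", "_")


def is_on(value):
    """MySQL boolean options accept ON/1/TRUE (case-insensitive)."""
    return value is not None and value.strip().upper() in ("ON", "1", "TRUE")


def parse_mycnf(text):
    """Return {section: {option: value}}. Bare options (no '=') get ''. Last occurrence wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":          # comment lines and !include directives
            continue
        line = line.split("#", 1)[0].strip()      # '#' may also start a trailing comment
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        key, sep, value = line.partition("=")
        sections[current][normalize_name(key)] = value.strip().strip("\"'") if sep else ""
    return sections


def audit_mysqld(sections):
    """Return (severity, option, message) findings for the [mysqld] section."""
    mysqld = sections.get("mysqld", {})
    findings = []
    plugins = mysqld.get("early_plugin_load", "")
    if "keyring_" not in plugins:
        findings.append(("high", "early_plugin_load",
                         "no keyring plugin loaded early; tablespace, redo/undo and "
                         "binlog encryption cannot start without a keyring"))
    elif "keyring_file" in plugins:
        findings.append(("info", "early_plugin_load",
                         "keyring_file stores the master key on the database host; "
                         "fine for test, use a KMS-backed keyring in production"))
    for opt, exposure in REQUIRED_ON.items():
        if not is_on(mysqld.get(opt)):
            findings.append(("high", opt, f"not ON: {exposure}"))
    if "skip_ssl" in mysqld:
        findings.append(("critical", "skip_ssl", "TLS is disabled on the server"))
    for opt in ("ssl_ca", "ssl_cert", "ssl_key"):
        if not mysqld.get(opt):
            findings.append(("medium", opt, "not set; server falls back to auto-generated "
                             "files in datadir, so pin the paths clients verify against"))
    versions = {v.strip().lower() for v in mysqld.get("tls_version", "").split(",") if v.strip()}
    if versions & WEAK_TLS:
        findings.append(("medium", "tls_version",
                         f"permits {sorted(versions & WEAK_TLS)}; allow only TLSv1.2 and TLSv1.3"))
    return findings


def audit_text(text):
    return audit_mysqld(parse_mycnf(text))


def options_flagged(findings):
    return {opt for _, opt, _ in findings}


# Constructed sample: a default-ish my.cnf with nothing from this guide applied.
WEAK_CNF = """
[client]
socket = /var/run/mysqld/mysqld.sock

[mysqld]
datadir = /var/lib/mysql
require-secure-transport = OFF    # dash form; MySQL accepts it
tls_version = TLSv1.1,TLSv1.2
ssl_cert = /var/lib/mysql/server-cert.pem   # CA path not pinned
ssl_key  = /var/lib/mysql/server-key.pem
"""

# Constructed sample: the settings from this guide applied.
HARDENED_CNF = """
[mysqld]
datadir = /var/lib/mysql
early-plugin-load = keyring_file.so
keyring_file_data = /var/lib/mysql-keyring/keyring
default_table_encryption = ON
innodb_redo_log_encrypt = ON
innodb_undo_log_encrypt = ON
binlog_encryption = ON
ssl_ca   = /var/lib/mysql/ca.pem
ssl_cert = /var/lib/mysql/server-cert.pem
ssl_key  = /var/lib/mysql/server-key.pem
require_secure_transport = ON
tls_version = TLSv1.2,TLSv1.3
"""

if __name__ == "__main__":
    for label, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(f"== {label} ==")
        for severity, option, message in audit_text(cnf):
            print(f"[{severity:8}] {option}: {message}")
```

Run it against a real file with audit_text(open("/etc/my.cnf").read()); the weak sample produces eight findings, the hardened one only the informational note about keyring_file.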

Encrypt Data in MySQL with AES_ENCRYPT

```sql
-- Application-level encryption for specific columns.
-- The default block_encryption_mode is aes-128-ecb: no IV, equal plaintexts give equal
-- ciphertexts, and only 16 key bytes are used. Pick an IV-based mode and a raw binary key.
SET SESSION block_encryption_mode = 'aes-256-cbc';
SET @key = UNHEX(SHA2('my-secret-key', 256));   -- 32 raw bytes, not the 64-char hex string
SET @iv  = RANDOM_BYTES(16);                    -- fresh per row; stored next to the ciphertext

-- Assumes an extra column ssn_iv VARBINARY(16) alongside ssn_encrypted
INSERT INTO users (email, ssn_encrypted, ssn_iv)
VALUES ('user@example.com', AES_ENCRYPT('123-45-6789', @key, @iv), @iv);

SELECT AES_DECRYPT(ssn_encrypted, @key, ssn_iv) AS ssn
FROM users WHERE email = 'user@example.com';
-- The key literal travels in the statement text (general log, slow log, client history):
-- supply it from the application or a KMS rather than hard-coding it in SQL.
```
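Why the form of the key string matters is easy to see once you know how MySQL prepares AES keys: the supplied bytes are XOR-folded into a zeroed buffer of the mode's key length (my_aes_create_key in mysys/my_aes.cc). The script below is an added example in Python (not code from the original post, and not MySQL's source); fold_key() re-implements that fold for illustration and the passphrase is a constructed demo value. It shows that the 64-character hex string returned by SHA2(..., 256), fed to the default aes-128-ecb mode, leaves at most 80 bits of key entropy, while UNHEX(SHA2(..., 256)) into an aes-256 mode keeps all 32 bytes intact. On 8.0.30+ the kdf_name argument of AES_ENCRYPT (hkdf, pbkdf2_hmac) is the supported way to derive a key from a passphrase.

```python
"""MySQL AES_ENCRYPT key folding, re-implemented to show the cost of a hex-string key (added example)."""
import hashlib
import math

HEX_DIGITS = b"0123456789abcdef"   # the only byte values a SHA2(..., 256) hex string contains


def fold_key(key_str: bytes, key_len: int) -> bytes:
    """XOR-fold key_str into key_len bytes (16 for aes-128-*, 32 for aes-256-*),
    mirroring MySQL's my_aes_create_key. Re-implementation for illustration only."""
    rkey = bytearray(key_len)
    for i, b in enumerate(key_str):
        rkey[i % key_len] ^= b
    return bytes(rkey)


def reachable_values_per_byte(chars_per_byte: int) -> set:
    """All byte values the XOR of chars_per_byte ASCII hex digits can produce."""
    reachable = {0}
    for _ in range(chars_per_byte):
        reachable = {v ^ c for v in reachable for c in HEX_DIGITS}
    return reachable


def hex_key_entropy_bound(hex_len: int = 64, key_len: int = 16) -> float:
    """Upper bound, in bits, on the entropy of a folded key built from a hex string.
    With 64 hex chars into 16 bytes, each folded byte is the XOR of 4 hex digits:
    its high bit is always 0 and its high nibble is 0 or 5, so only 32 values occur."""
    per_byte = reachable_values_per_byte(hex_len // key_len)
    return key_len * math.log2(len(per_byte))


def compare_keys(passphrase: str = "my-secret-key") -> dict:
    """Constructed demo: the two key forms from the SQL above, as MySQL would fold them."""
    digest = hashlib.sha256(passphrase.encode()).digest()   # what UNHEX(SHA2(p, 256)) yields
    hex_key = digest.hex().encode()                         # what SHA2(p, 256) yields: 64 ASCII bytes
    return {
        # SHA2 hex string into the default aes-128-ecb: 64 chars folded 4-to-1 into 16 bytes
        "hex_into_aes128": fold_key(hex_key, 16),
        "hex_into_aes128_bits": hex_key_entropy_bound(64, 16),
        # UNHEX(SHA2(...)) into an aes-256-* mode: 32 raw bytes pass through unchanged
        "raw_into_aes256": fold_key(digest, 32),
        "raw_unchanged": fold_key(digest, 32) == digest,
    }


if __name__ == "__main__":
    result = compare_keys()
    print("folded hex key   :", result["hex_into_aes128"].hex())
    print("entropy bound    :", result["hex_into_aes128_bits"], "bits of a nominal 128")
    print("raw key unchanged:", result["raw_unchanged"])
```

Every byte of the folded hex key has its top bit clear, which is the visible trace of the lost entropy; the raw 32-byte key survives the fold byte for byte.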

Key Takeaways

  • Enable InnoDB tablespace encryption with the keyring plugin for at-rest protection
  • Set require_secure_transport = ON to reject unencrypted connections
  • Encrypt binary logs when they contain sensitive data
  • Use application-level AES_ENCRYPT for column-level sensitivity, but manage keys externally

JusDB Can Help

Database encryption must be layered across storage, transport, and application. JusDB security engineers can audit and harden your MySQL deployment.
