Why MySQL Internal Encryption Functions are Not Sufficient

Home / open source DBMS / MariaDB Encryption / Why MySQL Internal Encryption Functions are Not Sufficient

DBMS Internal Encryption Functions vs. Professional DB Encryption Solutions

When we apply encryption to the database, we can choose from the following two options. One option is to apply encryption packages which are provided by the DBMS internally, and the other option is to apply database encryption via solutions provided by a professional database encryption enterprise. DBMS by Oracle and Microsoft provides an internal encryption package called TDE (Transparent Data Encryption), and MySQL also provides internal encryption functions and compression functions.

By applying database encryption by using an internal encryption package provided by the DBMS, it could be convenient for the user to apply. However not only is convenience important when considering database encryption, but also actual the protection of the personal information. It is the common opinion of security professionals that encryption functions provided only by the DBMS are insufficient for safe protection of personal information. This is no exception for MySQL internal encryption functions.

Why MySQL Internal Encryption Functions are not Sufficient

1. MySQL Internal Encryption Algorithms are not Safe

MySQL provides many algorithms such as AES, DES, SHA-1 and MD5 algorithms. Among these algorithms, MD5 and SHA-1 are proven to be not safe as they have been cracked. Also, for AES algorithms, the current MySQL 5.6 version generally available provides only the ECB operation mode which is also proven to be unsafe.

2. MySQL Internal Encryption Functions does not Provide Key Management

When encrypting data, not only is the encryption itself important, but also managing key is important. The importance of the key cannot be stressed strongly enough when encryption matters. Most encryption solutions however do not pay much attention to the key. When using MySQL internal encryption functions, the key is exposed to the source, thus no proper key management exists.

Here is an example of a source code:

INSERT into userc (name, town) VALUES ('john',AES_ENCRYPT('nebraska', 'usa2010'));
SELECT CAST(AES_DECRYPT(town, 'usa2010') AS CHAR(50)) town_decrypt from userc;

You can see that the key ‘usa2010’ is exposed in the command.

3. Access Control of Users is Difficult

For proper access control of personal information the IP address, MAC address, and access time should be controlled. By applying MySQL internal encryption functions only, it is hard to provide proper access control.

4. With MySQL Internal Encryption Functions, Query Modifications are Needed

You might think that it is easy to apply encryption with MySQL internal encryption functions. But in practice, you must modify the application excessively to implement encryption by this method. This is because query modification is needed in internal encryption functions of MySQL. In other words, the encryption function must be inserted into the query so that the data could be encrypted when it goes into the storage engine. Applying query modification can be a great burden in the implementation to the DB encryption system.

What MyDiamo Provides

1. MyDiamo Provides Column-Level EncryptionUsing Trusted Standard Encryption Algorithms

MyDiamo provides only safe and trusted standard encryption algorithms and operation modes. Also, users can choose which algorithm or operation mode to use according to their needs. The following is the encryption algorithms and operation modes supported by MyDiamo:

  • Supported encryption algorithms: AES (128bit), TDES (168bit), Blowfish (128bit), RC4
  • Supported operation modes: CBC, CFB, CFB_BYTE, RC4

2. MyDiamo Provides Safe Key Management

MyDiamo provides key management by its key manager program. It is no use encrypting the data unless the key is safe; therefore MyDiamo solves this problem by implementing proper hierarchical key management.

mydiamo_key_manager mydiamo_key_hierarchy
<Fig 1. MyDiamo key manager> <Fig 2. MyDiamo key hierarchy>

3. MyDiamo Provides Access Control and Auditing Functions

To protect the data safely, access control and audit functions for monitoring users that work with encrypted columns is necessary. MyDiamo provides the following functions:

  • Access control for encrypted columns (Per each IP Address & DB User)
  • Audit log for encrypted columns
  • Security policy backup & restore

4. MyDiamo Doesn’t Require Query Modifications

MyDiamo uses engine-level encryption method. This means that MyDiamo operates parallel to the DBMS engine.

diagram shows engine-level-encryption in the DBMS process

<Fig 3. Engine-level encryption>

When the query is sent to storage engine, it goes through the MyDiamo encryption engine. If the query is related to a column that is set to be encrypted, the encryption engine automatically encrypts the data when it goes into the storage engine and decrypts the data when it comes out. This way query doesn’t need to be modified. Thus, it is relatively easy to implement MyDiamo for DB encryption.


As mentioned above, MySQL internal encryption functions are not sufficient enough to apply proper security for database encryption. Not only encryption, but access control, key management, and auditing functions should also be implemented for secure DB encryption. MySQL internal encryption functions may seem convenient to apply but for proper data protection, a professional database encryption solution is needed—and MyDiamo can provide you with just that.

Comprehensive encryption security for open source databases. We provide transparent and column-level encryption, key management, and access control and auditing for MySQL, MariaDB, and PerconaDB.
Related Posts