This is a read-only copy of the MariaDB Knowledgebase generated on 2025-05-07. For the latest, interactive version please visit https://mariadb.com/kb/.

Created: 3 months ago
Modified: 1 day, 16 hours ago
Type: article
Status: active
License: Copyright © 2025 MariaDB

Attachments

No attachments exist

Choosing an Encryption Plugin

Overview

Overview

MariaDB Enterprise Server and MariaDB Community Server support data-at-rest encryption, which secures data on the file system. The server and storage engines encrypt data before writing and decrypt during reads, ensuring that the data is only unencrypted when accessed directly through the server.

They support multiple encryption plugins, which are suited for different use cases.

Encryption Plugin	Description
HashiCorp Vault	• It integrates with HashiCorp Vault • It supports key rotation • It securely communicates with the remote KMS using TLS.
Amazon Web Services (AWS) KMS	• It integrates with AWS KMS. • It supports key rotation. • It must be compiled from source.
File Key Management	• stores encryption keys in a local plain-text key file. • The plain-text key file can be encrypted. • It does not support key rotation.

Feature	HashiCorp Vault	Amazon Web Services (AWS) KMS	File Key Management\
Supported by MariaDB Enterprise Server	Yes	Yes	Yes
Supported by MariaDB Community Server	No	Yes	Yes
Supports key rotation	Yes	Yes	No

Content reproduced on this site is the property of its respective owners, and this content is not reviewed in advance by MariaDB. The views, information and opinions expressed by this content do not necessarily represent those of MariaDB or any other party.

↑ Encryption Plugins ↑
Understanding the Amazon Web Services (AWS) KMS Encryption Plugin
Choosing an Encryption Plugin

Choosing an Encryption Plugin

Contents

Overview

Products

Solutions

Resources

Company

Pricing

Download MariaDB