MariaDB's encryption plugins provide transparent data encryption (TDE) for stored data, securing tablespaces and logs to protect sensitive information and meet compliance.
The AWS KMS Encryption Plugin (aws_key_management) integrates with Amazon Web Services (AWS) KMS.
The AWS KMS Encryption Plugin (aws_key_management) allows you to:
Use AWS KMS to manage MariaDB's encryption keys.
Encrypt MariaDB data using those keys, including:
Rotate encryption keys.
Additional information is available here.
This page is: Copyright © 2025 MariaDB. All rights reserved.
MariaDB Enterprise Server and MariaDB Community Server support data-at-rest encryption, which secures data on the file system. The server and storage engines encrypt data before writing and decrypt during reads, ensuring that the data is only unencrypted when accessed directly through the server.
They support multiple encryption plugins, which are suited for different use cases.
• It integrates with HashiCorp Vault • It supports key rotation • It securely communicates with the remote KMS using TLS.
• It integrates with AWS KMS. • It supports key rotation. • It must be compiled from source.
• stores encryption keys in a local plain-text key file. • The plain-text key file can be encrypted. • It does not support key rotation.
Supported by MariaDB Enterprise Server
Yes
Yes
Yes
Supported by MariaDB Community Server
No
Yes
Yes
Supports key rotation
Yes
Yes
No
This page is: Copyright © 2025 MariaDB. All rights reserved.