I want to encrypt sensitive data in certain database tables (in my case MariaDB). But I have some questions:
1. How should the encryption keys be stored, for example in files?
I.e. it is clear that you can just drop them on disk, but if access is compromised, the key leaks together with the database.
I think it is probably more correct, before starting the database, to connect to some remote network resource (a folder) that holds the key, start the database, and after startup unmount that share. Is that the right idea?
2. The manual seems to say that you can use AWS KMS, but here too it is unclear what happens when intruders have access to the server along with the access key. Or does AWS KMS have some kind of protection on the number of requests for the key and/or a time limit? Sorry, I have never worked with KMS.
3. How do things stand with replication of encrypted data? Does the slave use the same key as the master?
PS. This is about the standard encryption done by the database itself, not encryption in SQL queries.
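An added example from the editor, not part of the original question and not MariaDB's own code: it shows the key file format read by MariaDB's file_key_management plugin (one `<key_id>;<hex key>` line per key), writes such a file with owner-only permissions, validates it on the way back in, and emits the `[mysqld]` settings that turn on table, log and binlog encryption with that plugin. The helper names (`generate_keys`, `parse_key_lines`, `demo`, ...) are hypothetical, the temp directory stands in for a real path, and the handling of `#` comment lines is an assumption about the format.

```python
"""Key file for MariaDB's file_key_management plugin: one key per line,
"<key_id>;<hex key>".  Added illustration, not from the original post;
helper names are hypothetical, comment handling is an assumption."""
import os
import re
import secrets
import stat
import tempfile
from pathlib import Path

KEY_LINE = re.compile(r"^(\d+);([0-9A-Fa-f]+)$")
VALID_KEY_BYTES = {16, 24, 32}    # 128-, 192- or 256-bit AES keys
MAX_KEY_ID = 2**32 - 1            # key ids are 32-bit unsigned integers


def generate_keys(key_ids=(1,), key_bytes=32):
    """Return {key_id: hex_key} with fresh keys from the OS CSPRNG."""
    if key_bytes not in VALID_KEY_BYTES:
        raise ValueError("key length must be 16, 24 or 32 bytes")
    return {kid: secrets.token_hex(key_bytes).upper() for kid in key_ids}


def write_key_file(path, keys):
    """Write the key file readable only by its owner (the mysql user)."""
    path = Path(path)
    # Create the file with 0600 from the start so it is never briefly
    # readable by other local users.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for kid in sorted(keys):
            f.write(f"{kid};{keys[kid]}\n")
    return path


def parse_key_lines(lines):
    """Validate key-file lines and return {key_id: hex_key}.

    Rejects malformed lines, wrong key lengths, ids out of range and
    duplicates; key id 1 must exist because it is the default key for
    InnoDB tables and log encryption.  Assumption: blank lines and lines
    starting with '#' are treated as comments and skipped.
    """
    keys = {}
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected '<id>;<hex key>'")
        kid, hexkey = int(m.group(1)), m.group(2).upper()
        if kid > MAX_KEY_ID:
            raise ValueError(f"line {lineno}: key id {kid} out of range")
        if len(hexkey) % 2 or len(hexkey) // 2 not in VALID_KEY_BYTES:
            raise ValueError(f"line {lineno}: key must be 128/192/256 bits")
        if kid in keys:
            raise ValueError(f"line {lineno}: duplicate key id {kid}")
        keys[kid] = hexkey
    if 1 not in keys:
        raise ValueError("key id 1 (the default key) is missing")
    return keys


def parse_key_file(path):
    """parse_key_lines() plus a check that nobody but the owner can read it."""
    path = Path(path)
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: mode {mode:o} lets others read the keys")
    return parse_key_lines(path.read_text().splitlines())


def my_cnf_fragment(key_file):
    """[mysqld] settings that enable encryption with the file key plugin.

    file_key_management_filekey is deliberately not set here: MariaDB
    documents that the key file may itself be AES-encrypted and the
    passphrase passed in that option (or as FILE:/path), which is what keeps
    the plaintext keys off the database host's disk.
    """
    return "\n".join([
        "[mysqld]",
        "plugin_load_add = file_key_management",
        f"file_key_management_filename = {key_file}",
        "file_key_management_encryption_algorithm = AES_CTR",
        "innodb_encrypt_tables = ON",
        "innodb_encrypt_log = ON",
        "encrypt_binlog = ON",
        "aria_encrypt_tables = ON",
    ])


def demo():
    """Round trip in a private temp dir; returns what was written and read back."""
    keys = generate_keys(key_ids=(1, 2))
    kf = write_key_file(Path(tempfile.mkdtemp()) / "keys.txt", keys)
    return {"keys": keys, "parsed": parse_key_file(kf),
            "mode": stat.S_IMODE(kf.stat().st_mode),
            "cnf": my_cnf_fragment(kf)}


if __name__ == "__main__":
    print(my_cnf_fragment(demo()["cnf"] and "/etc/mysql/keys.txt"))
```

The permission check and the 0600 creation matter because, as the question notes, anyone who can read the data directory can read a plaintext key file next to it; the settings in `my_cnf_fragment` cover the InnoDB tablespaces, redo log, binary log and Aria tables, since an encrypted table with an unencrypted binlog or redo log still leaks rows.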