Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

colinlongworth's avatar

Encryption at Rest with Forge - MySQL 8

I recently deployed a database server with MySQL 8 on Hetzner via Forge. However, I want to encrypt the database when at rest. Based on that, I've two questions:

  • Is there a way to specify enabling encryption deployment in Forge?
  • Are there any tutorials for retrospectively enabling encryption?
0 likes
1 reply
LaryAI's avatar
LaryAI
AI
1 year ago
Level 58

To address your questions about enabling encryption at rest for a MySQL 8 database deployed via Laravel Forge, here are some steps and considerations:

1. Enabling Encryption at Deployment with Forge

As of my knowledge cutoff in October 2023, Laravel Forge does not provide a direct option in its interface to enable encryption at rest for MySQL databases during deployment. However, you can manually configure MySQL to use encryption after the server is provisioned.

2. Retrospectively Enabling Encryption

To enable encryption at rest for an existing MySQL 8 database, you can follow these steps:

Step 1: Enable the InnoDB Encryption Feature

First, ensure that the innodb_file_per_table and innodb_encrypt_tables options are enabled in your MySQL configuration file (my.cnf or my.ini).

[mysqld]
innodb_file_per_table=ON
innodb_encrypt_tables=ON

Step 2: Set Up a Keyring Plugin

MySQL requires a keyring plugin to manage encryption keys. You can use the keyring_file plugin for simplicity. Add the following to your MySQL configuration file:

[mysqld]
early-plugin-load=keyring_file.so
keyring_file_data=/var/lib/mysql-keyring/keyring

Make sure the directory /var/lib/mysql-keyring/ exists and is writable by the MySQL user.

Step 3: Restart MySQL

After making changes to the configuration file, restart the MySQL service to apply the changes:

sudo systemctl restart mysql

Step 4: Encrypt Existing Tables

For existing tables, you need to alter them to enable encryption. You can do this with the following SQL command:

ALTER TABLE your_table_name ENCRYPTION='Y';

You can run this command for each table you wish to encrypt.

Step 5: Verify Encryption

To verify that encryption is enabled, you can check the INFORMATION_SCHEMA:

SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
FROM INFORMATION_SCHEMA.TABLES
WHERE CREATE_OPTIONS LIKE '%ENCRYPTION="Y"%';

Additional Considerations

  • Backups: Ensure that your backup strategy accounts for encryption. Encrypted data will remain encrypted in backups.
  • Performance: Encryption can have a performance impact. Monitor your database performance and adjust resources as necessary.
  • Compliance: Ensure that your encryption strategy complies with any relevant data protection regulations.

For more detailed guidance, you may want to refer to the official MySQL documentation on encryption or seek community tutorials specific to your hosting environment.

Please or to participate in this conversation.