From c0ecb222d2371463e0edbbba83e4672c6d10576b Mon Sep 17 00:00:00 2001
From: Daniel Winzen
Date: Wed, 1 Dec 2021 00:28:38 +0100
Subject: [PATCH] Enable innodb encryption and compression
---
 README.md | 9 +++++++++
 etc/mysql/mariadb.conf.d/manual_settings.cnf | 17 +++++++++++++++++
 2 files changed, 26 insertions(+)
diff --git a/README.md b/README.md
index a052dfe..ec8489c 100644
--- a/README.md
+++ b/README.md
@@ -38,6 +38,15 @@ Note that debian also has an onion service package archive, so you may want to e
 deb tor://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian `lsb_release -cs` main
 ```
+Create encryption keys for mariadb
+```
+mkdir -p /etc/mysql/encryption/
+echo "1;"$(openssl rand -hex 32) > /etc/mysql/encryption/keyfile
+openssl rand -hex 128 > /etc/mysql/encryption/keyfile.key
+openssl enc -aes-256-cbc -md sha1 -pass file:/etc/mysql/encryption/keyfile.key -in /etc/mysql/encryption/keyfile -out /etc/mysql/encryption/keyfile.enc
+rm /etc/mysql/encryption/keyfile
+```
+
 Copy (and modify according to your needs) the site files in `var/www` to `/var/www`, `usr/local` to `/usr/local` and the configuration files in `etc` to `/etc` after installation has finished. Then restart some services:
 ```
 systemctl daemon-reload && systemctl restart bind9.service && systemctl restart tor@default.service
diff --git a/etc/mysql/mariadb.conf.d/manual_settings.cnf b/etc/mysql/mariadb.conf.d/manual_settings.cnf
index 22a628f..fe3a67d 100644
--- a/etc/mysql/mariadb.conf.d/manual_settings.cnf
+++ b/etc/mysql/mariadb.conf.d/manual_settings.cnf
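Review bot: The key files created by the new README commands inherit the caller's umask, so with the usual 022 the plaintext `keyfile` and the password file `keyfile.key` are world-readable from the moment they are written (the plaintext until its `rm`, the password file permanently), and nothing hands them to the system user the database runs as (`mysql` on Debian), which must be able to read `keyfile.key` and `keyfile.enc`. Prefix the block with `umask 077` and finish it with `chown -R mysql:mysql /etc/mysql/encryption && chmod 0700 /etc/mysql/encryption && chmod 0600 /etc/mysql/encryption/keyfile.*`; `shred -u` in place of `rm` is worth considering on filesystems where overwriting the plaintext is meaningful. A one-sentence caveat in the README would also help readers set expectations: because `keyfile.key` sits beside `keyfile.enc`, this protects data against offline reads of a copied disk or backup, not against an attacker who can already read files as the mysql user on the running host.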
@@ -25,3 +25,20 @@ aria_sort_buffer_size = 8M
 open_files_limit = 100000
 bind_address = 127.0.0.1
 sql_mode=ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
+plugin_load_add = file_key_management
+loose_file_key_management_filename = /etc/mysql/encryption/keyfile.enc
+loose_file_key_management_filekey = FILE:/etc/mysql/encryption/keyfile.key
+loose_file_key_management_encryption_algorithm = AES_CTR
+innodb_encrypt_tables = FORCE
+innodb_encrypt_temporary_tables = ON
+innodb_encrypt_log = ON
+encrypt_tmp_files = ON
+encrypt_tmp_disk_tables = ON
+enforce_storage_engine = InnoDB
+encrypt_binlog=ON
+innodb_compression_default=ON
+innodb_compression_algorithm=zlib
+innodb_rollback_on_timeout=1
+innodb_lock_wait_timeout=5
+binlog_row_image = minimal
+binlog_format = ROW
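Review bot: The new settings encrypt InnoDB tablespaces, the redo log, temporary files, on-disk temp tables and the binlog, but `aria_encrypt_tables` is not set, so Aria-backed data stays in plaintext on disk — and on MariaDB 10.4 and later that includes the `mysql.*` system tables, which `enforce_storage_engine = InnoDB` does not reach because it only governs user-created tables. Add `aria_encrypt_tables = ON` next to `innodb_encrypt_tables = FORCE`. Two further points to confirm: `innodb_encryption_threads` keeps its default of 0 here, which as I read the documentation means tablespaces that already exist when this config is applied are not encrypted in the background (only newly created ones are), so a value such as `innodb_encryption_threads = 4` is needed unless the data directory is fresh; and the `loose_` prefix on the four `file_key_management_*` lines makes the server ignore them if the plugin fails to load, which is convenient for a portable config but means a missing plugin surfaces only as a later InnoDB startup error rather than an unknown-variable error at parse time.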