Enable innodb encryption and compression

README.md

@@ -38,6 +38,15 @@ Note that debian also has an onion service package archive, so you may want to e
 deb tor://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian `lsb_release -cs` main
 ```
 
+Create encryption keys for mariadb
+```
+mkdir -p /etc/mysql/encryption/
+echo "1;"$(openssl rand -hex 32) > /etc/mysql/encryption/keyfile
+openssl rand -hex 128 > /etc/mysql/encryption/keyfile.key
+openssl enc -aes-256-cbc -md sha1 -pass file:/etc/mysql/encryption/keyfile.key -in /etc/mysql/encryption/keyfile -out /etc/mysql/encryption/keyfile.enc
+rm /etc/mysql/encryption/keyfile
+```
+
 Copy (and modify according to your needs) the site files in `var/www` to `/var/www`, `usr/local` to `/usr/local`  and the configuration files in `etc` to `/etc` after installation has finished. Then restart some services:
 ```
 systemctl daemon-reload && systemctl restart bind9.service && systemctl restart tor@default.service

etc/mysql/mariadb.conf.d/manual_settings.cnf

@@ -25,3 +25,20 @@ aria_sort_buffer_size = 8M
 open_files_limit = 100000
 bind_address = 127.0.0.1
 sql_mode=ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
+plugin_load_add = file_key_management
+loose_file_key_management_filename = /etc/mysql/encryption/keyfile.enc
+loose_file_key_management_filekey = FILE:/etc/mysql/encryption/keyfile.key
+loose_file_key_management_encryption_algorithm = AES_CTR
+innodb_encrypt_tables = FORCE
+innodb_encrypt_temporary_tables = ON
+innodb_encrypt_log = ON
+encrypt_tmp_files = ON
+encrypt_tmp_disk_tables = ON
+enforce_storage_engine = InnoDB
+encrypt_binlog=ON
+innodb_compression_default=ON
+innodb_compression_algorithm=zlib
+innodb_rollback_on_timeout=1
+innodb_lock_wait_timeout=5
+binlog_row_image = minimal
+binlog_format = ROW