Some users would like to have internal details of MariaDB's data-at-rest encryption documented. For example:

InnoDB

• When is InnoDB data encrypted? Is a page encrypted when it is flushed to disk?

Answer:

InnoDB pages are encrypted when they are written to disk.

• When is InnoDB data decrypted? Is a page decrypted when it is read into the buffer pool? If so, are all of the pages in the buffer pool always in their decrypted form?

Answer:

InnoDB pages are decrypted when they read from disk and before they are put into the buffer pool. Page will be in its decrypted form in memory as long as it is in the buffer pool and that page could contain columns, rows and even tables that queries do not even use.

Aria

Information about Aria is still needed. That information might have to come from serg or monty.

• When is Aria data encrypted?

• When is Aria data decrypted?

Binary Logs and Relay Logs

• When is an event encrypted?

Events are encrypted when they are written to the IO_CACHE, regardless of whether the IO_CACHE is in memory or on disk (whether it is in memory or on disk depends on the transaction size and the values of binlog_cache_size/binlog_stmt_cache_size). This means that events are encrypted even before they are written to the physical binary log or relay log file.

• When is an event decrypted?

Events are decrypted as they are read if a START_ENCRYPTION_EVENT is encountered in the binary log or relay log. In encrypted binary logs *and* relay logs, this START_ENCRYPTION_EVENT is the second event in the log file, right after the FORMAT_DESCRIPTION_EVENT.