this post was submitted on 14 Sep 2025
24 points (92.9% liked)
Sysadmin
11452 readers
14 users here now
A community dedicated to the profession of IT Systems Administration
No generic Lemmy issue posts please! Posts about Lemmy belong in one of these communities:
!lemmy@lemmy.ml
!lemmyworld@lemmy.world
!lemmy_support@lemmy.ml
!support@lemmy.world
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Connection encryption is pretty low on the list of priorities for database security. Proper accounts and rights management is far more important.
SQL traffic shouldn't really run over anything but short LAN links. Ideally separated from other stuff entirely, but just not spewed over your whole LAN, and really not over the Internet at all.
TLS is good, yes, but unless you're also validating those certs they don't mean much. Client certs would be even better.
Some compliance measures (PCI DSS 4, HIPAA) mandate encryption in transit and none penalize it, so making any of that easier and less error-prone seems like a step in the right direction.
TLS is good *only' if you are also validating those certs. And that is what MariaDB 11.8 is now doing.
The cloud, and any form of managed database, inverts this. User accounts are extremely easy, as they are automatically provisioned with secrets you can easily rotate, along with the database itself. There is less of a worry about user rights as well, as you can dedicate one "instance" of a database to certain types of data, instead of having more than one database within one instance.
And then, traffic is commonly going to be routed through untrusted networks, hence the desire for encryption in transit.