Ubuntu has built in home folder encryption similar to OSX. I always turn on this feature on both OSs and have never experienced any perceptible performance hit. This guide shows one approach to migrating the MySQL data directory into the encrypted home folder on Ubuntu 14.04.
Caveats:
The only system user allowed to access the encrypted home folder is the user that owns that folder (eg your user). For this approach to work, MySQL must run under the same user that you login as. The service must be started after you login to the desktop. That can be automated by creating a script that gets triggered by the ‘Startup Applications’ program.
Configuration changes:
# stop mysql $ sudo service mysql stop # backup mysql data folder and config file $ sudo cp /var/lib/mysql /var/lib/mysql_backup $ sudo cp /etc/mysql/my.cnf /etc/mysql/my.cnf_backup # move mysql data folder $ sudo mv /var/lib/mysql /home/youruser/mysql # change ownership of folder $ sudo chown -R youruser /home/youruser/mysql # config changes to my.cnf $ sudo vi /etc/mysql/my.cnf
Changes to my.cnf:
- socket = /home/youruser/mysql/mysqld.sock (there will be multiples)
- pid-file = /home/youruser/mysql/mysql.pid
- user = youruser
- datadir = /home/youruser/mysql
- log_error = /home/youruser/mysql/mysql_error.log
# start mysql $ sudo service mysql start # test everything out... # when you are sure it is working $ sudo rm -rf /var/lib/mysql_backup
Why encrypt the MySQL data directory?
Computer equipment, particularly laptops, are stolen all the time. As a developer, your machine probably contains dozens of sensitive passwords, api keys, ssh keys and so forth. Most are probably dev accounts, but a few live passwords might be floating around too. For this reason I keep all my files in the encrypted home folder (as it is meant to be).
A potentially huge source of sensitive information are local databases on your machine. The degree to which a dev database should be locked down really depends on the nature of the business. Talk to your manager about it if you are unsure.
What I like about this solution is, since the entire data folder is encrypted, it works going forward automatically for any new databases. This technique is not unique to MySQL, all database platforms allow storing data in a user defined location.
Is Ubuntu’s encryption of the home folder bullet proof?
See the following links for more information:
http://www.linux-mag.com/id/7568/
http://security.stackexchange.com/questions/41368/is-encrpyting-home-sufficient
https://help.ubuntu.com/community/EncryptedHome
Nothing is likely to stop serious hackers or the NSA. However, putting sensitive data into the encrypted home folder is a reasonable precaution a professional should be expected take.
Saying –
“My laptop was stolen which contained all customer email addresses… *sorry*.”
Sounds MUCH worse than –
“My laptop was stolen and the data was encrypted with AES 128-bit encryption making it very very unlikely anybody, including computer experts, small nation states and powerful corporations will be able to access anything.”
What about using a cloud database for development?
Hosting your dev database in the cloud keeps sensitive data off your machine. This option is becoming increasingly affordable. Depending on latency to the cloud it can slow down day to day development work. If you do use cloud servers for development, make sure to connect over an encrypted connection! Otherwise everything that goes back and forth can be eavesdropped on. A VPN, SSH Tunnel, or MySQL SSL connection will do the trick.