MySQL & MariaDB Encryption

Baffle's Data Protection Services simplifies tokenization and encryption of data in MySQL without any application code changes and virtually no performance overhead.

Customers may struggle when trying to protect sensitive data in a MySQL or MariaDB database. Currently there are only two options for data at rest encryption at the MySQL database level: MariaDB 10.1.3+ support encryption (using Google patch) and InnoDB tablespace level encryption (available in MySQL 5.7.11+ with Percona Server 5.7.11).

There is no method available to tokenize or encrypt data at the field level in such a database, much less decrypt it as needed. Meanwhile, more MySQL data is being stored in cloud database platforms like AWS Aurora, which uses a very scalable and performant serverless implementation of MySQL.

Data security regulations such as HIPAA, PCI and other regulations has also increased the need for more robust options that are not available in the default MySQL server implementation.

Without data-centric protection at the field level, attackers can easily get access to data as evidenced by the continued onslaught of data breaches. Yet, implementing such security measures can be time consuming,costly and difficult to enable.

Baffle's Data Protection Services simplifies tokenization and encryption of data in MySQL and MariaDB without any application code changes and virtually no performance overhead. The solution includes dynamic key management and the ability to protect sensitive data in databases at a column-level granularity.

Invisible to the front-end application, Baffle sits underneath the SQL interface layer and enables organizations to use their own encryption keys to apply AES encryption to the data as it is interoperating with the database tier.

Customers have been incredibly impressed with the low to no performance overhead of Baffle's solution and the ease with which it integrates and supports cloud native services.

Baffle also supports headless deployments via Docker images.  If you’d prefer to deploy via a Docker image and get up and running quickly.  Please email [email protected].

Data Protection Services

Enterprises continue to battle cybersecurity threats such as ransomware, as well as breaches and losses of their data assets in public and private clouds. New data management restrictions and considerations on how it must be protected have changed how data is stored, retrieved and analyzed.

Baffle’s aim is to render data breaches and data losses irrelevant by assuming that breaches will happen. We provide a last line of defense by ensuring that unprotected data is never available to an attacker. Our data protection solutions protect data as soon as it is produced and keep it protected even while it is being processed.

Baffle's transparent data security mesh for both on-premises and cloud data offers several data protection modes. Capabilities include:

Protect data on the fly as it moves from a source data store to a cloud database or object storage, ensuring safe consumption of sensitive data by downstream applications


De-identify and tokenize data using Format Preserving Encryption (FPE) or deterministic encryption modes

Data-centric protection at the field or record level in data stores secures the actual data values

Simplified dynamic data masking plus role-based access control to control who can see what data. Irreversible static masking to devalue data for test/dev environments or production clones

No-code field or row-level encryption in Postgres, MySQL, Snowflake, Amazon Redshift, Microsoft SQL Server, Kafka, and more

Encrypt files and de-identify data in cloud data lakes to enable AI and privacy-preserving analytics

Provides an off-the-shelf BYOK service for SaaS vendors to support multiple customer-owned keys in multi-tenant environments

REST API Data Protection Services

Easily deploy tokenization and data protection service for virtually any application or data store

Define which systems, users or groups can access data stores and dynamically entitle who can see what data

Run AI and ML algorithms against encrypted data without ever decrypting the underlying values. Baffle DPS supports any mathematical operation on encrypted data in memory and in process

Multi-party data sharing without compromising privacy. Allow multiple parties to submit data with a HYOK model and allow aggregate analytics to execute on co-mingled data stores

Enable secure sharing of data across multiple parties without revealing private values to other participants

Schedule a live demo with one of our solutions experts to get answers to your questions