When communicating between database client and database server it is possible to encrypt the contents of the messages. This makes it possible to securely pass sensitive data over the network. It also ensures that messages are not manipulated by someone else as the messages are transferred over the network.
The encryption uses AES-GCM (Advanced Encryption Standard - Galois/Counter Mode). This is an authenticated encryption algorithm designed to provide both data authenticity (integrity) and confidentiality. This means that the data is protected from eavesdroppers, and that any tampering with the data is detected.
Each session has its own unique session key. The keys are not reused, so two encrypted sessions with the same content appear completely different.
The following options are supported:
- None. No network encryption is used. This is primarily used over non-public networks where the network infrastructure is protected.
- AES-GCM, optional. In this mode all clients are accepted. Newer clients with support for encryption use encryption, while older clients will communicate without encryption.
- AES-GCM, required. In this mode all network connections are encrypted. Clients that do not support encryption are rejected at login with error code -18531.
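The AES-GCM properties described above, shown as an added Go example (not the product's own code or wire format): every session gets its own key, identical content encrypts to different bytes, and a frame changed in transit is rejected. The `Session` type, the randomly generated key and the nonce || ciphertext || tag framing are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Session wraps AES-GCM under a key that belongs to one session only.
type Session struct{ aead cipher.AEAD }

func NewSession() (*Session, error) {
	key := make([]byte, 32) // assumption: random 256-bit key; real key agreement not shown
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Session{aead: aead}, err
}

// Seal frames one message as nonce || ciphertext || tag, with a fresh random nonce.
func (s *Session) Seal(msg []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, msg, nil), nil
}

// Open verifies the authentication tag and only then returns plaintext.
func (s *Session) Open(frame []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(frame) < n {
		return nil, fmt.Errorf("frame shorter than %d-byte nonce", n)
	}
	return s.aead.Open(nil, frame[:n], frame[n:], nil)
}

func main() {
	s, _ := NewSession()
	frame, _ := s.Seal([]byte("SELECT salary FROM staff")) // constructed sample message
	frame[len(frame)-1] ^= 0x01                            // one bit changed in transit
	_, err := s.Open(frame)
	fmt.Println("tampered frame rejected:", err != nil)
}
```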