Encryption on MediaWiki Servers
This article details the encryption configurations available and recommended for MediaWiki servers. Proper encryption is crucial for protecting sensitive data, including user credentials, edit history, and content itself. This guide is aimed at system administrators and server engineers responsible for maintaining a secure MediaWiki installation.
Overview
Encryption on a MediaWiki server covers several layers: data in transit (connections between users and the server), data at rest (data stored on the server’s disks), and database encryption. Each layer requires different configuration and tools. We will cover each aspect in detail below, focusing on best practices for a secure deployment. It is highly recommended to review our Security best practices page before implementing any of these configurations.
Data in Transit: TLS/SSL Configuration
Protecting data while it is being transmitted between users and the MediaWiki server is paramount. This is achieved with Transport Layer Security (TLS), the successor to the now-deprecated Secure Sockets Layer (SSL); the name "SSL" survives in tool and certificate terminology, but only TLS protocol versions should be enabled.
Here's a breakdown of typical TLS/SSL configurations:
| Parameter | Value |
|---|---|
| Protocol | TLS 1.3 (recommended), TLS 1.2 (minimum) |
| Cipher Suites | ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256 (TLS 1.2 suites; TLS 1.3 uses its own fixed set that needs no configuration) |
| Certificate Authority | Let's Encrypt (recommended), DigiCert, Sectigo |
| Certificate Type | Domain Validated (DV), Organization Validated (OV), Extended Validation (EV) |
It is *strongly* advised to use Let's Encrypt to obtain free, automatically renewing TLS certificates. Configuration typically involves running a client such as `certbot` alongside your web server (Apache or Nginx); see our Web Server Configuration page for details. Always redirect plain HTTP to HTTPS so that no unencrypted connections are served; this is configured in your web server's virtual host settings. Regularly check your TLS configuration with a tool such as the SSL Labs Server Test, since the recommended protocol versions and cipher suites change over time. Furthermore, consider enabling HTTP Strict Transport Security (HSTS) so that browsers which have seen the header refuse to fall back to plain HTTP; note that a long `max-age` is hard to roll back, so test with a short value first. Review the HSTS implementation guide for detailed instructions.
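As an added example (not part of this page or of MediaWiki's own tooling), the following POSIX shell script audits an nginx server block against the baseline in the table above: it flags legacy protocol versions, cipher suites outside the two listed, a missing HSTS header and a missing HTTP-to-HTTPS redirect. Both sample configurations are constructed for illustration and reference no real host.

```shell
#!/bin/sh
# Added example (not MediaWiki's own tooling): audit an nginx TLS server
# block against this page's baseline - TLS 1.2 minimum, the two listed
# ECDHE AES-GCM suites, an HSTS header and an HTTP->HTTPS redirect.
# Prints one finding per line and returns 0 only when nothing is flagged.
audit_tls_config() {
    conf="$1"; rc=0
    # Legacy protocols: SSLv3, TLSv1 or TLSv1.1 anywhere in ssl_protocols.
    if grep -Eq 'ssl_protocols[^;]*(SSLv3|TLSv1(\.1)?)([[:space:];]|$)' "$conf"; then
        echo "FAIL: legacy protocol enabled in ssl_protocols"; rc=1
    fi
    # An explicit ssl_protocols directive must enable TLS 1.2 or 1.3.
    grep -Eq 'ssl_protocols[^;]*TLSv1\.[23]' "$conf" \
        || { echo "FAIL: TLS 1.2/1.3 not explicitly enabled"; rc=1; }
    # Cipher suites: anything outside the recommended list is flagged.
    ciphers=$(sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*\([^;]*\);.*/\1/p' "$conf" | tr -d "\"'")
    for c in $(printf '%s' "$ciphers" | tr ':' ' '); do
        case "$c" in
            ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-AES128-GCM-SHA256) ;;
            *) echo "FAIL: cipher suite outside baseline: $c"; rc=1 ;;
        esac
    done
    grep -Eq 'add_header[[:space:]]+Strict-Transport-Security' "$conf" \
        || { echo "FAIL: no HSTS header"; rc=1; }
    grep -Eq 'return[[:space:]]+301[[:space:]]+https://' "$conf" \
        || { echo "FAIL: no HTTP->HTTPS redirect"; rc=1; }
    return $rc
}
# Constructed samples (no real host): a weak block and one matching the page.
write_weak_config() { cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:RC4-MD5;
}
EOF
}
write_hardened_config() { cat > "$1" <<'EOF'
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}
EOF
}
```

Run `audit_tls_config /etc/nginx/sites-enabled/<your-site>` against your own virtual host; the weak sample above yields five findings, the hardened one none.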
Data at Rest: Disk Encryption
Encrypting the entire disk on which the MediaWiki files and database reside is a crucial step in protecting data at rest. It prevents the data from being read if the server or its disks are stolen, decommissioned or otherwise physically accessed. Note that full disk encryption protects only volumes that are locked (powered off or not yet unlocked); once a volume is unlocked on a running server, its contents are readable by any process or user with file system access, so it complements, rather than replaces, access control on the live system.
The following table outlines common disk encryption options:
| Encryption Method | Description | Considerations |
|---|---|---|
| LUKS (Linux Unified Key Setup) | Standard disk encryption for Linux: a key-management header on top of dm-crypt that supports multiple passphrases (key slots). | Requires careful key management. Bootloader and initramfs configuration is critical for an encrypted root partition. |
| dm-crypt | The kernel's block-level encryption layer, which LUKS uses underneath. | More complex to configure directly than LUKS; plain dm-crypt has no header, so all key handling is manual. |
| File-level encryption (e.g., eCryptfs, EncFS) | Encrypts individual files or directories rather than the block device. | Less protective than full disk encryption: metadata such as file sizes and directory structure stays visible, and anything outside the encrypted directories (swap, temporary files, logs) remains in clear. |
LUKS is the recommended approach for most MediaWiki installations. During server setup, encrypt the root partition and any partitions holding MediaWiki files, uploads or the database, and verify afterwards that those directories are really mounted from the encrypted volumes rather than from a separate unencrypted partition. Use strong passphrases for the encryption keys and store any key material securely (e.g., in an HSM). Plan how encrypted volumes will be unlocked at boot, since an encrypted root partition cannot come up unattended without a passphrase or a remote unlock mechanism. Finally, make sure your Backup and recovery strategy accounts for encrypted disks, including escrow of the keys needed to restore them.
Database Encryption
Protecting the database is paramount, as it contains sensitive information like user credentials and wiki content.
| Database System | Encryption Options | Notes |
|---|---|---|
| MySQL/MariaDB | Transparent Data Encryption (TDE), encryption at rest using file system encryption | TDE requires Enterprise Edition or similar. File system encryption provides broader protection. |
| PostgreSQL | pgcrypto extension, Transparent Data Encryption (TDE) via extensions | pgcrypto allows for encryption of individual columns. |
| SQLite | SQLCipher | Can be used for encrypting the SQLite database file. |
For MySQL/MariaDB, enabling Transparent Data Encryption (TDE) is the preferred method, but for MySQL it typically requires a commercial license; check your edition, as MariaDB's community server ships data-at-rest encryption through its encryption plugins (for example `file_key_management`). Alternatively, relying on file system encryption (LUKS) provides a simpler, though less granular, level of protection. PostgreSQL offers the `pgcrypto` extension for encrypting specific database columns; note that the application must call its functions explicitly, and MediaWiki core does not, so this is relevant mainly to custom extensions or additional tables. For SQLite databases, SQLCipher encrypts the whole database file, but PHP's SQLite driver must be built against SQLCipher rather than stock SQLite for MediaWiki to open it. Regularly review your database server's Database security configuration for best practices. Use strong, unique passwords for database users, grant the MediaWiki database user only the privileges it needs, and restrict network access to the database to the web server hosts and the personnel who require it. Refer to the documentation for your specific database system for detailed encryption instructions.
Key Management
Secure key management is fundamental to the effectiveness of any encryption system.
- **Key Storage:** Do not store encryption keys on the same server as the encrypted data. Consider using a dedicated key management system or a Hardware Security Module (HSM).
- **Key Rotation:** Regularly rotate encryption keys to minimize the impact of a potential key compromise.
- **Access Control:** Restrict access to encryption keys to only authorized personnel.
- **Backup:** Back up encryption keys securely and store them in a separate, highly secure location.
Monitoring and Auditing
Regularly monitor your encryption configurations and audit access to sensitive data. Enable logging for encryption-related events, such as certificate issuance and renewal, TLS handshake failures, LUKS volume unlocks and key retrievals from your key store, and review the logs for unexpected activity. Consider forwarding them to a Security Information and Event Management (SIEM) system to automate monitoring and alerting. Review the Server logs analysis page for more information.
Related Pages
- Security best practices
- Web Server Configuration
- HSTS implementation guide
- Backup and recovery
- Database security configuration
- HSM
- SSL Labs Server Test
- Server logs analysis
- Firewall configuration
- Intrusion detection systems
- Regular security audits
- User account security
- Password policy
- Database schema design
- File permissions