This is nice for those tired of wrestling with TLS certs and CAs for your database

  • frongt@lemmy.zip · ↑ 9 · 1 day ago

    Connection encryption is pretty low on the list of priorities for database security. Proper accounts and rights management is far more important.

    SQL traffic shouldn’t really run over anything but short LAN links. Ideally separated from other stuff entirely, but just not spewed over your whole LAN, and really not over the Internet at all.

    TLS is good, yes, but unless you’re also validating those certs they don’t mean much. Client certs would be even better.

    • pcn@lemmy.world · ↑ 4 · 1 day ago

      Some compliance measures (PCI DSS 4, HIPAA) mandate encryption in transit and none penalize it, so making any of that easier and less error-prone seems like a step in the right direction.

    • Otto@programming.dev (OP) · ↑ 2 · 1 day ago

      TLS is good *only* if you are also validating those certs. And that is what MariaDB 11.8 is now doing.

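What "validating those certs" (frongt's point above, and the behaviour Otto says MariaDB 11.8 now turns on) actually buys you, as an added example that is not from this thread, from MariaDB, or from its release notes, written against Go's standard library: an in-memory CA issues a server certificate for a hypothetical db.corp.example, an unrelated CA issues an impostor certificate carrying the same name, and six loopback handshakes compare a client that encrypts but verifies nothing (InsecureSkipVerify, the equivalent of a database client given no CA to check against), a client that verifies issuer and hostname, and mutual TLS where the server also demands a CA-issued client certificate. The CA names, hostnames and certificates are all made up for the example; nothing is read from or written to disk.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)
func must[T any](v T, err error) T { // demo helper: any failure aborts the run
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a short-lived ECDSA certificate for name, signed by parent; with a nil parent it is a self-signed CA.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a root must be allowed to sign leaves
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func keyPair(c *x509.Certificate, k *ecdsa.PrivateKey) []tls.Certificate {
	return []tls.Certificate{{Certificate: [][]byte{c.Raw}, PrivateKey: k}}
}

// handshake runs one TLS handshake over loopback TCP; nil means both sides accepted the peer.
func handshake(srvCfg, cliCfg *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw := must(ln.Accept())
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		srvErr <- tls.Server(raw, srvCfg).Handshake()
	}()
	raw := must(net.Dial("tcp", ln.Addr().String()))
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	if err := tls.Client(raw, cliCfg).Handshake(); err != nil {
		return err // the client rejected the server
	}
	return <-srvErr // the server's verdict, which matters once it demands a client cert
}

type Outcome struct{ Scenario string; Err error } // Err is nil when the connection was accepted

// Run plays each posture against a hypothetical db.corp.example server and returns the outcomes in order.
func Run() []Outcome {
	ca, caKey := issue("corp-root-ca.example", nil, nil)
	rogueCA, rogueKey := issue("rogue-ca.example", nil, nil)
	dbCert, dbKey := issue("db.corp.example", ca, caKey)
	fakeCert, fakeKey := issue("db.corp.example", rogueCA, rogueKey) // right name, wrong issuer
	appCert, appKey := issue("app.corp.example", ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	genuine := &tls.Config{Certificates: keyPair(dbCert, dbKey)}
	impostor := &tls.Config{Certificates: keyPair(fakeCert, fakeKey)}
	mutual := &tls.Config{Certificates: keyPair(dbCert, dbKey), ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots}
	unverified := &tls.Config{InsecureSkipVerify: true} // encrypts, but trusts any certificate at all
	verified := &tls.Config{RootCAs: roots, ServerName: "db.corp.example"}
	wrongName := &tls.Config{RootCAs: roots, ServerName: "other.corp.example"}
	withClientCert := &tls.Config{RootCAs: roots, ServerName: "db.corp.example", Certificates: keyPair(appCert, appKey)}
	return []Outcome{
		{"unverified client, impostor server", handshake(impostor, unverified)},
		{"verified client, genuine server", handshake(genuine, verified)},
		{"verified client, impostor server", handshake(impostor, verified)},
		{"verified client, wrong server name", handshake(genuine, wrongName)},
		{"mutual TLS, client sends no cert", handshake(mutual, verified)},
		{"mutual TLS, client sends CA-issued cert", handshake(mutual, withClientCert)},
	}
}

func main() {
	for _, o := range Run() {
		fmt.Printf("%-42s accepted=%-5t %v\n", o.Scenario, o.Err == nil, o.Err)
	}
}
```

The first scenario is the one the thread warns about: the impostor's certificate is accepted, the session is encrypted, and the encryption protects nothing because the other end could be anyone. The verified client rejects the same certificate (unknown authority) and also rejects the genuine certificate when it was connecting to a different name, which is why hostname checking has to be part of "validating". The last two rows are the client-certificate posture frongt calls better still: the server only completes the handshake with a client that can prove it holds a CA-issued identity. In the MariaDB command-line client the corresponding knobs are --ssl-ca together with --ssl-verify-server-cert for the verified posture, and --ssl-cert/--ssl-key for presenting a client certificate.
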
    • moonpiedumplings@programming.dev · ↑ 1 ↓ 1 · edited · 18 hours ago

      The cloud, and any form of managed database, inverts this. User accounts are extremely easy, as they are automatically provisioned with secrets you can easily rotate, along with the database itself. There is less of a worry about user rights as well, as you can dedicate one “instance” of a database to certain types of data, instead of having more than one database within one instance.

      And then, traffic is commonly going to be routed through untrusted networks, hence the desire for encryption in transit.