I've built
mysqld -V
mysqld Ver 10.2.14-MariaDB-log for Linux on x86_64 (Source
distribution)
I'm setting up encryption, following
https://mariadb.com/kb/en/library/encryption/
https://mariadb.com/kb/en/library/data-at-rest-encryption/
I created my key file
openssl rand -hex 32
b650adbc0c5df1bc3e766b4b65f26dc76c76ed81b955bbedaf50e1d4e16fc732
/etc/mariadb/keys.txt
1;b650adbc0c5df1bc3e766b4b65f26dc76c76ed81b955bbedaf50e1d4e16fc732
encrypted it
openssl enc -aes-256-cbc -k 'test_passphrase' -md sha1 -in
/etc/mariadb/keys.txt -out /etc/mariadb/keys.enc
verified it
openssl aes-256-cbc -d -md sha1 -k 'test_passphrase' -in
/etc/mariadb/keys.enc
1;b650adbc0c5df1bc3e766b4b65f26dc76c76ed81b955bbedaf50e1d4e16fc732
I've enabled "everything" encryption using that keyfile
[mysqld]
plugin_dir=/opt/mariadb/lib/plugin
plugin-load-add=file_key_management
file-key-management
file_key_management_encryption_algorithm=aes_ctr
file_key_management_filekey = 'test_filekey'
file_key_management_filename = /etc/mariadb/enc/keys.enc
aria-encrypt-tables = 1
encrypt-binlog = 1
encrypt-tmp-disk-tables = 1
encrypt-tmp-files = 1
innodb_default_encryption_key_id = 1
innodb-encrypt-log = off
innodb-encrypt-tables = on
innodb-encryption-threads = 4
innodb-tablespaces-encryption = 1
verified the plugin loads
mysql -e "show plugins;" | grep ENC
INNODB_TABLESPACES_ENCRYPTION ACTIVE INFORMATION SCHEMA NULL
BSD
file_key_management ACTIVE ENCRYPTION
file_key_management.so GPL
on startup it looks like it starts up ok
2018-02-21 13:01:29 139729003899072 [Note] InnoDB: 5.7.21 started; log
sequence number 7206290786
2018-02-21 13:01:29 139729003899072 [Note] InnoDB: Creating #1
encryption thread id 139727810316032 total threads 4.
2018-02-21 13:01:29 139729003899072 [Note] InnoDB: Creating #2
encryption thread id 139727801923328 total threads 4.
2018-02-21 13:01:29 139727818708736 [Note] InnoDB: Loading buffer
pool(s) from /home/data/db/ib_buffer_pool
2018-02-21 13:01:29 139729003899072 [Note] InnoDB: Creating #3
encryption thread id 139727793530624 total threads 4.
2018-02-21 13:01:29 139729003899072 [Note] InnoDB: Creating #4
encryption thread id 139727785137920 total threads 4.
2018-02-21 13:01:29 139727818708736 [Note] InnoDB: Buffer pool(s) load
completed at 180222 13:01:29
2018-02-21 13:01:29 139729003899072 [Note] Using encryption key id 1
for temporary files
2018-02-21 13:01:29 139729003899072 [Note] Server socket created on
IP: '127.0.0.1'.
2018-02-21 13:01:29 139729003899072 [Note] Reading of all Master_info
entries succeded
2018-02-21 13:01:29 139729003899072 [Note] Added new Master_info '' to
hash table
2018-02-21 13:01:29 139729003899072 [Note] /opt/mariadb/bin/mysqld:
ready for connections.
Version: '10.2.14-MariaDB-log' socket:
'/var/cache/mariadb/mariadb.sock' port: 3306 Source distribution
and verified table encryption
mysql -e "SELECT * FROM
INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION;"
+-------+--------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+----------------------+
| SPACE | NAME                     | ENCRYPTION_SCHEME | KEYSERVER_REQUESTS | MIN_KEY_VERSION | CURRENT_KEY_VERSION | KEY_ROTATION_PAGE_NUMBER | KEY_ROTATION_MAX_PAGE_NUMBER | CURRENT_KEY_ID | ROTATING_OR_FLUSHING |
+-------+--------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+----------------------+
|  1375 | mysql/gtid_slave_pos     |                 1 |                  1 |               1 |                   1 |                     NULL |                         NULL |              1 |                    0 |
|  1465 | mysql/innodb_index_stats |                 1 |                  1 |               1 |                   1 |                     NULL |                         NULL |              1 |                    0 |
|  1466 | mysql/innodb_table_stats |                 1 |                  1 |               1 |                   1 |                     NULL |                         NULL |              1 |                    0 |
| 18999 | testdata/table0001       |                 1 |                  0 |               1 |                   1 |                     NULL |                         NULL |              1 |                    0 |
...
|     0 | innodb_system            |                 1 |                  1 |               1 |                   1 |                     NULL |                         NULL |              1 |                    0 |
+-------+--------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+----------------------+
reading
Encryption key management
MariaDB encryption supports multiple encryption keys, they are
identified by a key identifier — a 32-bit integer. To support automatic key
rotation every key additionally might have different versions. XtraDB and
InnoDB can automatically re-encrypt the data from an older to a newer version
of the same key. But how different keys are stored and rotated depends on the
key management solution that you choose.
but for this plugin
file_key_management
This plugin does not support key rotation — all keys always
have the version 1.
So I understand that I can't rotate the keys similar to what the AWS plugin
provides.
But if I need to change the key at any time, either just its encrypted form
/etc/mariadb/keys.enc
and/or the 'master'
/etc/mariadb/keys.txt
What's the procedure to re-key all the encrypted tables?
Do I need to
(1) stop the server
(2) manually decrypt each table with its old key
(3) reencrypt each table with the new key
(4) restart the server
?
True also for having used multiple keys for global/default, temp tables, and
per-table?
Is there any tool/procedure that automates that?
I suppose that the AWS plugin takes care of that automated-rotation. Is there
another non-commercial/open-source plugin with similar rotation capability?
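As an added example (my own code, not from the post above and not part of MariaDB or its plugin): a stdlib-only Python check for the plaintext key file format used above. It parses `<id>;<hex key>` lines, reports key ids that the server config (innodb_default_encryption_key_id) or existing tablespaces (CURRENT_KEY_ID) reference but the file does not provide, and appends a new key id so a second key can be introduced before any re-keying. The 32-bit id range comes from the docs quoted above; the accepted key sizes (128, 192 or 256 bits) follow MariaDB's documented limits; all function names are mine.

```python
import re
import secrets
from typing import Dict, Iterable, List

# One key per line: "<32-bit key id>;<hex-encoded AES key>" (the plaintext format shown above).
KEY_LINE = re.compile(r"^(\d+);([0-9a-fA-F]+)$")
VALID_HEX_LENGTHS = {32, 48, 64}  # 128-, 192- and 256-bit keys, hex-encoded

# Constructed sample: the single-key file from the post above.
SAMPLE_KEY_FILE = "1;b650adbc0c5df1bc3e766b4b65f26dc76c76ed81b955bbedaf50e1d4e16fc732\n"


def parse_key_file(text: str) -> Dict[int, bytes]:
    """Parse the plaintext key file into {key_id: raw_key}. Rejects malformed lines,
    ids wider than 32 bits, wrong key sizes and duplicate ids, any of which would
    leave the plugin unable to serve that key to the server."""
    keys: Dict[int, bytes] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected '<id>;<hex key>'")
        key_id, hexkey = int(m.group(1)), m.group(2)
        if key_id > 0xFFFFFFFF:
            raise ValueError(f"line {lineno}: key id {key_id} exceeds 32 bits")
        if len(hexkey) not in VALID_HEX_LENGTHS:
            raise ValueError(f"line {lineno}: key {key_id} is {len(hexkey) * 4} bits, "
                             "expected 128, 192 or 256")
        if key_id in keys:
            raise ValueError(f"line {lineno}: duplicate key id {key_id}")
        keys[key_id] = bytes.fromhex(hexkey)
    return keys


def missing_key_ids(text: str, required: Iterable[int]) -> List[int]:
    """Key ids referenced by the config or by existing tablespaces that the file lacks."""
    present = parse_key_file(text)
    return sorted(i for i in set(required) if i not in present)


def add_key(text: str, key_id: int, hexkey: str = "") -> str:
    """Return the file with a new key appended (a random 256-bit key if none is given,
    the same as 'openssl rand -hex 32'), validating the result before returning it."""
    if key_id in parse_key_file(text):
        raise ValueError(f"key id {key_id} already present")
    new_text = text.rstrip("\n") + f"\n{key_id};{hexkey or secrets.token_hex(32)}\n"
    parse_key_file(new_text)  # re-validate the combined file
    return new_text
```

Run it against the decrypted keys.txt before re-encrypting it to keys.enc, passing every CURRENT_KEY_ID from the INFORMATION_SCHEMA output plus the configured default id, so a key the running tablespaces still depend on is never dropped by accident.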
_______________________________________________
Mailing list: https://launchpad.net/~maria-discuss
Post to : [email protected]
Unsubscribe : https://launchpad.net/~maria-discuss
More help : https://help.launchpad.net/ListHelp