Hi, obsa!

On Feb 22, o...@mm.st wrote:
>
> Encryption key management
>
> MariaDB encryption supports multiple encryption keys, they are
> identified by a key identifier — a 32-bit integer. To support
> automatic key rotation every key additionally might have different
> versions. XtraDB and InnoDB can automatically re-encrypt the data from
> an older to a newer version of the same key. But how different keys
> are stored and rotated depends on the key management solution that you
> choose.
>
> but for this plugin
>
> file_key_management
> This plugin does not support key rotation — all keys always have the
> version 1.
>
> So I understand that I can't rotate the keys similar to what the AWS plugin
> provides.
>
> But if I need to change the key at any time, either just its encrypted form
> &/or the 'master'
>
> What's the procedure to re-key all the encrypted tables?
>
> Do I need to
> (1) stop the server
> (2) manually decrypt each table with its old key
> (3) reencrypt each table with the new key
> (4) restart the server
> ?

Without key rotation, there's no automatic way, unfortunately.
A, perhaps, more convenient approach could be:

(1) add new key to the keys.txt - with a different ID.
(2) restart the server
(3) do ALTER TABLE...ENCRYPTION_KEY_ID=xxx for every encrypted table
    to switch it to the new key.

Another possibility would be to add key rotation support to the
file_key_management plugin. It is easier than it sounds - this plugin is
quite simple.

Regards,
Sergei
Chief Architect MariaDB
and secur...@mariadb.org
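
Step (3) of the reply above, as an added example that is not part of the original thread: it uses information_schema.INNODB_TABLESPACES_ENCRYPTION to find the tables still on the old key, generates the ALTER TABLE statements, and checks the result. The key IDs 1 (old) and 2 (new) are assumed values for illustration.

```sql
-- Added example, not from the thread. Assumed values: tables currently use
-- key ID 1, and a new key with ID 2 was added to keys.txt (one
-- "<id>;<hex-encoded key>" entry per line) before the server restart.
SET @old_key_id = 1;
SET @new_key_id = 2;

-- 1. List encrypted file-per-table tablespaces still on the old key.
--    NAME is "schema/table"; partitions appear as "schema/table#P#part".
SELECT NAME, CURRENT_KEY_ID
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE ENCRYPTION_SCHEME = 1            -- 1 = encrypted, 0 = not encrypted
  AND CURRENT_KEY_ID = @old_key_id
  AND NAME LIKE '%/%';                 -- skips the system tablespace

-- 2. Generate one ALTER TABLE per table (partitions collapse to their
--    parent table). Review the output before running it: names containing
--    special characters are stored in an encoded form (e.g. "@002d" for
--    "-") and must be corrected by hand.
SELECT DISTINCT CONCAT(
         'ALTER TABLE `', SUBSTRING_INDEX(NAME, '/', 1), '`.`',
         SUBSTRING_INDEX(SUBSTRING_INDEX(NAME, '/', -1), '#', 1),
         '` ENCRYPTION_KEY_ID=', @new_key_id, ';') AS stmt
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE ENCRYPTION_SCHEME = 1
  AND CURRENT_KEY_ID = @old_key_id
  AND NAME LIKE '%/%';

-- 3. After running the generated statements, confirm nothing is left
--    on the old key. Expected result: 0.
SELECT COUNT(*) AS still_on_old_key
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE ENCRYPTION_SCHEME = 1
  AND CURRENT_KEY_ID = @old_key_id
  AND NAME LIKE '%/%';
```

The old key entry has to stay in keys.txt for as long as anything is still encrypted with it.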