hi sergei,

On Thu, Feb 22, 2018, at 11:57 AM, Sergei Golubchik wrote:
> Without key rotation, there's no automatic way, unfortunately.

:-/

> A, perhaps, more convenient approach could be:
>
> (1) add new key to the keys.txt - with a different ID.
> (2) restart the server
> (3) do ALTER TABLE...ENCRYPTION_KEY_ID=xxx for every encrypted table to
> switch it to the new key.

That 'convenience' assumes that you've got a single, or a very few, keys in play. For more/many keys, especially when you start getting per-table keys, it starts getting inconvenient fast. And more importantly, very end-user error-prone!

> Another possibility would be to add key rotation support to the
> file_key_management plugin.

That'd be useful. Or a different plugin altogether.

Depends on the answer to the question: Are there any non-commercial/FOSS, offline key-rotation capable key management plugins? I.e., specifically not AWS' ?

In the same way that having encryption-ready mariadb-backup *from* MariaDB is really valuable, having a non-3rd-party encryption management solution is similarly valuable/important. Ideally, (easily) integrated with soft/inexpensive HSM. Eventually.

> It is easier than it sounds - this plugin is quite simple.

famous last words ;-)

_______________________________________________
Mailing list: https://launchpad.net/~maria-discuss
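The manual procedure quoted above (new key in keys.txt, restart, ALTER TABLE per encrypted table) is where the error-proneness with many keys comes in; the following is an added example, not part of the original thread or of MariaDB, that generates the step (3) statements and refuses any table whose target key is missing or malformed in keys.txt. The function names, the old-to-new key mapping and all sample data are hypothetical and constructed, and it assumes the table list was read from information_schema.INNODB_TABLESPACES_ENCRYPTION.

```python
import re

# Constructed sample of a file_key_management keys.txt: "<id>;<hex key>" per line.
SAMPLE_KEYS_TXT = """\
# old keys
1;00112233445566778899aabbccddeeff
2;ffeeddccbbaa99887766554433221100
# new keys added in step (1)
11;0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
12;not-hex
"""

# Constructed rows (schema, table, current key id); assumed to come from
# information_schema.INNODB_TABLESPACES_ENCRYPTION (NAME, CURRENT_KEY_ID).
SAMPLE_TABLES = [("shop", "orders", 1), ("shop", "cust`omers", 2), ("hr", "payroll", 3)]

KEY_LINE = re.compile(r"^(\d+);([0-9a-fA-F]+)$")

def parse_key_ids(text):
    """Return the set of key IDs that carry a well-formed 128/192/256-bit hex key."""
    ids = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.match(line)
        if m and len(m.group(2)) in (32, 48, 64):
            ids.add(int(m.group(1)))
    return ids

def quote_ident(name):
    """Backtick-quote an identifier, doubling any embedded backtick."""
    return "`" + name.replace("`", "``") + "`"

def plan_rekey(tables, mapping, keys_text):
    """Build step (3) statements; report tables whose target key is unusable."""
    available = parse_key_ids(keys_text)
    statements, problems = [], []
    for schema, table, current in tables:
        new = mapping.get(current)
        if new is None:
            problems.append(f"{schema}.{table}: no new key mapped for key {current}")
        elif new not in available:
            problems.append(f"{schema}.{table}: key {new} missing or malformed in keys.txt")
        else:
            target = f"{quote_ident(schema)}.{quote_ident(table)}"
            statements.append(f"ALTER TABLE {target} ENCRYPTION_KEY_ID={new};")
    return statements, problems
```

Running the statements only when the problem list is empty keeps a half-finished re-key from leaving tables on a key that is about to be retired.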