hi sergei,
On Thu, Feb 22, 2018, at 11:57 AM, Sergei Golubchik wrote:
> Without key rotation, there's no automatic way, unfortunately.
:-/
> A, perhaps, more convenient approach could be:
>
> (1) add new key to the keys.txt - with a different ID.
> (2) restart the server
> (3) do ALTER TABLE...ENCRYPTION_KEY_ID=xxx for every encrypted table to
> switch it to the new key.
That 'conveinence' assumes that you've got single, or a very few, keys in play.
For more/many keys, especially when you start getting per-table keys, it starts
getting in-convenient fast.
And more importantly, very end-user error-prone!
> Another possibility would be to add key rotation support to the
> file_key_management plugin.
That'd be useful. Or a different plugin altogether.
Depends on the answer to the question:
Are there any non-commercial/FOSS, offline key-rotation capable key
management plugins? I.e., specifically not AWS' ?
In the same way that having encryption-ready mariadb-backup *from* MariaDB is
really valuable, having a non-3rd-party encryption management solution is
similarly valuable/important.
Ideally, (easily) integrated with soft/inexpensive HSM. Eventually.
> It is easier than it sounds - this plugin is quite simple.
famous last words ;-)
_______________________________________________
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help : https://help.launchpad.net/ListHelp
