
maria-developers team mailing list archive

Re: Rotating from encry

 

Hi Jan,

1) Rotating encrypted => unencrypted is definitely supported;
in my latest version the TODO is removed... (hope you have a recent enough
version)

2) Thanks for the testcase! It did indeed reveal a bug with the "encrypted =>
unencrypted => encrypted" sequence.

Attaching fix.

Let me know if it fixes your version of the testcase (I've used a modified version
since e.g. we don't have per-table settings...)

/Jonas


On Fri, May 15, 2015 at 1:23 PM, Jan Lindström <jan.lindstrom@xxxxxxxxxxx>
wrote:

> Hi,
>
> At fil0crypt.cc there is
>
> fil_crypt_needs_rotation(uint key_version, const key_state_t *key_state)
> {
>     // TODO(jonaso): Add support for rotating encrypted => unencrypted
>
>     if (key_version == 0 && key_state->key_version != 0) {
>         /* this is rotation unencrypted => encrypted
>         * ignore rotate_key_age */
>         return true;
>     }
>
> Thus it is not clear to me whether the support for rotating encrypted =>
> unencrypted is really missing or not; furthermore, see the attached test case
> for this,
>
> encrypted + insert + grep : ok
> encrypted => unencrypted + grep: ok
> unencrypted => encrypted + grep: not ok
>
> R: Jan
>
diff --git a/storage/innobase/fil/fil0crypt.cc b/storage/innobase/fil/fil0crypt.cc
index 33ebb01..83a7bd0 100644
--- a/storage/innobase/fil/fil0crypt.cc
+++ b/storage/innobase/fil/fil0crypt.cc
@@ -1387,6 +1387,12 @@ fil_crypt_start_rotate_space(
 			key_state->key_version;
 
 		crypt_data->rotate_state.start_time = time(0);
+
+		if (crypt_data->type == CRYPT_SCHEME_UNENCRYPTED &&
+		    key_state->key_version != 0) {
+			/* this is rotation unencrypted => encrypted */
+			crypt_data->type = CRYPT_SCHEME_1;
+		}
 	}
 
 	/* count active threads in space */
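
Review bot: the new write `crypt_data->type = CRYPT_SCHEME_1;`, placed right after `crypt_data->rotate_state.start_time = time(0);`, changes per-tablespace state in a function that goes on to count active threads, and nothing in the hunk shows which lock covers it; please confirm this block already runs with the crypt_data lock held, or say so in the comment. The change also handles only one direction: when `key_state->key_version` is 0 and the type is still `CRYPT_SCHEME_1`, nothing here sets the type back to `CRYPT_SCHEME_UNENCRYPTED`, so the comment should state where the encrypted => unencrypted transition updates `type`. The patch carries no test either; the modified "encrypted => unencrypted => encrypted" testcase mentioned in the message should go in with it as a regression test.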