maria-discuss team mailing list archive

Re: Key lengths for file_key_management plugin


Hi, Honza!

On Jul 19, Honza Horak wrote:
> On 07/15/2016 11:31 AM, Sergei Golubchik wrote:
> >
> > On Jul 14, Honza Horak wrote:
> >> I've asked directly in the documentation page, but maybe someone will
> >> know answer here:
> >> https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/#comment_2346
> >>
> >> In that article it is said that 128, 192 or 256-bit keys are
> >> supported, but later AES_CTR and AES_CBC modes talk only about
> >> 128bit keys. What piece of information am I missing?
> >
> > The article says "the plugin will use AES with the 128-bit keys in
> > the CTR mode for encrypting tablespace pages".
> >
> > Because tablespace pages are always encrypted with a 128-bit
> > tablespace key. Which is different for every tablespace and it is
> > generated from the user-specified key, which might be 128-, 192-, or
> > 256-bit.
> >
> > Temporary files and binary logs are encrypted directly with the
> > user-specified key of a user-specified length.
> Thanks for the answer, but one more question to make sure I understand
> it correctly -- in case of choosing CBC mode, 128 keys are used only
> for tablespace pages or also for temporary files and binary logs?

Depends on your keys that you've specified in a file. Say, if you've put
192-bit keys there, then 192-bit keys will be used to encrypt temporary
files and binary logs. And a 192-bit key will be used to generate a
128-bit tablespace key, which in turn will be used to encrypt a tablespace.
It does not depend on the mode, CBC or CTR.