maria-discuss team mailing list archive
Re: procedure to change database encryption with file_key_management plugin?
On Feb 22, obsa@xxxxx wrote:
> Encryption key management
> MariaDB encryption supports multiple encryption keys, they are
> identified by a key identifier — a 32-bit integer. To support
> automatic key rotation every key additionally might have different
> versions. XtraDB and InnoDB can automatically re-encrypt the data from
> an older to a newer version of the same key. But how different keys
> are stored and rotated depends on the key management solution that you
> but for this plugin
> This plugin does not support key rotation — all keys always have the
> version 1.
> So I understand that I can't rotate the keys similar to what the AWS plugin provides.
> But if I need to change the key at any time, either just its encrypted form
> &/or the 'master'
> What's the procedure to re-key all the encrypted tables?
> Do I need to
> (1) stop the server
> (2) manually decrypt each table with its old key
> (3) reencrypt each table with the new key
> (4) restart the server
Without key rotation, there's no automatic way, unfortunately.
A, perhaps, more convenient approach could be:
(1) add new key to the keys.txt - with a different ID.
(2) restart the server
(3) do ALTER TABLE...ENCRYPTION_KEY_ID=xxx for every encrypted table to
switch it to the new key.
Another possibility would be to add key rotation support to the
It is easier than it sounds - this plugin is quite simple.
Chief Architect MariaDB
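
The three-step re-keying procedure from the reply above, sketched as SQL. This is an added example, not part of the original message or of MariaDB's own tooling. It assumes the old key has ID 1, the new key was added to keys.txt as ID 2, the server has already been restarted, and tables are file-per-table InnoDB with plain names.

```sql
-- Assumed IDs (not from the thread): old key 1, new key 2.
-- keys.txt must already contain a line of the form
--   2;<hex-encoded key>        (placeholder, supply your own key)
-- and the server must have been restarted so the plugin loaded it.
SET @old_key_id = 1;
SET @new_key_id = 2;

-- Step 1: list the tablespaces that are still encrypted with the old key.
-- ENCRYPTION_SCHEME = 1 means the tablespace is encrypted.
SELECT NAME, CURRENT_KEY_ID
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE ENCRYPTION_SCHEME = 1
  AND CURRENT_KEY_ID = @old_key_id;

-- Step 2: generate one ALTER TABLE per table found above.
-- NAME has the form 'schema/table'. Rows without a '/' (for example the
-- system tablespace) and partition tablespaces ('#P#') are skipped here
-- because they are not switched with a per-table ALTER on that name.
-- NAME uses filename encoding, so tables whose names contain special
-- characters need their statements written by hand.
SELECT CONCAT(
         'ALTER TABLE `', SUBSTRING_INDEX(NAME, '/', 1), '`.`',
         SUBSTRING_INDEX(NAME, '/', -1),
         '` ENCRYPTION_KEY_ID=', @new_key_id, ';'
       ) AS stmt
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE ENCRYPTION_SCHEME = 1
  AND CURRENT_KEY_ID = @old_key_id
  AND NAME LIKE '%/%'
  AND NAME NOT LIKE '%#%';

-- Step 3: review and run the generated statements, then check what is left.
-- Each ALTER rebuilds the table, so plan for the I/O and locking this causes.
-- Anything still listed here depends on the old key, so keep that key in
-- keys.txt while rows remain.
SELECT NAME, CURRENT_KEY_ID
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE ENCRYPTION_SCHEME = 1
  AND CURRENT_KEY_ID = @old_key_id;
```

Backups and replicas taken before the switch still hold pages encrypted with the old key, so the old key has to be retained for as long as those copies may need to be restored.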