maria-discuss team mailing list archive
Message #05031
Re: procedure to change database encryption with file_key_management plugin?
Hi, obsa!
On Feb 22, obsa@xxxxx wrote:
>
> Encryption key management
>
> MariaDB encryption supports multiple encryption keys, they are
> identified by a key identifier — a 32-bit integer. To support
> automatic key rotation every key additionally might have different
> versions. XtraDB and InnoDB can automatically re-encrypt the data from
> an older to a newer version of the same key. But how different keys
> are stored and rotated depends on the key management solution that you
> choose.
>
> but for this plugin
>
> file_key_management
> This plugin does not support key rotation — all keys always have the
> version 1.
>
> So I understand that I can't rotate the keys similar to what the AWS plugin provides.
>
> But if I need to change the key at any time, either just its encrypted form
> &/or the 'master'
>
> What's the procedure to re-key all the encrypted tables?
>
> Do I need to
> (1) stop the server
> (2) manually decrypt each table with its old key
> (3) re-encrypt each table with the new key
> (4) restart the server
> ?
Without key rotation, there's no automatic way, unfortunately.
A perhaps more convenient approach could be:
(1) add a new key to the keys.txt - with a different ID.
(2) restart the server
(3) do ALTER TABLE...ENCRYPTION_KEY_ID=xxx for every encrypted table to
switch it to the new key.
Another possibility would be to add key rotation support to the
file_key_management plugin.
It is easier than it sounds - this plugin is quite simple.
Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx
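The three steps above, worked through as an added example that is not code from the thread or from the plugin. It assumes the documented keys.txt layout of one `<key_id>;<hex key>` entry per line (key IDs 1..2^32-1, keys of 128/192/256 bits) and that the per-table `CURRENT_KEY_ID` is read from `information_schema.INNODB_TABLESPACES_ENCRYPTION`; the keys and table list below are constructed samples.

```python
import re
import secrets

# Constructed sample keys.txt for the file_key_management plugin.
SAMPLE_KEYS_TXT = """# default key
1;770A8A65DA156D24EE2A093277530142
2;14D4B3AE6B6A52E3A6E8B7F5C3D2E1F0A1B2C3D4E5F60718293A4B5C6D7E8F90
"""

VALID_KEY_HEX_LENGTHS = {32, 48, 64}   # AES-128 / AES-192 / AES-256


def parse_keys(text):
    """Return {key_id: hex_key}; reject bad IDs, bad key lengths and duplicate IDs."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"(\d+);([0-9A-Fa-f]+)", line)
        if not m:
            raise ValueError(f"line {lineno}: expected '<id>;<hex key>'")
        key_id, hexkey = int(m.group(1)), m.group(2).upper()
        if not 1 <= key_id < 2**32:   # 32-bit key identifier, 0 is not usable
            raise ValueError(f"line {lineno}: key id out of range")
        if len(hexkey) not in VALID_KEY_HEX_LENGTHS:
            raise ValueError(f"line {lineno}: key must be 128/192/256 bits")
        if key_id in keys:
            raise ValueError(f"line {lineno}: duplicate key id {key_id}")
        keys[key_id] = hexkey
    return keys


def add_key(keys, bits=256):
    """Step (1): add a fresh random key under an unused ID; the old key stays."""
    new_id = max(keys) + 1
    updated = dict(keys)
    updated[new_id] = secrets.token_hex(bits // 8).upper()
    return new_id, updated


def rekey_statements(tables, old_id, new_id):
    """Step (3): one ALTER TABLE per table still encrypted under old_id.
    `tables` is a list of (schema, table, current_key_id) tuples, as you would
    collect from INNODB_TABLESPACES_ENCRYPTION (NAME, CURRENT_KEY_ID)."""
    return [f"ALTER TABLE `{s}`.`{t}` ENCRYPTION_KEY_ID={new_id};"
            for s, t, kid in tables if kid == old_id]
```

Step (2), the restart, happens between writing the updated file and running the statements; only once no tablespace still reports the old `CURRENT_KEY_ID` is it safe to drop the old entry from keys.txt, since the server needs it to read pages not yet re-encrypted.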