← Back to team overview

maria-discuss team mailing list archive

Re: procedure to change database encryption with file_key_management plugin?


Hi, obsa!

On Feb 22, obsa@xxxxx wrote:
> Encryption key management
>   MariaDB encryption supports multiple encryption keys, they are
>   identified by a key identifier — a 32-bit integer. To support
>   automatic key rotation every key additionally might have different
>   versions. XtraDB and InnoDB can automatically re-encrypt the data from
>   an older to a newer version of the same key. But how different keys
>   are stored and rotated depends on the key management solution that you
>   choose.
> but for this plugin
> file_key_management
>   This plugin does not support key rotation — all keys always have the
>   version 1.
> So I understand that I can't rotate the keys similar to what the AWS plugin provides.
> But if I need to change the key at any time, either just its encrypted form
> &/or the 'master'
> What's the procedure to re-key all the encrypted tables?
> Do I need to 
>  (1) stop the server
>  (2) manually decrypt each table with its old key
>  (3) reencrypt each table with the new key
>  (4) restart the server
> ?

Without key rotation, there's no automatic way, unfortunately.

A, perhaps, more convenient approach could be:

 (1) add new key to the keys.txt - with a different ID.
 (2) restart the server
 (3) do ALTER TABLE...ENCRYPTION_KEY_ID=xxx for every encrypted table to
     switch it to the new key.

Another possibility would be to add key rotation support to the
file_key_management plugin.
It is easier than it sounds - this plugin is quite simple.

Chief Architect MariaDB
and security@xxxxxxxxxxx

Follow ups