maria-discuss team mailing list archive
Mailing list archive
Re: procedure to change database encryption with file_key_management plugin?
On Thu, Feb 22, 2018, at 11:57 AM, Sergei Golubchik wrote:
> Without key rotation, there's no automatic way, unfortunately.
> A, perhaps, more convenient approach could be:
> (1) add new key to the keys.txt - with a different ID.
> (2) restart the server
> (3) do ALTER TABLE...ENCRYPTION_KEY_ID=xxx for every encrypted table to
> switch it to the new key.
That 'conveinence' assumes that you've got single, or a very few, keys in play.
For more/many keys, especially when you start getting per-table keys, it starts getting in-convenient fast.
And more importantly, very end-user error-prone!
> Another possibility would be to add key rotation support to the
> file_key_management plugin.
That'd be useful. Or a different plugin altogether.
Depends on the answer to the question:
Are there any non-commercial/FOSS, offline key-rotation capable key management plugins? I.e., specifically not AWS' ?
In the same way that having encryption-ready mariadb-backup *from* MariaDB is really valuable, having a non-3rd-party encryption management solution is similarly valuable/important.
Ideally, (easily) integrated with soft/inexpensive HSM. Eventually.
> It is easier than it sounds - this plugin is quite simple.
famous last words ;-)