maria-discuss team mailing list archive

Re: procedure to change database encryption with file_key_management plugin?


Hi Sergei,

On Thu, Feb 22, 2018, at 11:57 AM, Sergei Golubchik wrote:
> Without key rotation, there's no automatic way, unfortunately.


> A, perhaps, more convenient approach could be:
>  (1) add new key to the keys.txt - with a different ID.
>  (2) restart the server
>  (3) do ALTER TABLE...ENCRYPTION_KEY_ID=xxx for every encrypted table to
>      switch it to the new key.

That 'convenience' assumes that you've got a single, or a very few, keys in play.

For more/many keys, especially when you start getting per-table keys, it starts getting inconvenient fast.

And more importantly, very end-user error-prone!

> Another possibility would be to add key rotation support to the
> file_key_management plugin.

That'd be useful.  Or a different plugin altogether.

Depends on the answer to the question:

    Are there any non-commercial/FOSS, offline key-rotation capable key management plugins?  I.e., specifically not AWS' ?

In the same way that having encryption-ready mariadb-backup *from* MariaDB is really valuable, having a non-3rd-party encryption management solution is similarly valuable/important.

Ideally, (easily) integrated with soft/inexpensive HSM.  Eventually.

> It is easier than it sounds - this plugin is quite simple.

famous last words ;-)
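
The manual procedure quoted above (new key ID in keys.txt, restart, then ALTER TABLE ... ENCRYPTION_KEY_ID for every table) is where the error-proneness comes from, so the sketch below is an added example, not part of the original message or of MariaDB, that checks the keys file before generating the statements. The function names, the sample keys and the table inventory are constructed for illustration; on a real server the inventory would come from the server's own metadata.

```python
import re

# Constructed sample of a file_key_management keys file: "<id>;<hex key>" per line.
KEYS_TXT = """\
# constructed sample keys, not real secrets
1;00112233445566778899aabbccddeeff
2;ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
"""

# Constructed inventory of encrypted tables: (schema, table, current key ID).
TABLES = [("shop", "orders", 1), ("shop", "audit`log", 1), ("hr", "staff", 2)]

KEY_LINE = re.compile(r"^(\d+);([0-9a-fA-F]+)$")


def parse_key_ids(text):
    """Return the key IDs defined in a keys file; reject malformed lines."""
    ids = set()
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.match(line)
        # 32/48/64 hex digits correspond to 128/192/256-bit keys.
        if not m or len(m.group(2)) not in (32, 48, 64):
            raise ValueError(f"keys file line {n}: malformed entry")
        key_id = int(m.group(1))
        if key_id in ids:  # this script's own sanity check
            raise ValueError(f"keys file line {n}: duplicate key ID {key_id}")
        ids.add(key_id)
    return ids


def quote_ident(name):
    """Backtick-quote an identifier, doubling embedded backticks."""
    return "`" + name.replace("`", "``") + "`"


def plan_rekey(keys_text, tables, old_id, new_id):
    """Build the ALTER TABLE statements that move tables from old_id to new_id."""
    ids = parse_key_ids(keys_text)
    if new_id not in ids:
        raise ValueError(f"new key ID {new_id} is not in the keys file")
    if old_id not in ids:
        # The old key is still needed to read tables that have not been switched.
        raise ValueError(f"old key ID {old_id} is missing from the keys file")
    return [f"ALTER TABLE {quote_ident(s)}.{quote_ident(t)} ENCRYPTION_KEY_ID={new_id};"
            for s, t, k in tables if k == old_id]
```

Running `plan_rekey(KEYS_TXT, TABLES, 1, 2)` yields one statement per table still on key 1 and refuses to produce anything if the target key ID was never added to the file.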