
maria-discuss team mailing list archive

Re: AWS Key management plugin key rotation in replication


Hi, Reinis!

On Aug 30, Reinis Rozitis wrote:
> > Slaves use their own encryption, they can use completely different set of
> > keys with different rotation period. They don't have to be synchronized with
> > the master.
> 
> That is clear, 
> but I wanted to know in case they use the same key does the KMS API / Plugin
> somehow pick up the rotation event and perform the re-encryption on all the
> replicas (I guess could try just to test it)?

the master does not specifically communicate key rotation to slaves.
the way key rotation works in AWS plugin - I don't think the KMS will
communicate it either.

but, as key rotation is triggered by an SQL statement, you can try to
replicate it somehow. e.g. instead of SET, you have a table
"key_rotation" and you insert into it. And an AFTER INSERT trigger will
do the SET. The insert can be replicated just fine, this way both a
master and a slave can rotate at about the same time.

> Using multiple keys (per replica) would complicate the setup (a bit).

sure. it's a possibility, not a requirement.

Regards,
Sergei
VP of MariaDB Server Engineering
and security@xxxxxxxxxxx
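The table-plus-trigger approach described above, written out as an added example (not code from the mailing list or from the MariaDB project). It assumes the aws_key_management plugin is loaded on master and replicas, that key rotation is done by setting the plugin's global variable aws_key_management_rotate_key, and that the trigger's definer may set global variables; the trigger name key_rotation_ai is hypothetical.

```sql
-- Added example: replicate a key rotation by replicating an INSERT and letting
-- an AFTER INSERT trigger issue the SET locally on every server.
CREATE TABLE key_rotation (
  id      INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  key_id  INT NOT NULL,          -- key id to rotate; -1 rotates all keys
  rotated TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
) ENGINE=InnoDB;

DELIMITER //
CREATE TRIGGER key_rotation_ai AFTER INSERT ON key_rotation
FOR EACH ROW
BEGIN
  -- The AWS plugin rotates a key when this global variable is set to its id.
  -- SET GLOBAL itself is not written to the binary log, so each server
  -- rotates through its own copy of the trigger, using its own KMS credentials.
  SET GLOBAL aws_key_management_rotate_key = NEW.key_id;
END//
DELIMITER ;

-- Run on the master only: the INSERT is binlogged, the replicas apply it,
-- and the trigger fires on each of them at about the same time.
INSERT INTO key_rotation (key_id) VALUES (1);

-- Verify on every server that a new key version is now current.
SELECT key_id, key_version
FROM information_schema.encryption_keys
WHERE key_id = 1;
```

Triggers fire on a replica for statement-based events; with row-based replication the replica only runs them if slave_run_triggers_for_rbr is enabled, otherwise the row arrives but no SET happens there.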

