Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-12041

Implement key rotation for innodb_encrypt_log

    XMLWordPrintable

Details

    Description

      MDEV-9422 disabled the key rotation for the encrypted InnoDB redo log, because the used approach of writing multiple key metadata to the checkpoint page did not work.

      A better approach would seem to be the following:

      • In the redo log checkpoint page, write the current key version identifier.
      • When the redo log key is going to be rotated:
      1. Write a MLOG_KEY_ROTATE record with the information of the new (rotated) key
      2. Pad the end of the log block, and encrypt this block with the old key.
      3. Starting from the next log block, encrypt using the rotated key.

      This approach has the problem that writing log involves double buffering, and the log block boundaries are not known until the final copying, which happens under mutex protection. It would be simpler to do the following:

      • In each encrypted log block, write the encryption key version. (This would reduce the 512-byte logical block payload size from 496 to 492 bytes, or from 97% to 96%.)

      Attachments

        Issue Links

          is blocked by

          Task - A task that needs to be done. MDEV-11782 Redefine the innodb_encrypt_log format

          • Major - Major loss of function.
          • Closed
          is caused by

          Bug - A problem which impairs or prevents the functions of the product. MDEV-9422 Encrypted redo log checksum errors on restart after killing busy XtraDB instance

          • Major - Major loss of function.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-13044 Do not create a redo log checkpoint at startup

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-13318 Crash recovery failure after the server is killed during innodb_encrypt_log startup

          • Major - Major loss of function.
          • Closed

          Task - A task that needs to be done. MDEV-14425 Change the InnoDB redo log format to reduce write amplification

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-21949 key rotation for innodb_encrypt_log is not working in 10.5

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Activity

            People

              marko Marko Mäkelä
              marko Marko Mäkelä
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.