[MDEV-12041] Implement key rotation for innodb_encrypt_log - Jira

Details

Type: Task
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Fix Version/s: 10.4.0
Component/s: Storage Engine - InnoDB
Labels:
None

Description

~~MDEV-9422~~ disabled the key rotation for the encrypted InnoDB redo log, because the used approach of writing multiple key metadata to the checkpoint page did not work.

A better approach would seem to be the following:

In the redo log checkpoint page, write the current key version identifier.
When the redo log key is going to be rotated:

Write a MLOG_KEY_ROTATE record with the information of the new (rotated) key
Pad the end of the log block, and encrypt this block with the old key.
Starting from the next log block, encrypt using the rotated key.

This approach has the problem that writing log involves double buffering, and the log block boundaries are not known until the final copying, which happens under mutex protection. It would be simpler to do the following:

In each encrypted log block, write the encryption key version. (This would reduce the 512-byte logical block payload size from 496 to 492 bytes, or from 97% to 96%.)

Attachments

Issue Links

is blocked by

MDEV-11782 Redefine the innodb_encrypt_log format

Closed

is caused by

MDEV-9422 Encrypted redo log checksum errors on restart after killing busy XtraDB instance

Closed

relates to

MDEV-13044 Do not create a redo log checkpoint at startup

Closed

MDEV-13318 Crash recovery failure after the server is killed during innodb_encrypt_log startup

Closed

MDEV-14425 Change the InnoDB redo log format to reduce write amplification

Closed

MDEV-21949 key rotation for innodb_encrypt_log is not working in 10.5

Closed

(1 relates to)

Activity

Ascending order - Click to sort in descending order

Marko Mäkelä created issue - 2017-02-10 13:24

Marko Mäkelä made changes - 2017-02-10 13:24

Field	Original Value	New Value
Link		This issue is caused by ~~MDEV-9422~~ [ ~~MDEV-9422~~ ]

Marko Mäkelä made changes - 2017-02-10 13:25

Link

This issue is blocked by ~~MDEV-11782~~ [ ~~MDEV-11782~~ ]

Marko Mäkelä made changes - 2017-06-09 12:28

Link

This issue relates to ~~MDEV-13044~~ [ ~~MDEV-13044~~ ]

Marko Mäkelä added a comment - 2017-09-12 07:34

As a part of this work, InnoDB should periodically change the random encryption parameters that are initialized in log_crypt_init(). These parameters could be changed much more frequently than the encryption key. Maybe we should assign and store a random nonce in each redo log block? Maybe the logical redo log block size should be larger than 512 bytes?

Starting with ~~MDEV-13318~~, log_crypt_init() will only be invoked when rebuilding the redo logs.

Marko Mäkelä added a comment - 2017-09-12 07:34 As a part of this work, InnoDB should periodically change the random encryption parameters that are initialized in log_crypt_init(). These parameters could be changed much more frequently than the encryption key. Maybe we should assign and store a random nonce in each redo log block? Maybe the logical redo log block size should be larger than 512 bytes? Starting with MDEV-13318 , log_crypt_init() will only be invoked when rebuilding the redo logs.

Marko Mäkelä made changes - 2017-09-12 07:34

Link

This issue relates to ~~MDEV-13318~~ [ ~~MDEV-13318~~ ]

Marko Mäkelä added a comment - 2017-11-21 14:05

This could be implemented as part of ~~MDEV-14425~~ by writing an encryption key ID in each redo log block.

Marko Mäkelä added a comment - 2017-11-21 14:05 This could be implemented as part of MDEV-14425 by writing an encryption key ID in each redo log block.

Marko Mäkelä made changes - 2017-11-21 14:05

Link

This issue relates to ~~MDEV-14425~~ [ ~~MDEV-14425~~ ]

Sergei Golubchik made changes - 2018-02-14 16:23

Fix Version/s

10.3 [ 22126 ]

Ralf Gebhardt made changes - 2018-07-26 18:25

Fix Version/s

10.4 [ 22408 ]

Ralf Gebhardt made changes - 2018-08-03 06:52

Epic Link

PT-73 [ 68549 ]

Marko Mäkelä made changes - 2018-08-09 08:34

Status

Open [ 1 ]

In Progress [ 3 ]

Marko Mäkelä made changes - 2018-08-09 10:31

Description

~~MDEV-9422~~ disabled the key rotation for the encrypted InnoDB redo log, because the used approach of writing multiple key metadata to the checkpoint page did not work.

A better approach would seem to be the following:
* In the redo log checkpoint page, write the current key version identifier.
* When the redo log key is going to be rotated:
# Write a {{MLOG_KEY_ROTATE}} record with the information of the new (rotated) key
# Pad the end of the log block, and encrypt this block with the old key.
# Starting from the next log block, encrypt using the rotated key.

This approach has the problem that writing log involves double buffering, and the log block boundaries are not known until the final copying, which happens under mutex protection. It would be simpler to do the following:
* In each encrypted log block, write the encryption key version. (This would reduce the 512-byte logical block payload size from 496 to 492 bytes, or from 97% to 96%.)

Marko Mäkelä added a comment - 2018-08-13 13:09

Starting with MariaDB 10.4.0, the encrypted InnoDB redo log format will reserve 4 bytes at the end of each 512-byte redo log block for the encryption key version. This allows key rotation at any time. For performance reasons, we will attempt key rotation only when writing log as part of a redo log checkpoint.

Marko Mäkelä added a comment - 2018-08-13 13:09 Starting with MariaDB 10.4.0, the encrypted InnoDB redo log format will reserve 4 bytes at the end of each 512-byte redo log block for the encryption key version. This allows key rotation at any time. For performance reasons, we will attempt key rotation only when writing log as part of a redo log checkpoint.

Marko Mäkelä made changes - 2018-08-13 13:09

issue.field.resolutiondate

2018-08-13 13:09:52.0

2018-08-13 13:09:52.645

Marko Mäkelä made changes - 2018-08-13 13:09

Fix Version/s		10.4.0 [ 23115 ]
Fix Version/s	10.4 [ 22408 ]
Resolution		Fixed [ 1 ]
Status	In Progress [ 3 ]	Closed [ 6 ]

Marko Mäkelä made changes - 2020-03-16 08:14

Link

This issue relates to ~~MDEV-21949~~ [ ~~MDEV-21949~~ ]

Rob Schwyzer (Inactive) made changes - 2021-06-24 20:30

Labels

ServiceNow

Rob Schwyzer (Inactive) made changes - 2021-07-02 20:00

Labels

ServiceNow

76qDvLB8Gju6Hs7nk3VY3EX42G795W5z

Sergei Golubchik made changes - 2021-08-13 22:33

Labels

76qDvLB8Gju6Hs7nk3VY3EX42G795W5z

Sergei Golubchik made changes - 2021-12-06 21:23

Workflow

MariaDB v3 [ 79607 ]

MariaDB v4 [ 133126 ]

Jira Automation (IT) made changes - 2024-07-04 08:35

Zendesk Related Tickets		201658 137277
Zendesk active tickets		201658

People

Assignee:: Marko Mäkelä

Reporter:: Marko Mäkelä

Votes:: 1 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2017-02-10 13:24

Updated:: 2024-09-06 09:59

Resolved:: 2018-08-13 13:09

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration