  1. MariaDB Server
  2. MDEV-14398

When innodb_encryption_rotate_key_age=0 is set, server won't encrypt tablespaces

Details

    Description

      The fix for MDEV-10368 and MDEV-11587 introduced innodb_encryption_rotate_key_age=0 as a special value that disables key rotation entirely. This can help performance, since the key rotation checks seem to require a lot of CPU resources.

      Unfortunately, when innodb_encryption_rotate_key_age=0 is set, it also seems to prevent the server from encrypting unencrypted tablespaces in the background.

      To reproduce, do the following:

      1.) Initialize a datadir without encryption enabled. You can ensure that the tablespaces are not encrypted by querying INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION and confirming that there are 0 rows.

      MariaDB [(none)]> SELECT * FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION\G
      Empty set (0.01 sec)
      

      2.) Then change the configuration to enable encryption. Be sure to set innodb_encryption_rotate_key_age=0. I used the following configuration:

      plugin-load-add=file_key_management
      file-key-management
      file_key_management_encryption_algorithm=aes_cbc
      file_key_management_filename = /etc/my.cnf.d//keys.enc
      file_key_management_filekey = secret
      innodb-encrypt-tables
      innodb-encrypt-log
      innodb-encryption-threads=4
      encrypt-tmp-disk-tables=1
      encrypt-tmp-files=1
      encrypt-binlog=1
      innodb_encryption_rotate_key_age = 0
      

      3.) Restart the server.

      4.) Check whether the tablespaces are encrypted. They still are not:

      MariaDB [(none)]> SELECT * FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION\G
      Empty set (0.00 sec)
      

      5.) Change the configuration so that innodb_encryption_rotate_key_age=0 is commented out.

      6.) Restart the server.

      7.) Check whether the tablespaces are encrypted. They are:

      MariaDB [(none)]> SELECT * FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION\G
      *************************** 1. row ***************************
                             SPACE: 1
                              NAME: mysql/innodb_table_stats
                 ENCRYPTION_SCHEME: 1
                KEYSERVER_REQUESTS: 1
                   MIN_KEY_VERSION: 1
               CURRENT_KEY_VERSION: 1
          KEY_ROTATION_PAGE_NUMBER: NULL
      KEY_ROTATION_MAX_PAGE_NUMBER: NULL
                    CURRENT_KEY_ID: 1
              ROTATING_OR_FLUSHING: 0
      *************************** 2. row ***************************
                             SPACE: 2
                              NAME: mysql/innodb_index_stats
                 ENCRYPTION_SCHEME: 1
                KEYSERVER_REQUESTS: 1
                   MIN_KEY_VERSION: 1
               CURRENT_KEY_VERSION: 1
          KEY_ROTATION_PAGE_NUMBER: NULL
      KEY_ROTATION_MAX_PAGE_NUMBER: NULL
                    CURRENT_KEY_ID: 1
              ROTATING_OR_FLUSHING: 0
      *************************** 3. row ***************************
                             SPACE: 3
                              NAME: mysql/gtid_slave_pos
                 ENCRYPTION_SCHEME: 1
                KEYSERVER_REQUESTS: 1
                   MIN_KEY_VERSION: 1
               CURRENT_KEY_VERSION: 1
          KEY_ROTATION_PAGE_NUMBER: NULL
      KEY_ROTATION_MAX_PAGE_NUMBER: NULL
                    CURRENT_KEY_ID: 1
              ROTATING_OR_FLUSHING: 0
      *************************** 4. row ***************************
                             SPACE: 0
                              NAME: innodb_system
                 ENCRYPTION_SCHEME: 1
                KEYSERVER_REQUESTS: 1
                   MIN_KEY_VERSION: 1
               CURRENT_KEY_VERSION: 1
          KEY_ROTATION_PAGE_NUMBER: NULL
      KEY_ROTATION_MAX_PAGE_NUMBER: NULL
                    CURRENT_KEY_ID: 1
              ROTATING_OR_FLUSHING: 0
      4 rows in set (0.00 sec)
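
A configuration check for the combination described in this report, as an added example that is not part of the original issue or of MariaDB's own code. The function names and the sample fragment are assumptions made for illustration; the option names are the ones shown in the configuration above.

```python
import re

# Constructed sample: part of the [mysqld] fragment from the report above.
SAMPLE_CNF = """\
[mysqld]
plugin-load-add=file_key_management
innodb-encrypt-tables
innodb-encrypt-log
innodb-encryption-threads=4
innodb_encryption_rotate_key_age = 0
"""

ENABLED = {"on", "1", "force"}  # values that turn innodb_encrypt_tables on

def parse_options(text):
    """Return {normalized_name: value} for a my.cnf fragment; the last setting wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":   # blank, comment, or [section] header
            continue
        name, sep, value = line.partition("=")
        # The server treats '-' and '_' in option names as equivalent and
        # accepts an optional "loose-" prefix, so normalize both away.
        name = re.sub(r"^loose_", "", name.strip().lower().replace("-", "_"))
        # A bare boolean option such as "innodb-encrypt-tables" means ON.
        opts[name] = value.strip().strip("'\"") if sep else "ON"
    return opts

def audit_encryption(text):
    """Flag the combination from this report: encryption on, key rotation age 0."""
    opts = parse_options(text)
    findings = []
    encrypt = opts.get("innodb_encrypt_tables", "OFF").lower()
    if encrypt in ENABLED and opts.get("innodb_encryption_rotate_key_age") == "0":
        findings.append(
            "innodb_encrypt_tables=%s with innodb_encryption_rotate_key_age=0: "
            "existing unencrypted tablespaces may never be encrypted in the "
            "background; verify with INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION"
            % encrypt.upper())
    return findings

if __name__ == "__main__":
    for finding in audit_encryption(SAMPLE_CNF):
        print("WARNING:", finding)
```

A clean result from this check only covers the configuration file; the query from steps 4 and 7 remains the authoritative test of whether tablespaces are actually encrypted.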
      

            People

              thiru Thirunarayanan Balathandayuthapani
              GeoffMontee Geoff Montee (Inactive)