MariaDB Server / MDEV-14398

When innodb_encryption_rotate_key_age=0 is set, server won't encrypt tablespaces

      Description

      The fix for MDEV-10368 and MDEV-11587 introduced innodb_encryption_rotate_key_age=0 as a special value that disables key rotation entirely. This can help performance, since the key rotation checks seem to require a lot of CPU resources.

      Unfortunately, when innodb_encryption_rotate_key_age=0 is set, it also seems to prevent the server from encrypting unencrypted tablespaces in the background.

      To reproduce, do the following:

      1.) Initialize a datadir without encryption enabled. You can ensure that the tablespaces are not encrypted by querying INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION and confirming that there are 0 rows.

      MariaDB [(none)]> SELECT * FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION\G
      Empty set (0.01 sec)
      

      2.) Then change the configuration to enable encryption. Be sure to set innodb_encryption_rotate_key_age=0. I used the following configuration:

      plugin-load-add=file_key_management
      file-key-management
      file_key_management_encryption_algorithm=aes_cbc
      file_key_management_filename = /etc/my.cnf.d//keys.enc
      file_key_management_filekey = secret
      innodb-encrypt-tables
      innodb-encrypt-log
      innodb-encryption-threads=4
      encrypt-tmp-disk-tables=1
      encrypt-tmp-files=1
      encrypt-binlog=1
      innodb_encryption_rotate_key_age = 0
      

      3.) Restart the server.

      4.) Check whether the tablespaces are encrypted. They still are not:

      MariaDB [(none)]> SELECT * FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION\G
      Empty set (0.00 sec)
      

      5.) Change the configuration so that innodb_encryption_rotate_key_age=0 is commented out.

      6.) Restart the server.

      7.) Check whether the tablespaces are encrypted. They are:

      MariaDB [(none)]> SELECT * FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION\G
      *************************** 1. row ***************************
                             SPACE: 1
                              NAME: mysql/innodb_table_stats
                 ENCRYPTION_SCHEME: 1
                KEYSERVER_REQUESTS: 1
                   MIN_KEY_VERSION: 1
               CURRENT_KEY_VERSION: 1
          KEY_ROTATION_PAGE_NUMBER: NULL
      KEY_ROTATION_MAX_PAGE_NUMBER: NULL
                    CURRENT_KEY_ID: 1
              ROTATING_OR_FLUSHING: 0
      *************************** 2. row ***************************
                             SPACE: 2
                              NAME: mysql/innodb_index_stats
                 ENCRYPTION_SCHEME: 1
                KEYSERVER_REQUESTS: 1
                   MIN_KEY_VERSION: 1
               CURRENT_KEY_VERSION: 1
          KEY_ROTATION_PAGE_NUMBER: NULL
      KEY_ROTATION_MAX_PAGE_NUMBER: NULL
                    CURRENT_KEY_ID: 1
              ROTATING_OR_FLUSHING: 0
      *************************** 3. row ***************************
                             SPACE: 3
                              NAME: mysql/gtid_slave_pos
                 ENCRYPTION_SCHEME: 1
                KEYSERVER_REQUESTS: 1
                   MIN_KEY_VERSION: 1
               CURRENT_KEY_VERSION: 1
          KEY_ROTATION_PAGE_NUMBER: NULL
      KEY_ROTATION_MAX_PAGE_NUMBER: NULL
                    CURRENT_KEY_ID: 1
              ROTATING_OR_FLUSHING: 0
      *************************** 4. row ***************************
                             SPACE: 0
                              NAME: innodb_system
                 ENCRYPTION_SCHEME: 1
                KEYSERVER_REQUESTS: 1
                   MIN_KEY_VERSION: 1
               CURRENT_KEY_VERSION: 1
          KEY_ROTATION_PAGE_NUMBER: NULL
      KEY_ROTATION_MAX_PAGE_NUMBER: NULL
                    CURRENT_KEY_ID: 1
              ROTATING_OR_FLUSHING: 0
      4 rows in set (0.00 sec)
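
A check for the condition reproduced above, as an added example that is not part of the original report or of MariaDB's code: it reads the server option lines and the client's `\G` output of INNODB_TABLESPACES_ENCRYPTION, and flags the case where encryption is requested but no tablespace reports ENCRYPTION_SCHEME=1. The function names and the sample inputs are constructed for illustration.

```python
import re

# Constructed samples: option lines as in step 2, \G output as in steps 4 and 7.
SAMPLE_CNF = """\
plugin-load-add=file_key_management
innodb-encrypt-tables
innodb_encryption_rotate_key_age = 0
"""
SAMPLE_EMPTY = "Empty set (0.00 sec)\n"
SAMPLE_ROWS = """\
*************************** 1. row ***************************
                       SPACE: 1
                        NAME: mysql/innodb_table_stats
           ENCRYPTION_SCHEME: 1
"""

def parse_options(text):
    # Option name -> value. '-' and '_' are interchangeable; a bare flag means ON.
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line[0] in "[;":
            continue
        name, _, value = line.partition("=")
        opts[name.strip().replace("-", "_")] = value.strip() or "ON"
    return opts

def parse_vertical(text):
    # Turn the client's vertical (\G) output into a list of row dicts.
    rows = []
    for line in text.splitlines():
        if re.fullmatch(r"\*+ \d+\. row \*+", line.strip()):
            rows.append({})
        elif rows and ":" in line:
            key, _, value = line.partition(":")
            rows[-1][key.strip()] = value.strip()
    return rows

def audit(cnf_text, encryption_output):
    opts = parse_options(cnf_text)
    wanted = opts.get("innodb_encrypt_tables", "OFF").upper() in ("ON", "1", "FORCE")
    encrypted = [r for r in parse_vertical(encryption_output)
                 if r.get("ENCRYPTION_SCHEME") == "1"]
    findings = []
    if wanted and not encrypted:
        findings.append("encryption requested, but no tablespace has ENCRYPTION_SCHEME=1")
        if opts.get("innodb_encryption_rotate_key_age") == "0":
            findings.append("innodb_encryption_rotate_key_age=0 is set")
    return findings
```

An empty result from `audit` means at least one tablespace reports an encryption scheme; it does not show that every tablespace is encrypted.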
      

              People

              • Assignee:
                thiru Thirunarayanan Balathandayuthapani
                Reporter:
                GeoffMontee Geoff Montee