MariaDB Server / MDEV-14571

mysql_install_db does not encrypt system tablespace when innodb_encrypt_tables is set

    Details

    • Sprint:
      10.1.30

      Description

      When mysql_install_db initializes a new InnoDB system tablespace and innodb_encrypt_tables is set to ON or FORCE, should the newly created InnoDB tablespace be encrypted? That does not appear to happen with the current implementation.

      Let's say that we have the following configuration:

      plugin-load-add=file_key_management
      file-key-management
      file_key_management_encryption_algorithm=aes_cbc
      file_key_management_filename = /etc/my.cnf.d//keys.enc
      file_key_management_filekey = secret
      innodb-encrypt-tables
      innodb-encrypt-log
      innodb-encryption-threads=4
      encrypt-tmp-disk-tables=1
      encrypt-tmp-files=1
      #encrypt-binlog=1
      innodb_encryption_rotate_key_age = 0
      

      I would expect the system tablespace (where space_id=0) to be encrypted, but it is not:

      [ec2-user@ip-172-30-0-58 ~]$ sudo mysql_install_db --user=mysql
      Installing MariaDB/MySQL system tables in '/var/lib/mysql' ...
      OK
       
      To start mysqld at boot time you have to copy
      support-files/mysql.server to the right place for your system
       
      PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !
      To do so, start the server, then issue the following commands:
       
      '/usr/bin/mysqladmin' -u root password 'new-password'
      '/usr/bin/mysqladmin' -u root -h ip-172-30-0-58.us-west-2.compute.internal password 'new-password'
       
      Alternatively you can run:
      '/usr/bin/mysql_secure_installation'
       
      which will also give you the option of removing the test
      databases and anonymous user created by default.  This is
      strongly recommended for production servers.
       
      See the MariaDB Knowledgebase at http://mariadb.com/kb or the
      MySQL manual for more instructions.
       
      You can start the MariaDB daemon with:
      cd '/usr' ; /usr/bin/mysqld_safe --datadir='/var/lib/mysql'
       
      You can test the MariaDB daemon with mysql-test-run.pl
      cd '/usr/mysql-test' ; perl mysql-test-run.pl
       
      Please report any problems at http://mariadb.org/jira
       
      The latest information about MariaDB is available at http://mariadb.org/.
      You can find additional information about the MySQL part at:
      http://dev.mysql.com
      Consider joining MariaDB's strong and vibrant community:
      https://mariadb.org/get-involved/
       
      [ec2-user@ip-172-30-0-58 ~]$ sudo galera_new_cluster
      [ec2-user@ip-172-30-0-58 ~]$ mysql -u root
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MariaDB connection id is 11
      Server version: 10.2.9-MariaDB-debug-log Source distribution
       
      Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
       
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
       
      MariaDB [(none)]> SELECT * FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION\G
      *************************** 1. row ***************************
                             SPACE: 1
                              NAME: mysql/innodb_table_stats
                 ENCRYPTION_SCHEME: 1
                KEYSERVER_REQUESTS: 1
                   MIN_KEY_VERSION: 1
               CURRENT_KEY_VERSION: 1
          KEY_ROTATION_PAGE_NUMBER: NULL
      KEY_ROTATION_MAX_PAGE_NUMBER: NULL
                    CURRENT_KEY_ID: 1
              ROTATING_OR_FLUSHING: 0
      *************************** 2. row ***************************
                             SPACE: 2
                              NAME: mysql/innodb_index_stats
                 ENCRYPTION_SCHEME: 1
                KEYSERVER_REQUESTS: 1
                   MIN_KEY_VERSION: 1
               CURRENT_KEY_VERSION: 1
          KEY_ROTATION_PAGE_NUMBER: NULL
      KEY_ROTATION_MAX_PAGE_NUMBER: NULL
                    CURRENT_KEY_ID: 1
              ROTATING_OR_FLUSHING: 0
      *************************** 3. row ***************************
                             SPACE: 3
                              NAME: mysql/gtid_slave_pos
                 ENCRYPTION_SCHEME: 1
                KEYSERVER_REQUESTS: 1
                   MIN_KEY_VERSION: 1
               CURRENT_KEY_VERSION: 1
          KEY_ROTATION_PAGE_NUMBER: NULL
      KEY_ROTATION_MAX_PAGE_NUMBER: NULL
                    CURRENT_KEY_ID: 1
              ROTATING_OR_FLUSHING: 0
      3 rows in set (0.00 sec)
      

      If I change innodb_encryption_rotate_key_age to the default value of 1 (see also MDEV-14398 about that), then the system tablespace is encrypted in the background the next time mysqld is restarted, which suggests that it probably should have been encrypted from the start.

      MariaDB [(none)]> SELECT @@global.innodb_encryption_rotate_key_age;
      +-------------------------------------------+
      | @@global.innodb_encryption_rotate_key_age |
      +-------------------------------------------+
      |                                         1 |
      +-------------------------------------------+
      1 row in set (0.00 sec)
       
      MariaDB [(none)]> SELECT * FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION\G
      *************************** 1. row ***************************
                             SPACE: 1
                              NAME: mysql/innodb_table_stats
                 ENCRYPTION_SCHEME: 1
                KEYSERVER_REQUESTS: 1
                   MIN_KEY_VERSION: 1
               CURRENT_KEY_VERSION: 1
          KEY_ROTATION_PAGE_NUMBER: NULL
      KEY_ROTATION_MAX_PAGE_NUMBER: NULL
                    CURRENT_KEY_ID: 1
              ROTATING_OR_FLUSHING: 0
      *************************** 2. row ***************************
                             SPACE: 2
                              NAME: mysql/innodb_index_stats
                 ENCRYPTION_SCHEME: 1
                KEYSERVER_REQUESTS: 1
                   MIN_KEY_VERSION: 1
               CURRENT_KEY_VERSION: 1
          KEY_ROTATION_PAGE_NUMBER: NULL
      KEY_ROTATION_MAX_PAGE_NUMBER: NULL
                    CURRENT_KEY_ID: 1
              ROTATING_OR_FLUSHING: 0
      *************************** 3. row ***************************
                             SPACE: 3
                              NAME: mysql/gtid_slave_pos
                 ENCRYPTION_SCHEME: 1
                KEYSERVER_REQUESTS: 1
                   MIN_KEY_VERSION: 1
               CURRENT_KEY_VERSION: 1
          KEY_ROTATION_PAGE_NUMBER: NULL
      KEY_ROTATION_MAX_PAGE_NUMBER: NULL
                    CURRENT_KEY_ID: 1
              ROTATING_OR_FLUSHING: 0
      *************************** 4. row ***************************
                             SPACE: 0
                              NAME: innodb_system
                 ENCRYPTION_SCHEME: 1
                KEYSERVER_REQUESTS: 1
                   MIN_KEY_VERSION: 1
               CURRENT_KEY_VERSION: 1
          KEY_ROTATION_PAGE_NUMBER: NULL
      KEY_ROTATION_MAX_PAGE_NUMBER: NULL
                    CURRENT_KEY_ID: 1
              ROTATING_OR_FLUSHING: 0
      4 rows in set (0.00 sec)
      
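The check the report performs by hand (query INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION and look for SPACE 0) can be scripted so that a fresh install is verified before it goes into service. The following is an added example, not part of this issue or of MariaDB's own tooling: it parses the `\G` vertical output of that query (the sample texts embedded below are constructed from the rows shown above) and reports tablespaces that are missing or not fully encrypted. The meaning of the columns is assumed from MariaDB's documentation: ENCRYPTION_SCHEME 1 means the tablespace is marked encrypted, and MIN_KEY_VERSION 0 means some pages are still unencrypted.

```python
"""Verify InnoDB tablespace encryption from `SELECT * FROM
INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION\\G` output.

Added example; the parser works on the text a `mysql` client prints, so it
can be fed from `mysql -e '...\\G'` without any extra driver.
"""
import re

# Matches the separator the client prints before each row in \G mode.
ROW_HEADER = re.compile(r"^\*+ \d+\. row \*+$")


def parse_vertical_rows(text):
    """Turn \\G output into a list of {column: value} dicts."""
    rows, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ROW_HEADER.match(line):
            current = {}
            rows.append(current)
            continue
        if current is None or ":" not in line:
            continue  # banner, "n rows in set", blank lines
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return rows


def encryption_findings(rows, encrypt_tables="ON"):
    """Return a list of problems; an empty list means everything looks encrypted.

    encrypt_tables is the effective value of innodb_encrypt_tables
    (OFF / ON / FORCE). With ON or FORCE the system tablespace (SPACE 0)
    must appear in the view, which is exactly what MDEV-14571 reports missing.
    """
    findings = []
    by_space = {
        int(r["SPACE"]): r for r in rows if r.get("SPACE", "").isdigit()
    }
    if encrypt_tables.upper() in ("ON", "FORCE") and 0 not in by_space:
        findings.append("system tablespace (SPACE 0) is absent: not encrypted")
    for space, r in sorted(by_space.items()):
        name = r.get("NAME", "?")
        if r.get("ENCRYPTION_SCHEME") != "1":
            findings.append(f"space {space} ({name}): not marked encrypted")
        elif r.get("MIN_KEY_VERSION") == "0":
            findings.append(f"space {space} ({name}): unencrypted pages remain")
    return findings


def _row(space, name, min_key="1"):
    # Constructed row in the layout the mysql client prints for \G.
    return (
        f"*************************** {space + 1}. row ***************************\n"
        f"                       SPACE: {space}\n"
        f"                        NAME: {name}\n"
        f"           ENCRYPTION_SCHEME: 1\n"
        f"          KEYSERVER_REQUESTS: 1\n"
        f"             MIN_KEY_VERSION: {min_key}\n"
        f"         CURRENT_KEY_VERSION: 1\n"
        f"    KEY_ROTATION_PAGE_NUMBER: NULL\n"
        f"KEY_ROTATION_MAX_PAGE_NUMBER: NULL\n"
        f"              CURRENT_KEY_ID: 1\n"
        f"        ROTATING_OR_FLUSHING: 0\n"
    )


# Constructed sample: the three rows seen right after mysql_install_db.
SAMPLE_BEFORE = (
    _row(0, "mysql/innodb_table_stats").replace("SPACE: 0", "SPACE: 1")
    + _row(1, "mysql/innodb_index_stats").replace("SPACE: 1", "SPACE: 2")
    + _row(2, "mysql/gtid_slave_pos").replace("SPACE: 2", "SPACE: 3")
    + "3 rows in set (0.00 sec)\n"
)
# Constructed sample: the same plus innodb_system, as after background encryption.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("3 rows in set", "") + _row(0, "innodb_system") + "4 rows in set (0.00 sec)\n"


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BEFORE
    problems = encryption_findings(parse_vertical_rows(text))
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```

Run it as `mysql -u root -e 'SELECT * FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION\G' | python3 check_encryption.py` (the file name is arbitrary); a non-zero exit on a fresh install catches the state this issue describes before any data is written into an unencrypted system tablespace.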

Assignee: Jan Lindström (jplindst)
Reporter: Geoff Montee (GeoffMontee)