Details
Type: Bug
Status: Closed
Priority: Critical
Resolution: Not a Bug
Affects Version/s: 10.2.9, 10.1 (EOL)
Fix Version/s: 10.1.30
Description
When mysql_install_db initializes a new InnoDB system tablespace and innodb_encrypt_tables is set to ON or FORCE, should the newly created InnoDB tablespace be encrypted? That does not appear to happen with the current implementation.
Let's say that we have the following configuration:
plugin-load-add=file_key_management
file-key-management
file_key_management_encryption_algorithm=aes_cbc
file_key_management_filename = /etc/my.cnf.d//keys.enc
file_key_management_filekey = secret
innodb-encrypt-tables
innodb-encrypt-log
innodb-encryption-threads=4
encrypt-tmp-disk-tables=1
encrypt-tmp-files=1
#encrypt-binlog=1
innodb_encryption_rotate_key_age = 0
I would expect the system tablespace (where space_id=0) to be encrypted, but it is not:
[ec2-user@ip-172-30-0-58 ~]$ sudo mysql_install_db --user=mysql
Installing MariaDB/MySQL system tables in '/var/lib/mysql' ...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !
To do so, start the server, then issue the following commands:

'/usr/bin/mysqladmin' -u root password 'new-password'
'/usr/bin/mysqladmin' -u root -h ip-172-30-0-58.us-west-2.compute.internal password 'new-password'

Alternatively you can run:
'/usr/bin/mysql_secure_installation'

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the MariaDB Knowledgebase at http://mariadb.com/kb or the
MySQL manual for more instructions.

You can start the MariaDB daemon with:
cd '/usr' ; /usr/bin/mysqld_safe --datadir='/var/lib/mysql'

You can test the MariaDB daemon with mysql-test-run.pl
cd '/usr/mysql-test' ; perl mysql-test-run.pl

Please report any problems at http://mariadb.org/jira

The latest information about MariaDB is available at http://mariadb.org/.
You can find additional information about the MySQL part at:
http://dev.mysql.com
Consider joining MariaDB's strong and vibrant community:
https://mariadb.org/get-involved/

[ec2-user@ip-172-30-0-58 ~]$ sudo galera_new_cluster
[ec2-user@ip-172-30-0-58 ~]$ mysql -u root
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 11
Server version: 10.2.9-MariaDB-debug-log Source distribution

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SELECT * FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION \G
*************************** 1. row ***************************
                       SPACE: 1
                        NAME: mysql/innodb_table_stats
           ENCRYPTION_SCHEME: 1
          KEYSERVER_REQUESTS: 1
             MIN_KEY_VERSION: 1
         CURRENT_KEY_VERSION: 1
    KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
              CURRENT_KEY_ID: 1
        ROTATING_OR_FLUSHING: 0
*************************** 2. row ***************************
                       SPACE: 2
                        NAME: mysql/innodb_index_stats
           ENCRYPTION_SCHEME: 1
          KEYSERVER_REQUESTS: 1
             MIN_KEY_VERSION: 1
         CURRENT_KEY_VERSION: 1
    KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
              CURRENT_KEY_ID: 1
        ROTATING_OR_FLUSHING: 0
*************************** 3. row ***************************
                       SPACE: 3
                        NAME: mysql/gtid_slave_pos
           ENCRYPTION_SCHEME: 1
          KEYSERVER_REQUESTS: 1
             MIN_KEY_VERSION: 1
         CURRENT_KEY_VERSION: 1
    KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
              CURRENT_KEY_ID: 1
        ROTATING_OR_FLUSHING: 0
3 rows in set (0.00 sec)
|
If I change innodb_encryption_rotate_key_age to the default value of 1 (see also MDEV-14398 about that), then the system tablespace is encrypted in the background the next time mysqld is restarted, which suggests that it probably should have been encrypted from the start.
MariaDB [(none)]> SELECT @@global.innodb_encryption_rotate_key_age;
+-------------------------------------------+
| @@global.innodb_encryption_rotate_key_age |
+-------------------------------------------+
|                                         1 |
+-------------------------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> SELECT * FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION\G
*************************** 1. row ***************************
                       SPACE: 1
                        NAME: mysql/innodb_table_stats
           ENCRYPTION_SCHEME: 1
          KEYSERVER_REQUESTS: 1
             MIN_KEY_VERSION: 1
         CURRENT_KEY_VERSION: 1
    KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
              CURRENT_KEY_ID: 1
        ROTATING_OR_FLUSHING: 0
*************************** 2. row ***************************
                       SPACE: 2
                        NAME: mysql/innodb_index_stats
           ENCRYPTION_SCHEME: 1
          KEYSERVER_REQUESTS: 1
             MIN_KEY_VERSION: 1
         CURRENT_KEY_VERSION: 1
    KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
              CURRENT_KEY_ID: 1
        ROTATING_OR_FLUSHING: 0
*************************** 3. row ***************************
                       SPACE: 3
                        NAME: mysql/gtid_slave_pos
           ENCRYPTION_SCHEME: 1
          KEYSERVER_REQUESTS: 1
             MIN_KEY_VERSION: 1
         CURRENT_KEY_VERSION: 1
    KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
              CURRENT_KEY_ID: 1
        ROTATING_OR_FLUSHING: 0
*************************** 4. row ***************************
                       SPACE: 0
                        NAME: innodb_system
           ENCRYPTION_SCHEME: 1
          KEYSERVER_REQUESTS: 1
             MIN_KEY_VERSION: 1
         CURRENT_KEY_VERSION: 1
    KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
              CURRENT_KEY_ID: 1
        ROTATING_OR_FLUSHING: 0
4 rows in set (0.00 sec)
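As an added post-install check (not part of the report or of MariaDB itself), the script below parses the mysql client's \G output of INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION and reports whether the system tablespace (SPACE 0) carries a live key. It assumes, as the two outputs above show, that a tablespace absent from the view or listed with MIN_KEY_VERSION 0 is stored unencrypted; the sample input is constructed from the first query's result.

```python
import re
import sys

# Constructed sample: the report's first INNODB_TABLESPACES_ENCRYPTION \G output,
# trimmed to three columns. Note that SPACE 0 (innodb_system) is absent.
SAMPLE_OUTPUT = """\
*************************** 1. row ***************************
                       SPACE: 1
                        NAME: mysql/innodb_table_stats
             MIN_KEY_VERSION: 1
*************************** 2. row ***************************
                       SPACE: 2
                        NAME: mysql/innodb_index_stats
             MIN_KEY_VERSION: 1
*************************** 3. row ***************************
                       SPACE: 3
                        NAME: mysql/gtid_slave_pos
             MIN_KEY_VERSION: 1
3 rows in set (0.00 sec)
"""

# The "*** N. row ***" separator the mysql client prints between \G rows.
ROW_SEP = re.compile(r"^\*+ \d+\. row \*+$")


def parse_vertical(output):
    """Turn \\G (vertical) client output into one {column: value} dict per row."""
    rows = []
    for line in output.splitlines():
        line = line.strip()
        if ROW_SEP.match(line):
            rows.append({})
        elif rows and ": " in line:
            key, value = line.split(": ", 1)
            rows[-1][key] = value
    return rows


def encrypted_spaces(output):
    """Map SPACE -> NAME for tablespaces listed with a live key version."""
    # Missing from the view, or MIN_KEY_VERSION 0, means the pages are in clear.
    return {int(r["SPACE"]): r["NAME"] for r in parse_vertical(output)
            if int(r.get("MIN_KEY_VERSION", "0")) > 0}


def system_tablespace_encrypted(output):
    """True only when SPACE 0 (innodb_system) appears with a live key version."""
    return 0 in encrypted_spaces(output)


if __name__ == "__main__":
    # Pipe real output in: mysql -e 'SELECT * FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION\G' | python3 check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print("system tablespace encrypted:", system_tablespace_encrypted(text))
    print("encrypted tablespaces:", encrypted_spaces(text))
```

Run without stdin it evaluates the constructed sample and reports the system tablespace as not encrypted, which is exactly the state the report describes.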
|
Issue Links
relates to:
- MDEV-14157 Improve documentation of data at rest encryption (Closed)
- MDEV-14610 Add syntax to manually encrypt/decrypt InnoDB's system tablespace (Closed)
- MDEV-14398 When innodb_encryption_rotate_key_age=0 is set, server won't encrypt tablespaces (Closed)