  MariaDB Server / MDEV-16151

MacOS 10.2.14 file key management issue

      Description

      I've been trying to set up Key File Management and Encryption for an installation on macOS as detailed in this KB: https://mariadb.com/kb/en/library/encryption-key-management/

      However, I get the following error in my error log:

      2018-05-12 15:40:48 140735727108992 [ERROR] mysqld: Syntax error at /etc/mysql/keys.enc line 1, column 3
      2018-05-12 15:40:48 140735727108992 [ERROR] Plugin 'file_key_management' init function returned error.
      2018-05-12 15:40:48 140735727108992 [ERROR] Plugin 'file_key_management' registration as a ENCRYPTION failed.
      2018-05-12 15:40:48 140735727108992 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
      2018-05-12 15:40:48 140735727108992 [Note] InnoDB: Uses event mutexes
      2018-05-12 15:40:48 140735727108992 [Note] InnoDB: Compressed tables use zlib 1.2.11
      2018-05-12 15:40:48 140735727108992 [Note] InnoDB: Number of pools: 1
      2018-05-12 15:40:48 140735727108992 [Note] InnoDB: Using SSE2 crc32 instructions
      2018-05-12 15:40:48 140735727108992 [Note] InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M
      2018-05-12 15:40:48 140735727108992 [Note] InnoDB: Completed initialization of buffer pool
      2018-05-12 15:40:48 140735727108992 [Note] InnoDB: Highest supported file format is Barracuda.
      2018-05-12 15:40:48 140735727108992 [Note] InnoDB: 128 out of 128 rollback segments are active.
      2018-05-12 15:40:48 140735727108992 [Note] InnoDB: Creating shared tablespace for temporary tables
      2018-05-12 15:40:48 140735727108992 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
      2018-05-12 15:40:48 140735727108992 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
      2018-05-12 15:40:48 140735727108992 [Note] InnoDB: Waiting for purge to start
      2018-05-12 15:40:48 140735727108992 [Note] InnoDB: 5.7.21 started; log sequence number 1641829
      2018-05-12 15:40:48 123145503780864 [Note] InnoDB: Loading buffer pool(s) from /usr/local/var/mysql/ib_buffer_pool
      2018-05-12 15:40:48 123145503780864 [Note] InnoDB: Buffer pool(s) load completed at 180512 15:40:48
      2018-05-12 15:40:48 140735727108992 [Note] Plugin 'FEEDBACK' is disabled.
      2018-05-12 15:40:48 140735727108992 [Note] Server socket created on IP: '::'.
      2018-05-12 15:40:48 140735727108992 [Note] Reading of all Master_info entries succeded
      2018-05-12 15:40:48 140735727108992 [Note] Added new Master_info '' to hash table
      2018-05-12 15:40:48 140735727108992 [Note] /usr/local/opt/mariadb/bin/mysqld: ready for connections.
      Version: '10.2.14-MariaDB'  socket: '/tmp/mysql.sock'  port: 3306  Homebrew
      

      MariaDB version

      mysql -V
      mysql  Ver 15.1 Distrib 10.2.14-MariaDB, for osx10.13 (x86_64) using readline 5.1
      

      Files

      • .key contains the plaintext password
      • keys Generated as: openssl rand -hex 16 >> /etc/mysql/keys
      • keys.enc Generated as: openssl enc -aes-256-cbc -md sha1 -k mypassword -in /etc/mysql/keys -out /etc/mysql/keys.enc

      Checked key decrypts

      openssl aes-256-cbc -d -md sha1 -k mypassword -in keys.enc
      64f03bbef774fa3519f0e923f9cac460
      

      Key files

      /etc/mysql/
       
      -rw-r--r--   1 ks27  admin     8 12 May 15:17 .key
      -rw-r--r--   1 ks27  admin    33 12 May 14:36 keys
      -rw-r--r--   1 ks27  admin    64 12 May 15:33 keys.enc
      

      /etc/my.cnf

      [server]
      ssl
      ssl-ca=/etc/mysql/ssl/ca-cert.pem
      ssl-cert=/etc/mysql/ssl/server-cert.pem
      ssl-key=/etc/mysql/ssl/server-key.pem
       
       
      [mysqld]
      # File Key Management
      plugin_load_add=file_key_management
      file_key_management_filename=/etc/mysql/keys.enc
      file_key_management_filekey=FILE:/etc/mysql/.key
      file_key_management_encryption_algorithm=aes_cbc
       
      # InnoDB/XtraDB Encryption
      #innodb_encrypt_tables = ON
      #innodb_encrypt_log = ON
      #innodb_encryption_threads = 8
      #innodb_encryption_rotate_key_age = 5
       
      # encrypt_binlog
       
       
      [mysql]
      ## MySQL Client Configuration ##
      ssl-ca=/etc/mysql/ssl/ca-cert.pem
      ssl-cert=/etc/mysql/ssl/client-cert.pem
      ssl-key=/etc/mysql/ssl/client-key.pem
      ### This option is disabled by default ###
      ### ssl-verify-server-cert ###
       
       
      #
      # This group is read both by the client and the server
      # use it for options that affect everything
      #
      [client-server]
       
      #
      # include all files from the config directory
      #
      !includedir /usr/local/etc/my.cnf.d
      

      mariadb_config

      mariadb_config 
      Copyright 2011-2015 MariaDB Corporation AB
      Get compiler flags for using the MariaDB Connector/C.
      Usage: mariadb_config [OPTIONS]
        --cflags        [-I/usr/local/Cellar/mariadb/10.2.14/include/mysql -I/usr/local/Cellar/mariadb/10.2.14/include/mysql/mysql]
        --include       [-I/usr/local/Cellar/mariadb/10.2.14/include/mysql -I/usr/local/Cellar/mariadb/10.2.14/include/mysql/mysql]
        --libs          [-L/usr/local/Cellar/mariadb/10.2.14/lib/ -lmariadb -lz -liconv -lssl -lcrypto]
        --libs_r        [-L/usr/local/Cellar/mariadb/10.2.14/lib/ -lmariadb -lz -liconv -lssl -lcrypto]
        --libs_sys      [-lz -liconv -lssl -lcrypto]
        --version       [10.2.14]
        --cc_version    [3.0.4]
        --socket        [/tmp/mysql.sock]
        --port          [3306]
        --plugindir     [/usr/local/Cellar/mariadb/10.2.14/lib/plugin]
        --tlsinfo       [OpenSSL 1.0.2o]
      

      plugins

      ls -la /usr/local/Cellar/mariadb/10.2.14/lib/plugin
      total 27976
      drwxr-xr-x  48 ks27  admin     1536 26 Mar 17:41 .
      drwxr-xr-x  11 ks27  admin      352 26 Mar 17:41 ..
      -r--r--r--   1 ks27  admin    19192 26 Mar 17:41 JavaWrappers.jar
      -r--r--r--   1 ks27  admin     7567 26 Mar 17:41 JdbcInterface.jar
      -r--r--r--   1 ks27  admin     9244 26 Mar 17:41 adt_null.so
      -r--r--r--   1 ks27  admin     8648 26 Mar 17:41 auth_0x0100.so
      -r--r--r--   1 ks27  admin    69516 26 Mar 17:41 auth_ed25519.so
      -r--r--r--   1 ks27  admin    15480 26 Mar 17:41 auth_gssapi.so
      -r--r--r--   1 ks27  admin    13584 26 Mar 17:41 auth_gssapi_client.so
      -r--r--r--   1 ks27  admin    13540 26 Mar 17:41 auth_pam.so
      -r--r--r--   1 ks27  admin     8900 26 Mar 17:41 auth_socket.so
      -r--r--r--   1 ks27  admin     8960 26 Mar 17:41 auth_test_plugin.so
      -r--r--r--   1 ks27  admin    68396 11 May 12:43 client_ed25519.so
      -r--r--r--   1 ks27  admin      227 26 Mar 17:41 daemon_example.ini
      -r--r--r--   1 ks27  admin     8776 26 Mar 17:41 debug_key_management.so
      -r--r--r--   1 ks27  admin     9440 26 Mar 17:41 dialog.so
      -r--r--r--   1 ks27  admin     8704 26 Mar 17:41 dialog_examples.so
      -r--r--r--   1 ks27  admin    13776 26 Mar 17:41 example_key_management.so
      -r--r--r--   1 ks27  admin    20752 26 Mar 17:41 file_key_management.so
      -r--r--r--   1 ks27  admin    53608 26 Mar 17:41 ha_archive.so
      -r--r--r--   1 ks27  admin    26628 26 Mar 17:41 ha_blackhole.so
      -r--r--r--   1 ks27  admin  1025456 26 Mar 17:41 ha_connect.so
      -r--r--r--   1 ks27  admin    27588 26 Mar 17:41 ha_example.so
      -r--r--r--   1 ks27  admin    53944 26 Mar 17:41 ha_federated.so
      -r--r--r--   1 ks27  admin    78228 26 Mar 17:41 ha_federatedx.so
      -r--r--r--   1 ks27  admin  5291956 26 Mar 17:41 ha_mroonga.so
      -r--r--r--   1 ks27  admin  6135712 26 Mar 17:41 ha_rocksdb.so
      -r--r--r--   1 ks27  admin    93764 26 Mar 17:41 ha_sphinx.so
      -r--r--r--   1 ks27  admin   728264 26 Mar 17:41 ha_spider.so
      -r--r--r--   1 ks27  admin    25016 26 Mar 17:41 ha_test_sql_discovery.so
      -r--r--r--   1 ks27  admin   109996 26 Mar 17:41 handlersocket.so
      -r--r--r--   1 ks27  admin    14040 26 Mar 17:41 libdaemon_example.so
      -r--r--r--   1 ks27  admin    13192 26 Mar 17:41 locales.so
      -r--r--r--   1 ks27  admin    13724 26 Mar 17:41 metadata_lock_info.so
      -r--r--r--   1 ks27  admin     9300 26 Mar 17:41 mypluglib.so
      -r--r--r--   1 ks27  admin     8480 26 Mar 17:41 mysql_clear_password.so
      -r--r--r--   1 ks27  admin     8472 26 Mar 17:41 qa_auth_client.so
      -r--r--r--   1 ks27  admin     8880 26 Mar 17:41 qa_auth_interface.so
      -r--r--r--   1 ks27  admin     8648 26 Mar 17:41 qa_auth_server.so
      -r--r--r--   1 ks27  admin    13952 26 Mar 17:41 query_cache_info.so
      -r--r--r--   1 ks27  admin    14792 26 Mar 17:41 query_response_time.so
      -r--r--r--   1 ks27  admin    37024 26 Mar 17:41 semisync_master.so
      -r--r--r--   1 ks27  admin    16360 26 Mar 17:41 semisync_slave.so
      -r--r--r--   1 ks27  admin    41872 26 Mar 17:41 server_audit.so
      -r--r--r--   1 ks27  admin    13644 11 May 12:43 sha256_password.so
      -r--r--r--   1 ks27  admin     9196 26 Mar 17:41 simple_password_check.so
      -r--r--r--   1 ks27  admin     9348 26 Mar 17:41 sql_errlog.so
      -r--r--r--   1 ks27  admin    14044 26 Mar 17:41 wsrep_info.so
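
The KB page linked in the report describes each line of the plaintext key file as `<key id>;<hex-encoded key>`, while the `keys` file generated above holds only a hex string. The check below is an added example, not part of the original report and not the plugin's own parser; run on the decrypted output shown in the report, it flags line 1, column 3. The names `check_line` and `check_keys` are hypothetical, and the rules (positive 32-bit key id, 32/48/64 hex digits, `#` comments) are a simplified reading of that format.

```python
import string

HEX_LENGTHS = {32, 48, 64}   # 128-, 192- or 256-bit keys, hex encoded
MAX_KEY_ID = 2**32 - 1       # assumption: key ids are positive 32-bit integers


def check_line(line):
    """Return None for a valid line, else (1-based column, reason)."""
    text = line.rstrip("\r\n")
    pos = len(text) - len(text.lstrip(" \t"))
    if pos == len(text) or text[pos] == "#":
        return None                      # blank line or comment
    start = pos
    while pos < len(text) and text[pos] in string.digits:
        pos += 1
    if pos == start:
        return (pos + 1, "expected a numeric key id")
    if not 1 <= int(text[start:pos]) <= MAX_KEY_ID:
        return (start + 1, "key id out of range")
    if pos == len(text) or text[pos] != ";":
        return (pos + 1, "expected ';' after the key id")
    key = text[pos + 1:].rstrip()
    for offset, ch in enumerate(key):
        if ch not in string.hexdigits:
            return (pos + 2 + offset, "non-hex character in key")
    if len(key) not in HEX_LENGTHS:
        return (pos + 2, "key must be 32, 48 or 64 hex digits")
    return None


def check_keys(plaintext):
    """Validate decrypted key-file text; return [(line, column, reason), ...]."""
    errors = []
    for number, line in enumerate(plaintext.splitlines(), start=1):
        problem = check_line(line)
        if problem:
            errors.append((number, *problem))
    return errors


# Decrypted output shown in the report: a bare hex string with no "<id>;" prefix.
REPORTED = "64f03bbef774fa3519f0e923f9cac460\n"
# Constructed sample: the same key written under key id 1, after a comment line.
CORRECTED = "# constructed sample\n1;64f03bbef774fa3519f0e923f9cac460\n"

if __name__ == "__main__":
    print(check_keys(REPORTED))
    print(check_keys(CORRECTED))
```

Feed it the output of the `openssl aes-256-cbc -d ...` command from the report before restarting the server, so a malformed key file is caught without reading the error log.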
      

            People

            • Assignee: Unassigned
            • Reporter: treadmill Kevin Smith