Details
Task
Status: Open
Major
Resolution: Unresolved
Description
In version 3.2.1 of the PCI DSS, sections 3.6.4 and 3.6.5 say that applications must have procedures for changing or replacing encryption keys.
https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
For encryption of the binary log and the relay log, if an encryption key is rotated, then I believe that existing binary logs and relay logs continue to use the old version of the encryption key. As far as I know, MariaDB does not have any mechanism to re-encrypt binary logs and relay logs with a new encryption key or a new version of an encryption key. This limitation would make it a bit more difficult for our users to satisfy these requirements of the PCI DSS.
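To make the limitation concrete, here is an added illustration (not MariaDB code, and not from the ticket author) of a versioned key ring, log files whose header records the key version they were written under, an audit that lists logs still on an older version, and a re-encryption pass that rewrites them under the current version. The file layout, the key ring and the HMAC-SHA256 counter-mode stream cipher standing in for AES are all constructed assumptions.

```python
import hashlib
import hmac
import os
import struct


class KeyRing:
    """Constructed stand-in for a key-management plugin: one key per version."""

    def __init__(self):
        self.keys = {}
        self.current = 0

    def rotate(self) -> int:
        """Create a new key version and make it current; old versions stay readable."""
        self.current += 1
        self.keys[self.current] = os.urandom(32)
        return self.current


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF-based counter-mode keystream (HMAC-SHA256) in place of AES-CTR.
    # Confidentiality only: this demo adds no integrity tag.
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


HEADER = struct.Struct(">4sI12s")  # magic, key version, nonce (constructed format)


def encrypt_log(ring: KeyRing, plaintext: bytes) -> bytes:
    """Encrypt one log under the ring's current key version with a fresh nonce."""
    nonce = os.urandom(12)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(ring.keys[ring.current], nonce, len(plaintext))))
    return HEADER.pack(b"ELOG", ring.current, nonce) + body


def key_version(blob: bytes) -> int:
    """Read the key version recorded in a log header."""
    magic, version, _ = HEADER.unpack_from(blob)
    if magic != b"ELOG":
        raise ValueError("not an encrypted log")
    return version


def decrypt_log(ring: KeyRing, blob: bytes) -> bytes:
    """Decrypt with whichever key version the header names, old or current."""
    _, version, nonce = HEADER.unpack_from(blob)
    body = blob[HEADER.size:]
    return bytes(a ^ b for a, b in zip(body, _keystream(ring.keys[version], nonce, len(body))))


def stale_logs(ring: KeyRing, logs: dict) -> list:
    """Audit: names of logs still encrypted under a version older than current."""
    return sorted(name for name, blob in logs.items() if key_version(blob) < ring.current)


def reencrypt_stale(ring: KeyRing, logs: dict) -> list:
    """Rewrite every stale log under the current key version; returns the names rewritten."""
    names = stale_logs(ring, logs)
    for name in names:
        logs[name] = encrypt_log(ring, decrypt_log(ring, logs[name]))
    return names
```

Without the `reencrypt_stale` pass, a log written before a rotation keeps referencing the retired version indefinitely, which is exactly the gap the ticket describes.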
Attachments
Issue Links
- relates to MDEV-8813 Allow mysqlbinlog read encrypted binary logs (Open)
- relates to MDEV-20099 Implement key rotation for Aria (Open)
Activity
Field | Original Value | New Value |
---|---|---|
Description | In version 3.2.1 of the PCI DSS, sections 3.6.4 and 3.6.5 say that applications must have procedures for changing or replacing encryption keys. https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss For encryption related to the binary log and the relay log, if an encryption key is rotated, then believe that existing binary logs and relay logs continue to use the old version of the encryption key. As far as I know, MariaDB does not have any mechanism to re-encrypt binary logs and relay logs with a new encryption key or a new version of an encryption key. This limitation would make it a bit more difficult for our users to satisfy these requirements of the PCI DSS. | In version 3.2.1 of the PCI DSS, sections 3.6.4 and 3.6.5 say that applications must have procedures for changing or replacing encryption keys. https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss For encryption of the binary log and the relay log, if an encryption key is rotated, then I believe that existing binary logs and relay logs continue to use the old version of the encryption key. As far as I know, MariaDB does not have any mechanism to re-encrypt binary logs and relay logs with a new encryption key or a new version of an encryption key. This limitation would make it a bit more difficult for our users to satisfy these requirements of the PCI DSS. |
Link | This issue relates to MDEV-20099 [ MDEV-20099 ] |
Fix Version/s | 10.5 [ 23123 ] |
Workflow | MariaDB v3 [ 98348 ] | MariaDB v4 [ 131136 ] |
The new binary log file will use a new key though.
Do you suggest a background thread to re-encrypt existing binlogs?