Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-20098

Implement key rotation for binary log and relay log

Details

    Description

      In version 3.2.1 of the PCI DSS, sections 3.6.4 and 3.6.5 say that applications must have procedures for changing or replacing encryption keys.

      https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss

      For encryption of the binary log and the relay log, if an encryption key is rotated, then I believe that existing binary logs and relay logs continue to use the old version of the encryption key. As far as I know, MariaDB does not have any mechanism to re-encrypt binary logs and relay logs with a new encryption key or a new version of an encryption key. This limitation would make it a bit more difficult for our users to satisfy these requirements of the PCI DSS.

      Attachments

        Issue Links

          relates to

          Task - A task that needs to be done. MDEV-8813 Allow mysqlbinlog read encrypted binary logs

          • Major - Major loss of function.
          • Open

          Task - A task that needs to be done. MDEV-20099 Implement key rotation for Aria

          • Major - Major loss of function.
          • Open

          Activity

            Ascending order - Click to sort in descending order
            serg Sergei Golubchik added a comment -

            the new binary log file will use a new key though.

            do you suggest a background thread to re-encrypt exising binlogs?

            serg Sergei Golubchik added a comment - the new binary log file will use a new key though. do you suggest a background thread to re-encrypt exising binlogs?
            GeoffMontee Geoff Montee (Inactive) added a comment -

            Yeah, it sounds like a background thread that could re-encrypt existing binlogs would help our customers meet some of these security requirements.

            If the background threads could also decrypt existing binlogs when a user wants to disable encryption, then that would be another nice benefit. As far as I know, the only ways to currently decrypt binlogs are:

            • Use mysqlbinlog with the --read-from-remote-server option to read the binlogs.
            • Configure a slave that does not have encrypt_binlog set to replicate the binlogs.
            GeoffMontee Geoff Montee (Inactive) added a comment - Yeah, it sounds like a background thread that could re-encrypt existing binlogs would help our customers meet some of these security requirements. If the background threads could also decrypt existing binlogs when a user wants to disable encryption, then that would be another nice benefit. As far as I know, the only ways to currently decrypt binlogs are: Use mysqlbinlog with the --read-from-remote-server option to read the binlogs. Configure a slave that does not have encrypt_binlog set to replicate the binlogs.

            People

              Elkin Andrei Elkin
              GeoffMontee Geoff Montee (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.