Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-20098

Implement key rotation for binary log and relay log

    XMLWordPrintable

Details

    Description

      In version 3.2.1 of the PCI DSS, sections 3.6.4 and 3.6.5 say that applications must have procedures for changing or replacing encryption keys.

      https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss

      For encryption of the binary log and the relay log, if an encryption key is rotated, then I believe that existing binary logs and relay logs continue to use the old version of the encryption key. As far as I know, MariaDB does not have any mechanism to re-encrypt binary logs and relay logs with a new encryption key or a new version of an encryption key. This limitation would make it a bit more difficult for our users to satisfy these requirements of the PCI DSS.

      Attachments

        Issue Links

          relates to

          Task - A task that needs to be done. MDEV-8813 Allow mysqlbinlog read encrypted binary logs

          • Major - Major loss of function.
          • Open

          Task - A task that needs to be done. MDEV-20099 Implement key rotation for Aria

          • Major - Major loss of function.
          • Open

          Activity

            People

              Elkin Andrei Elkin
              GeoffMontee Geoff Montee (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.