Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-20099

Implement key rotation for Aria

Details

    Description

      In version 3.2.1 of the PCI DSS, sections 3.6.4 and 3.6.5 say that applications must have procedures for changing or replacing encryption keys.

      https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss

      For encryption of Aria tables, if an encryption key is rotated, then I believe that existing encrypted pages continue to use the old version of the encryption key. As far as I know, MariaDB does not have any mechanism to re-encrypt existing Aria pages with a new encryption key or a new version of an encryption key. In order to re-encrypt existing pages, I believe that the table would need to be rebuilt. e.g.:

      ALTER TABLE tab ENGINE=Aria ROW_FORMAT=PAGE;

      This limitation would make it a bit more difficult for our users to satisfy these requirements of the PCI DSS.

      MDEV-18971 would probably need to be implemented before we can implement this.

      Attachments

        Issue Links

          is blocked by

          New Feature - A new feature of the product, which has yet to be developed. MDEV-18971 Add background encryption threads for Aria

          • Major - Major loss of function.
          • Open
          relates to

          Task - A task that needs to be done. MDEV-20098 Implement key rotation for binary log and relay log

          • Major - Major loss of function.
          • Open

          Task - A task that needs to be done. MDEV-8587 Aria log encryption

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          New Feature - A new feature of the product, which has yet to be developed. MDEV-17324 Make information_schema table that shows which Aria tables are encrypted

          • Major - Major loss of function.
          • Open

          New Feature - A new feature of the product, which has yet to be developed. MDEV-18049 Support ENCRYPTED and ENCRYPTION_KEY_ID table options for Aria

          • Major - Major loss of function.
          • Open

          New Feature - A new feature of the product, which has yet to be developed. MDEV-18971 Add background encryption threads for Aria

          • Major - Major loss of function.
          • Open

          Activity

            People

              Unassigned Unassigned
              GeoffMontee Geoff Montee (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.