Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-20099

Implement key rotation for Aria

    XMLWordPrintable

    Details

      Description

      In version 3.2.1 of the PCI DSS, sections 3.6.4 and 3.6.5 say that applications must have procedures for changing or replacing encryption keys.

      https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss

      For encryption of Aria tables, if an encryption key is rotated, then I believe that existing encrypted pages continue to use the old version of the encryption key. As far as I know, MariaDB does not have any mechanism to re-encrypt existing Aria pages with a new encryption key or a new version of an encryption key. In order to re-encrypt existing pages, I believe that the table would need to be rebuilt. e.g.:

      ALTER TABLE tab ENGINE=Aria ROW_FORMAT=PAGE;
      

      This limitation would make it a bit more difficult for our users to satisfy these requirements of the PCI DSS.

      MDEV-18971 would probably need to be implemented before we can implement this.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              GeoffMontee Geoff Montee
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:

                  Git Integration