[MDEV-20099] Implement key rotation for Aria - Jira

XML

Word

Printable

Details

Type: Task
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Fix Version/s: None
Component/s: Encryption, Storage Engine - Aria
Labels:
None

Description

In version 3.2.1 of the PCI DSS, sections 3.6.4 and 3.6.5 say that applications must have procedures for changing or replacing encryption keys.

https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss

For encryption of Aria tables, if an encryption key is rotated, then I believe that existing encrypted pages continue to use the old version of the encryption key. As far as I know, MariaDB does not have any mechanism to re-encrypt existing Aria pages with a new encryption key or a new version of an encryption key. In order to re-encrypt existing pages, I believe that the table would need to be rebuilt. e.g.:

ALTER TABLE tab ENGINE=Aria ROW_FORMAT=PAGE;

This limitation would make it a bit more difficult for our users to satisfy these requirements of the PCI DSS.

MDEV-18971 would probably need to be implemented before we can implement this.

Attachments

Issue Links

is blocked by

MDEV-18971 Add background encryption threads for Aria

Open

relates to

MDEV-20098 Implement key rotation for binary log and relay log

Open

MDEV-8587 Aria log encryption

Open

MDEV-17324 Make information_schema table that shows which Aria tables are encrypted

Open

MDEV-18049 Support ENCRYPTED and ENCRYPTION_KEY_ID table options for Aria

Open

MDEV-18971 Add background encryption threads for Aria

Open

(1 relates to)

Activity

People

Assignee:: Unassigned

Reporter:: Geoff Montee (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2019-07-19 01:30

Updated:: 2023-08-01 16:26

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.