Details
- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- N/A
Description
If a key contains A-F (that is, not just decimal digits), it seems to be incompatible between the file key management plugin and the hashicorp plugin: if the key is used for encrypting a table while it is stored by one plugin, it cannot decrypt the table when it is stored by the other plugin, and vice versa.
If the key only contains decimal digits, it works transparently.
I am not sure whether it's a hashicorp issue, or a file key management one, or neither, but at least it doesn't seem to be storage engine specific: both InnoDB and Aria tables behave the same way.
In the test case below, the key stored by both plugins is 0123456789012345678901234567890A.
First, the server is running with the file key management plugin, and an encrypted InnoDB table t1 is created. Then the server is restarted with the hashicorp plugin, and the server cannot read the t1 table anymore (returns ER_TABLE_CORRUPT or the like), but it can create another encrypted table, t2. Then the server is restarted with file key management again, and it is again able to read the t1 table, but not t2.
If all the same is done with the 01234567890123456789012345678901 key instead (only the last symbol changed from A to 1), everything works and the tables remain readable.
# The test presumes that the local vault is running at $VAULT_ADDR,
# and the token is configured in $VAULT_TOKEN

--source include/have_innodb.inc

--let $my_key= 0123456789012345678901234567890A

# Key id 1, hex-encoded, in the file_key_management key file format
--exec echo "1;$my_key" > $MYSQL_TMP_DIR/mykeys.txt

# Phase 1: file_key_management plugin, create and fill t1
--let $restart_parameters= --plugin-load-add=file_key_management --file-key-management-filename=$MYSQL_TMP_DIR/mykeys.txt
--source include/restart_mysqld.inc

CREATE TABLE t1 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=1;
INSERT INTO t1 VALUES ('foo'),('bar');
SELECT * FROM t1;

# Store the same key under id 1 in a Vault KV v2 mount
--exec vault secrets disable bug
--exec vault secrets enable -path /bug -version=2 kv
--exec vault kv put /bug/1 data=$my_key > /dev/null

# Phase 2: hashicorp_key_management plugin, create t2, try to read t1
--let $restart_parameters= --plugin-load-add=hashicorp_key_management --hashicorp-key-management-vault-url="$VAULT_ADDR/v1/bug/" --hashicorp-key-management-token="$VAULT_TOKEN"
--source include/restart_mysqld.inc

CREATE TABLE t2 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=1;
INSERT INTO t2 VALUES ('baz'),('qux');
SELECT * FROM t2;

--echo #
--echo # This should not fail, but it does
--echo #
--error 0,1932,1877
SELECT * FROM t1;
SHOW WARNINGS;

# Phase 3: back to file_key_management, t1 readable again, t2 is not
--let $restart_parameters= --plugin-load-add=file_key_management --file-key-management-filename=$MYSQL_TMP_DIR/mykeys.txt
--source include/restart_mysqld.inc

SELECT * FROM t1;

--echo #
--echo # This should not fail, but it does
--echo #
--error 0,1932,1877
SELECT * FROM t2;
SHOW WARNINGS;

# Cleanup
DROP TABLE t1, t2;
--exec vault secrets disable bug
preview-10.9-MDEV-20119-misc e62a2a0615

CREATE TABLE t2 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=1;
INSERT INTO t2 VALUES ('baz'),('qux');
SELECT * FROM t2;
a
baz
qux
#
# This should not fail, but it does
#
SELECT * FROM t1;
SHOW WARNINGS;
Level	Code	Message
Error	1877	Table test/t1 is corrupted. Please drop the table and recreate.
# restart: --plugin-load-add=file_key_management --file-key-management-filename=MYSQLTEST_VARDIR/tmp/mykeys.txt
SELECT * FROM t1;
a
foo
bar
#
# This should not fail, but it does
#
SELECT * FROM t2;
SHOW WARNINGS;
Level	Code	Message
Error	1877	Table test/t2 is corrupted. Please drop the table and recreate.
2022-04-10 19:42:07 0 [ERROR] InnoDB: Cannot decrypt [page id: space=5, page number=3]
<...>
2022-04-10 19:42:08 3 [ERROR] mariadbd: Table test/t1 is corrupted. Please drop the table and recreate.
2022-04-10 19:42:09 0 [ERROR] InnoDB: Cannot decrypt [page id: space=6, page number=3]
<...>
2022-04-10 19:42:09 3 [ERROR] mariadbd: Table test/t2 is corrupted. Please drop the table and recreate.
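The following is an added example, not code from this report or from either MariaDB plugin. It does two things for the situation above. First, it parses the key file format the reproducer writes (`<key_id>;<hex key>`, one key per line) strictly and returns the exact key bytes, so an operator copying a key id to another backend (here the Vault KV path, where the reproducer stores the same hex string) can confirm byte-for-byte equality instead of relying on a round trip through an encrypted table. Second, it contains a constructed, hypothetical decoder that only maps the characters `0`-`9` correctly; this is not the code of either plugin and the report does not establish the root cause, it merely illustrates how any decoder that mishandles `A`-`F` reproduces precisely the observed pattern, agreement for decimal-only keys and disagreement as soon as a letter appears. The accepted key lengths (32/48/64 hex characters for AES-128/192/256) are an assumption taken from the file_key_management plugin's documented behaviour.

```python
"""Added example (not the MDEV reporter's code and not MariaDB plugin code).

parse_key_file():     strict parser for '<key_id>;<hex key>' lines.
digits_only_decode(): constructed, hypothetical broken hex decoder used only to
                      show how mishandled A-F letters produce the reported symptom.
check_backend_copies(): compare key-file bytes against hex strings read back from
                      another backend (e.g. a Vault KV value), byte for byte.
"""
import re
from typing import Dict

# Assumption: file_key_management accepts AES-128/192/256 keys -> 32/48/64 hex chars
VALID_HEX_LENGTHS = (32, 48, 64)
KEY_LINE = re.compile(r"^(\d+);([0-9A-Fa-f]+)$")


def parse_key_file(text: str) -> Dict[int, bytes]:
    """Parse '<id>;<hex>' lines (blank lines and '#' comments ignored) into {id: key bytes}."""
    keys: Dict[int, bytes] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected '<id>;<hex>', got {line!r}")
        key_id, hexkey = int(m.group(1)), m.group(2)
        if len(hexkey) not in VALID_HEX_LENGTHS:
            raise ValueError(f"line {lineno}: key {key_id} has {len(hexkey)} hex chars, "
                             f"want one of {VALID_HEX_LENGTHS}")
        if key_id in keys:
            raise ValueError(f"line {lineno}: duplicate key id {key_id}")
        keys[key_id] = bytes.fromhex(hexkey)  # strict: 0-9, a-f and A-F all decode correctly
    return keys


def digits_only_decode(hexkey: str) -> bytes:
    """Hypothetical broken decoder (constructed for illustration, not real plugin code):
    every nibble is ord(c) - ord('0'). Right for '0'-'9'; 'A' becomes 17 instead of 10,
    so the derived key silently differs from the strict decoding whenever A-F appear."""
    out = bytearray()
    for i in range(0, len(hexkey), 2):
        hi = ord(hexkey[i]) - ord("0")
        lo = ord(hexkey[i + 1]) - ord("0")
        out.append(((hi << 4) | lo) & 0xFF)
    return bytes(out)


def decoders_agree(hexkey: str) -> bool:
    """True when the strict decoder and the hypothetical one derive the same key bytes."""
    return bytes.fromhex(hexkey) == digits_only_decode(hexkey)


def check_backend_copies(keys: Dict[int, bytes], copies: Dict[int, str]) -> Dict[int, bool]:
    """Operator check: for each key id in the key file, does the hex string stored in
    another backend (e.g. the value put under the Vault KV path) decode to the same bytes?"""
    result: Dict[int, bool] = {}
    for key_id, key in keys.items():
        stored = copies.get(key_id)
        try:
            result[key_id] = stored is not None and bytes.fromhex(stored) == key
        except ValueError:  # the other backend holds something that is not valid hex
            result[key_id] = False
    return result


if __name__ == "__main__":
    # Constructed key file with the two keys from the report:
    # id 1 is the one that breaks, id 2 the decimal-only one that works.
    KEY_FILE = "1;0123456789012345678901234567890A\n2;01234567890123456789012345678901\n"
    keys = parse_key_file(KEY_FILE)
    for line in KEY_FILE.splitlines():
        key_id, hexkey = line.split(";")
        print(f"key {key_id}: {len(keys[int(key_id)])} bytes, "
              f"strict and digits-only decoders agree: {decoders_agree(hexkey)}")
    # Same hex strings as if read back from the Vault KV path: byte-identical
    print(check_backend_copies(keys, {1: "0123456789012345678901234567890A",
                                      2: "01234567890123456789012345678901"}))
```

Run it as a script to see that the two keys from the report decode to 16 bytes each, that the hypothetical decoder agrees with the strict one only for the decimal-only key, and that a hex string copied unchanged to the other backend compares equal. `check_backend_copies` deliberately compares decoded bytes rather than strings, so a lowercase copy of an uppercase key still passes.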
|
Issue Links
- blocks: MDEV-19281 Vault Key Management Plugin (Closed)
- relates to: MDEV-19281 Vault Key Management Plugin (Closed)