MariaDB Server: MDEV-28279

Hashicorp: Cannot migrate hexadecimal keys from file key management


      Description

      If a key contains A-F (that is, not just decimal digits), it seems to be incompatible between file key management plugin and hashicorp plugin: if the key is used for encrypting a table while it was stored by one plugin, it cannot decrypt the table when it is stored by the other plugin, and vice versa.

      If the key only contains decimal digits, it works transparently.

      I am not sure whether it's a hashicorp issue, or file key management, or neither, but at least it doesn't seem to be storage engine specific, both InnoDB and Aria tables behave the same way.

      In the test case below, the key stored by both plugins is 0123456789012345678901234567890A.
      First, the server is running with file key management plugin, and an encrypted InnoDB table t1 is created. Then the server is restarted with hashicorp plugin, and the server cannot read t1 table anymore (returns ER_TABLE_CORRUPT or alike), but it can create another encrypted table, t2. Then the server is restarted with file key management again, and it is again able to read t1 table, but not t2.

      If all the same is done with 01234567890123456789012345678901 key instead (only the last symbol changed from A to 1), everything works, the tables remain readable.

      # The test presumes that the local vault is running at $VAULT_ADDR,
      # and the token is configured in $VAULT_TOKEN
       
      --source include/have_innodb.inc
       
      --let $my_key= 0123456789012345678901234567890A
       
      --exec echo "1;$my_key" > $MYSQL_TMP_DIR/mykeys.txt
       
      --let $restart_parameters= --plugin-load-add=file_key_management --file-key-management-filename=$MYSQL_TMP_DIR/mykeys.txt
      --source include/restart_mysqld.inc
       
      CREATE TABLE t1 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=1;
      INSERT INTO t1 VALUES ('foo'),('bar');
      SELECT * FROM t1;
       
      --exec vault secrets disable bug
      --exec vault secrets enable -path /bug -version=2 kv
      --exec vault kv put /bug/1 data=$my_key > /dev/null
       
      --let $restart_parameters= --plugin-load-add=hashicorp_key_management --hashicorp-key-management-vault-url="$VAULT_ADDR/v1/bug/" --hashicorp-key-management-token="$VAULT_TOKEN"
       
      --source include/restart_mysqld.inc
       
      CREATE TABLE t2 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=1;
      INSERT INTO t2 VALUES ('baz'),('qux');
      SELECT * FROM t2;
       
      --echo #
      --echo # This should not fail, but it does
      --echo #
      --error 0,1932,1877
      SELECT * FROM t1;
      SHOW WARNINGS;
       
      --let $restart_parameters= --plugin-load-add=file_key_management --file-key-management-filename=$MYSQL_TMP_DIR/mykeys.txt
      --source include/restart_mysqld.inc
       
      SELECT * FROM t1;
       
      --echo #
      --echo # This should not fail, but it does
      --echo #
      --error 0,1932,1877
      SELECT * FROM t2;
      SHOW WARNINGS;
       
      # Cleanup
      DROP TABLE t1, t2;
      --exec vault secrets disable bug
      

      preview-10.9-MDEV-20119-misc e62a2a0615

      CREATE TABLE t2 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=1;
      INSERT INTO t2 VALUES ('baz'),('qux');
      SELECT * FROM t2;
      a
      baz
      qux
      #
      # This should not fail, but it does
      #
      SELECT * FROM t1;
      SHOW WARNINGS;
      Level	Code	Message
      Error	1877	Table test/t1 is corrupted. Please drop the table and recreate.
      # restart: --plugin-load-add=file_key_management --file-key-management-filename=MYSQLTEST_VARDIR/tmp/mykeys.txt
      SELECT * FROM t1;
      a
      foo
      bar
      #
      # This should not fail, but it does
      #
      SELECT * FROM t2;
      SHOW WARNINGS;
      Level	Code	Message
      Error	1877	Table test/t2 is corrupted. Please drop the table and recreate.
      

      2022-04-10 19:42:07 0 [ERROR] InnoDB: Cannot decrypt [page id: space=5, page number=3]
      <...>
      2022-04-10 19:42:08 3 [ERROR] mariadbd: Table test/t1 is corrupted. Please drop the table and recreate.
      2022-04-10 19:42:09 0 [ERROR] InnoDB: Cannot decrypt [page id: space=6, page number=3]
      <...>
      2022-04-10 19:42:09 3 [ERROR] mariadbd: Table test/t2 is corrupted. Please drop the table and recreate.
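Added example, not part of the report or of either MariaDB plugin: a pre-migration check that parses a `<id>;<hexkey>` line in the file_key_management key file format, decodes the key as hex (16 or 32 bytes, case-insensitive), compares it byte-for-byte with the value that will be written to the Vault kv secret, and flags keys containing A-F, the class of keys this report shows failing to migrate. All function and variable names are my own, and the sample key lines are constructed to mirror the test case above.

```python
import hashlib
import re

# Constructed sample inputs mirroring the report's test case (not from a live system).
FILE_KEY_LINE_HEX = "1;0123456789012345678901234567890A"   # contains a non-decimal hex digit
FILE_KEY_LINE_DEC = "1;01234567890123456789012345678901"   # decimal-only key (reported to migrate fine)

HEX_KEY_RE = re.compile(r"^[0-9A-Fa-f]+$")


def parse_file_key_line(line):
    """Parse one '<id>;<hexkey>' line as used by the file_key_management key file."""
    key_id, _, hexkey = line.strip().partition(";")
    if not key_id.isdigit() or not hexkey:
        raise ValueError(f"malformed key line: {line!r}")
    return int(key_id), hexkey


def decode_hex_key(hexkey):
    """Decode a hex key string into raw bytes; accept only 16- or 32-byte keys (32 or 64 hex chars)."""
    if not HEX_KEY_RE.match(hexkey) or len(hexkey) not in (32, 64):
        raise ValueError("key must be 32 or 64 hexadecimal characters")
    return bytes.fromhex(hexkey)


def has_non_decimal_hex_digits(hexkey):
    """True if the key contains A-F, the condition the report ties to the migration failure."""
    return any(c in "abcdefABCDEF" for c in hexkey)


def migration_precheck(file_line, vault_value):
    """Compare the key file_key_management would load with the value about to be stored in Vault.

    Returns a dict with the key id, whether both decode to identical bytes, whether the key
    falls in the affected class (so readability must be verified after switching plugins),
    and a short fingerprint of the key bytes for logging without exposing the key itself.
    """
    key_id, file_hex = parse_file_key_line(file_line)
    file_bytes = decode_hex_key(file_hex)
    vault_bytes = decode_hex_key(vault_value)
    return {
        "key_id": key_id,
        "same_bytes": file_bytes == vault_bytes,
        "needs_verification": has_non_decimal_hex_digits(file_hex),
        "fingerprint": hashlib.sha256(file_bytes).hexdigest()[:16],
    }


if __name__ == "__main__":
    for line in (FILE_KEY_LINE_HEX, FILE_KEY_LINE_DEC):
        print(migration_precheck(line, line.split(";", 1)[1]))
```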
      

              People

              Assignee:
              sysprg Julius Goryavsky
              Reporter:
              elenst Elena Stepanova