[MDEV-29241] Hashicorp Plugin: Provide Key rotation - Jira

Details

Type: Bug
Status: Stalled (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.9.1
Fix Version/s: 10.11
Component/s: Encryption, Plugin - Hashicorp Key Management
Labels:
None

Description

The Hashicorp Plugin seems to recognise new encryption keys in vault - but does not rotate them.

Reproduce by:

Install mariadb-server & mariadb-plugin-hashicorp-key-management 10.9.1
Install hashicorp vault, init and unseal vault

create secret engine & set a secret key:

vault secrets enable -path /mariadb -version=2 kv

vault kv put /mariadb/1 data=$(openssl rand -hex 32)

enable encryption by adding the following block to mariadb section in /etc/mysql/mariadb.conf.d/50-server.cnf:

[mariadb]

plugin_load_add = hashicorp_key_management

hashicorp-key-management-vault-url=http://127.0.0.1:8200/v1/mariadb

hashicorp-key-management-token=xxxxxxxxxxxxxxxxx

innodb_encrypt_tables = FORCE

innodb_encrypt_log = ON

innodb_encrypt_temporary_tables = ON

encrypt_tmp_disk_tables = ON

encrypt_tmp_files = ON

encrypt_binlog = ON

aria_encrypt_tables = ON

innodb_encryption_threads = 4

innodb_encryption_rotation_iops = 2000

log_error=server.log

set new key version

vault kv put /mariadb/1 data=$(openssl rand -hex 32)

service mariadb restart

set a new version of the encryption key to vault:

vault kv put /mariadb/1 data=$(openssl rand -hex 32)

information_schema.INNODB_TABLESPACES_ENCRYPTION shows the following content now:

MariaDB [(none)]> select * from information_schema.INNODB_TABLESPACES_ENCRYPTION;

+-------+----------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+----------------------+

| SPACE | NAME                       | ENCRYPTION_SCHEME | KEYSERVER_REQUESTS | MIN_KEY_VERSION | CURRENT_KEY_VERSION | KEY_ROTATION_PAGE_NUMBER | KEY_ROTATION_MAX_PAGE_NUMBER | CURRENT_KEY_ID | ROTATING_OR_FLUSHING |

+-------+----------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+----------------------+

|     0 | innodb_system              |                 1 |                  1 |               1 |                   2 |                     NULL |                         NULL |              1 |                    0 |

|     1 | mysql/innodb_table_stats   |                 1 |                  1 |               1 |                   2 |                     NULL |                         NULL |              1 |                    0 |

|     2 | mysql/innodb_index_stats   |                 1 |                  1 |               1 |                   2 |                     NULL |                         NULL |              1 |                    0 |

|     4 | mysql/gtid_slave_pos       |                 1 |                  1 |               1 |                   2 |                     NULL |                         NULL |              1 |                    0 |

|     3 | mysql/transaction_registry |                 1 |                  0 |               1 |                   2 |                     NULL |                         NULL |              1 |                    0 |

+-------+----------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+----------------------+

5 rows in set (0.008 sec)

CURRENT_KEY_VERSION -> 2
CURRENT_KEY_ID -> 1

there seems to be no possibility to re-encrypt the tables.
In the documentation the Hashicorp Plugin ist not listed as "with-" nor "without Key Rotation Support":
https://mariadb.com/kb/en/encryption-key-management/#support-for-key-rotation-in-encryption-plugins

Attachments

Issue Links

split to

MDEV-30847 Hashicorp Plugin: Provide cache flush for key rotation

Stalled

MDEV-30849 Hashicorp Plugin: enable key version caching by default

Stalled

Activity

Ascending order - Click to sort in descending order

Sergei Golubchik added a comment - 2023-01-06 20:42

sysprg, why is it not possible to re-encrypt the table? As far as I can see from the plugin code, it caches the latest key version, so it might immediately notice that the key was rotated, but the cache expires in cache_version_timeout milliseconds (which is 0 by default, btw). Why the server doesn't notice that the key was rotated in the vault?

Sergei Golubchik added a comment - 2023-01-06 20:42 sysprg , why is it not possible to re-encrypt the table? As far as I can see from the plugin code, it caches the latest key version, so it might immediately notice that the key was rotated, but the cache expires in cache_version_timeout milliseconds (which is 0 by default, btw). Why the server doesn't notice that the key was rotated in the vault?

Sergei Golubchik added a comment - 2023-02-22 16:35

Ok, so the problem is not that it's "not possible to re-encrypt the table". The issue is that hashicorp_key_management plugin caches replies from Hashicorp Vault and these values never expire.

By default the caching is enabled, but cache_version_timeout is zero.

The workaround for the user is to set cache_version_timeout. The fix for MariaDB is to set the default to some meaningful value.

Sergei Golubchik added a comment - 2023-02-22 16:35 Ok, so the problem is not that it's "not possible to re-encrypt the table". The issue is that hashicorp_key_management plugin caches replies from Hashicorp Vault and these values never expire. By default the caching is enabled, but cache_version_timeout is zero. The workaround for the user is to set cache_version_timeout. The fix for MariaDB is to set the default to some meaningful value.

Sebastian added a comment - 2023-03-13 16:23

I'm also interested in the key rotation mechanism of this plugin. The official documentation is not clear if this plugin supports it or not and I'm trying to find it out manually, but an official statement and an example would be highly appreciated.

Sebastian added a comment - 2023-03-13 16:23 I'm also interested in the key rotation mechanism of this plugin. The official documentation is not clear if this plugin supports it or not and I'm trying to find it out manually, but an official statement and an example would be highly appreciated.

Sergei Golubchik added a comment - 2023-03-13 20:18

As far as I understand, the plugin supports key rotation just fine. But if you have enabled key caching (so that the plugin wouldn't need to query Hashicorp Vault all the time) and you have disabled key expiration timeout, then the key will stay forever in the cache and the plugin will not notice that the key was rotated in the Hashicorp Vault until you restart the server.

Key caching is generally a good idea, an infinite timeout is not.

Sergei Golubchik added a comment - 2023-03-13 20:18 As far as I understand, the plugin supports key rotation just fine. But if you have enabled key caching (so that the plugin wouldn't need to query Hashicorp Vault all the time) and you have disabled key expiration timeout, then the key will stay forever in the cache and the plugin will not notice that the key was rotated in the Hashicorp Vault until you restart the server. Key caching is generally a good idea, an infinite timeout is not.

Sebastian added a comment - 2023-03-14 10:33

Indeed I see that when I write a new version of the enc key in Vault, MariaDB sees it if I select data from information_schema.INNODB_TABLESPACES_ENCRYPTION (i.e. Current Key Version corresponds to the latest version in Vault, while Min Key Version is the older one used in encryption). But how do I trigger MariaDB to encrypt the tables using the newer version?

Sebastian added a comment - 2023-03-14 10:33 Indeed I see that when I write a new version of the enc key in Vault, MariaDB sees it if I select data from information_schema.INNODB_TABLESPACES_ENCRYPTION (i.e. Current Key Version corresponds to the latest version in Vault, while Min Key Version is the older one used in encryption). But how do I trigger MariaDB to encrypt the tables using the newer version?

Sergei Golubchik added a comment - 2023-03-14 11:27

It's beyond the hashicorp plugin. Generally it should be explained here: https://mariadb.com/kb/en/innodb-background-encryption-threads/ You'll need innodb_encryption_threads (like the original reporter did) and innodb_encryption_rotate_key_age (which is 1 by default, so, likely, ok).

We're now trying to repeat this issue

Sergei Golubchik added a comment - 2023-03-14 11:27 It's beyond the hashicorp plugin. Generally it should be explained here: https://mariadb.com/kb/en/innodb-background-encryption-threads/ You'll need innodb_encryption_threads (like the original reporter did) and innodb_encryption_rotate_key_age (which is 1 by default, so, likely, ok). We're now trying to repeat this issue

People

Assignee:: Julius Goryavsky

Reporter:: Simon Stier

Votes:: 1 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2022-08-03 19:53

Updated:: 2023-11-28 10:54

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server