Details
Type: Bug
Status: Stalled
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.9.1
Fix Version/s: None
Description
The Hashicorp Plugin seems to recognise new encryption keys in vault - but does not rotate them.
Reproduce by:
- Install mariadb-server & mariadb-plugin-hashicorp-key-management 10.9.1
- Install hashicorp vault, init and unseal vault
- create secret engine & set a secret key:
vault secrets enable -path /mariadb -version=2 kv
vault kv put /mariadb/1 data=$(openssl rand -hex 32)
- enable encryption by adding the following block to the [mariadb] section in /etc/mysql/mariadb.conf.d/50-server.cnf:
[mariadb]
plugin_load_add = hashicorp_key_management
hashicorp-key-management-vault-url=http://127.0.0.1:8200/v1/mariadb
hashicorp-key-management-token=xxxxxxxxxxxxxxxxx
innodb_encrypt_tables = FORCE
innodb_encrypt_log = ON
innodb_encrypt_temporary_tables = ON
encrypt_tmp_disk_tables = ON
encrypt_tmp_files = ON
encrypt_binlog = ON
aria_encrypt_tables = ON
innodb_encryption_threads = 4
innodb_encryption_rotation_iops = 2000
log_error=server.log
- set new key version
vault kv put /mariadb/1 data=$(openssl rand -hex 32)
- service mariadb restart
- set a new version of the encryption key to vault:
vault kv put /mariadb/1 data=$(openssl rand -hex 32)
information_schema.INNODB_TABLESPACES_ENCRYPTION shows the following content now:
MariaDB [(none)]> select * from information_schema.INNODB_TABLESPACES_ENCRYPTION;
+-------+----------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+----------------------+
| SPACE | NAME | ENCRYPTION_SCHEME | KEYSERVER_REQUESTS | MIN_KEY_VERSION | CURRENT_KEY_VERSION | KEY_ROTATION_PAGE_NUMBER | KEY_ROTATION_MAX_PAGE_NUMBER | CURRENT_KEY_ID | ROTATING_OR_FLUSHING |
+-------+----------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+----------------------+
| 0 | innodb_system | 1 | 1 | 1 | 2 | NULL | NULL | 1 | 0 |
| 1 | mysql/innodb_table_stats | 1 | 1 | 1 | 2 | NULL | NULL | 1 | 0 |
| 2 | mysql/innodb_index_stats | 1 | 1 | 1 | 2 | NULL | NULL | 1 | 0 |
| 4 | mysql/gtid_slave_pos | 1 | 1 | 1 | 2 | NULL | NULL | 1 | 0 |
| 3 | mysql/transaction_registry | 1 | 0 | 1 | 2 | NULL | NULL | 1 | 0 |
+-------+----------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+----------------------+
5 rows in set (0.008 sec)
CURRENT_KEY_VERSION -> 2
CURRENT_KEY_ID -> 1
There seems to be no possibility to re-encrypt the tables.
In the documentation the Hashicorp Plugin is listed neither as "with" nor as "without Key Rotation Support":
https://mariadb.com/kb/en/encryption-key-management/#support-for-key-rotation-in-encryption-plugins
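A monitoring check derived from the INNODB_TABLESPACES_ENCRYPTION output above, added here as an example (not MariaDB, plugin or reporter code): it parses the mysql client's ASCII table and flags tablespaces whose MIN_KEY_VERSION still lags CURRENT_KEY_VERSION while no rotation or flush is running, which is exactly the state the report describes. The sample output is constructed from two rows of the table above plus two hypothetical tablespaces (test/rotated, test/in_progress) to show the cases that must not be flagged.

```python
# Added example (not MariaDB or plugin code): parse the mysql client's ASCII
# table and report tablespaces whose pages still use an old key version.
from typing import Dict, List

# Constructed sample: two rows shown in the report plus two hypothetical
# tablespaces, one fully rotated and one with a rotation in progress.
SAMPLE_OUTPUT = """\
+----+
| SPACE | NAME | ENCRYPTION_SCHEME | KEYSERVER_REQUESTS | MIN_KEY_VERSION | CURRENT_KEY_VERSION | KEY_ROTATION_PAGE_NUMBER | KEY_ROTATION_MAX_PAGE_NUMBER | CURRENT_KEY_ID | ROTATING_OR_FLUSHING |
+----+
| 0 | innodb_system | 1 | 1 | 1 | 2 | NULL | NULL | 1 | 0 |
| 1 | mysql/innodb_table_stats | 1 | 1 | 1 | 2 | NULL | NULL | 1 | 0 |
| 5 | test/rotated | 1 | 1 | 2 | 2 | NULL | NULL | 1 | 0 |
| 6 | test/in_progress | 1 | 1 | 1 | 2 | 4711 | 9000 | 1 | 1 |
+----+
4 rows in set (0.008 sec)
"""

def parse_mysql_table(text: str) -> List[Dict[str, str]]:
    """Turn the mysql client's '| a | b |' rows into dicts keyed by column name."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # skip '+---+' borders and the 'N rows in set' footer
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells  # the first '|' line is the column header
        else:
            rows.append(dict(zip(header, cells)))
    return rows

def stalled_tablespaces(rows: List[Dict[str, str]]) -> List[str]:
    """Encrypted tablespaces where MIN_KEY_VERSION lags CURRENT_KEY_VERSION
    although no rotation or flush is running: the rotation never started."""
    stalled = []
    for r in rows:
        if r["ENCRYPTION_SCHEME"] == "0":
            continue  # unencrypted tablespace, nothing to rotate
        rotating = (r["ROTATING_OR_FLUSHING"] == "1"
                    or r["KEY_ROTATION_PAGE_NUMBER"] != "NULL")
        if int(r["MIN_KEY_VERSION"]) < int(r["CURRENT_KEY_VERSION"]) and not rotating:
            stalled.append(r["NAME"])
    return stalled

if __name__ == "__main__":
    for name in stalled_tablespaces(parse_mysql_table(SAMPLE_OUTPUT)):
        print(f"key rotation stalled: {name}")
```

Run against live output (`mysql -e 'SELECT * FROM information_schema.INNODB_TABLESPACES_ENCRYPTION'`), a non-empty result after a key version bump is the condition this report describes.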
Issue Links
- split to:
  - MDEV-30847 Hashicorp Plugin: Provide cache flush for key rotation (Stalled)
  - MDEV-30849 Hashicorp Plugin: enable key version caching by default (Stalled)