Details
-
Bug
-
Status: Stalled (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.9.1
-
None
Description
The Hashicorp Plugin seems to recognise new encryption keys in vault - but does not rotate them.
Reproduce by:
- Install mariadb-server & mariadb-plugin-hashicorp-key-management 10.9.1
- Install hashicorp vault, init and unseal vault
- create secret engine & set a secret key:
vault secrets enable -path /mariadb -version=2 kvvault kv put /mariadb/1 data=$(openssl rand -hex 32) - enable encryption by adding the following block to mariadb section in /etc/mysql/mariadb.conf.d/50-server.cnf:
[mariadb]plugin_load_add = hashicorp_key_managementhashicorp-key-management-vault-url=http://127.0.0.1:8200/v1/mariadbhashicorp-key-management-token=xxxxxxxxxxxxxxxxxinnodb_encrypt_tables = FORCEinnodb_encrypt_log = ONinnodb_encrypt_temporary_tables = ONencrypt_tmp_disk_tables = ONencrypt_tmp_files = ONencrypt_binlog = ONaria_encrypt_tables = ONinnodb_encryption_threads = 4innodb_encryption_rotation_iops = 2000log_error=server.log
- set new key version
vault kv put /mariadb/1 data=$(openssl rand -hex 32) - service mariadb restart
- set a new version of the encryption key to vault:
vault kv put /mariadb/1 data=$(openssl rand -hex 32)information_schema.INNODB_TABLESPACES_ENCRYPTION shows the following content now:
MariaDB [(none)]> select * from information_schema.INNODB_TABLESPACES_ENCRYPTION;+-------+----------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+----------------------+| SPACE | NAME | ENCRYPTION_SCHEME | KEYSERVER_REQUESTS | MIN_KEY_VERSION | CURRENT_KEY_VERSION | KEY_ROTATION_PAGE_NUMBER | KEY_ROTATION_MAX_PAGE_NUMBER | CURRENT_KEY_ID | ROTATING_OR_FLUSHING |+-------+----------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+----------------------+| 0 | innodb_system | 1 | 1 | 1 | 2 | NULL | NULL | 1 | 0 || 1 | mysql/innodb_table_stats | 1 | 1 | 1 | 2 | NULL | NULL | 1 | 0 || 2 | mysql/innodb_index_stats | 1 | 1 | 1 | 2 | NULL | NULL | 1 | 0 || 4 | mysql/gtid_slave_pos | 1 | 1 | 1 | 2 | NULL | NULL | 1 | 0 || 3 | mysql/transaction_registry | 1 | 0 | 1 | 2 | NULL | NULL | 1 | 0 |+-------+----------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+----------------------+5 rows in set (0.008 sec)
CURRENT_KEY_VERSION -> 2
CURRENT_KEY_ID -> 1
there seems to be no possibility to re-encrypt the tables.
In the documentation the Hashicorp Plugin ist not listed as "with-" nor "without Key Rotation Support":
https://mariadb.com/kb/en/encryption-key-management/#support-for-key-rotation-in-encryption-plugins
Attachments
Issue Links
- split to
-
MDEV-30847 Hashicorp Plugin: Provide cache flush for key rotation
-
- Stalled
-
-
-
- Stalled
-
Activity
| Field | Original Value | New Value |
|---|---|---|
| Issue Type | Task [ 3 ] | Bug [ 1 ] |
| Affects Version/s | 10.9.1 [ 27114 ] |
| Fix Version/s | 10.9 [ 26905 ] |
| Assignee | Julius Goryavsky [ sysprg ] |
| Priority | Minor [ 4 ] | Major [ 3 ] |
| Status | Open [ 1 ] | In Progress [ 3 ] |
| Component/s | Plugin - Hashicorp Key Management [ 19200 ] |
| Status | In Progress [ 3 ] | Stalled [ 10000 ] |
| Status | Stalled [ 10000 ] | In Progress [ 3 ] |
| Status | In Progress [ 3 ] | Stalled [ 10000 ] |
| Status | Stalled [ 10000 ] | In Progress [ 3 ] |
| Priority | Major [ 3 ] | Critical [ 2 ] |
| Link | This issue causes MENT-1677 [ MENT-1677 ] |
| Priority | Critical [ 2 ] | Minor [ 4 ] |
| Priority | Minor [ 4 ] | Major [ 3 ] |
Ok, so the problem is not that it's "not possible to re-encrypt the table". The issue is that hashicorp_key_management plugin caches replies from Hashicorp Vault and these values never expire.
By default the caching is enabled, but cache_version_timeout is zero.
The workaround for the user is to set cache_version_timeout. The fix for MariaDB is to set the default to some meaningful value.
I'm also interested in the key rotation mechanism of this plugin. The official documentation is not clear if this plugin supports it or not and I'm trying to find it out manually, but an official statement and an example would be highly appreciated.
As far as I understand, the plugin supports key rotation just fine. But if you have enabled key caching (so that the plugin wouldn't need to query Hashicorp Vault all the time) and you have disabled key expiration timeout, then the key will stay forever in the cache and the plugin will not notice that the key was rotated in the Hashicorp Vault until you restart the server.
Key caching is generally a good idea, an infinite timeout is not.
Indeed I see that when I write a new version of the enc key in Vault, MariaDB sees it if I select data from information_schema.INNODB_TABLESPACES_ENCRYPTION (i.e. Current Key Version corresponds to the latest version in Vault, while Min Key Version is the older one used in encryption). But how do I trigger MariaDB to encrypt the tables using the newer version?
It's beyond the hashicorp plugin. Generally it should be explained here: https://mariadb.com/kb/en/innodb-background-encryption-threads/ You'll need innodb_encryption_threads (like the original reporter did) and innodb_encryption_rotate_key_age (which is 1 by default, so, likely, ok).
We're now trying to repeat this issue
| Link | This issue split to MDEV-30847 [ MDEV-30847 ] |
| Link | This issue split to MDEV-30849 [ MDEV-30849 ] |
| Status | In Progress [ 3 ] | Stalled [ 10000 ] |
| Link | This issue blocks MENT-1806 [ MENT-1806 ] |
| Labels | Cloned |
| Labels | Cloned |
| Fix Version/s | 10.11 [ 27614 ] |
| Fix Version/s | 10.9 [ 26905 ] |
sysprg, why is it not possible to re-encrypt the table? As far as I can see from the plugin code, it caches the latest key version, so it might immediately notice that the key was rotated, but the cache expires in cache_version_timeout milliseconds (which is 0 by default, btw). Why the server doesn't notice that the key was rotated in the vault?