Details
Type: Bug
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 10.10.3
Fix Version/s: None
Any
Description
The documentation states:
"Re-encrypt in background any page having a key older than this number of key versions."
This would normally mean that reencryption would occur for any table for which
MIN_KEY_VERSION + innodb_encryption_rotate_key_age <= CURRENT_KEY_VERSION
Since innodb_encryption_rotate_key_age cannot be 0 when rotation is enabled, "<=" (less equal) is safe. Unfortunately, that's not how it works. The check in the code is using "<" (less):
if (key_version + rotate_key_age < latest_key_version) { return true; }
The outcome is that when innodb_encryption_rotate_key_age = 1, the tables won't be reencrypted when I update my encryption key once. I must update it twice, which introduces various difficulties to our external key rotation mechanism.
In the following scenario, it's not possible to have my tables encrypted with key version 2:
# config
innodb_encrypt_tables = ON
innodb_default_encryption_key_id = 1
innodb_encryption_rotate_key_age = 1

----

+----------------------------+-------------------+-----------------+---------------------+
| NAME                       | ENCRYPTION_SCHEME | MIN_KEY_VERSION | CURRENT_KEY_VERSION |
+----------------------------+-------------------+-----------------+---------------------+
| my_db/my_tabl              |                 1 |               1 |                   1 |
+----------------------------+-------------------+-----------------+---------------------+

# Update Key

+----------------------------+-------------------+-----------------+---------------------+
| NAME                       | ENCRYPTION_SCHEME | MIN_KEY_VERSION | CURRENT_KEY_VERSION |
+----------------------------+-------------------+-----------------+---------------------+
| my_db/my_tabl              |                 1 |               1 |                   2 |
+----------------------------+-------------------+-----------------+---------------------+

# Update Key

+----------------------------+-------------------+-----------------+---------------------+
| NAME | ENCRYPTION_SCHEME | MIN_KEY_VERSION | CURRENT_KEY_VERSION |
+----------------------------+-------------------+-----------------+---------------------+
| my_db/my_tabl              |                 1 |               3 |                   3 |
+----------------------------+-------------------+-----------------+---------------------+
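To make the off-by-one in the report concrete, here is an added stand-alone simulation of the two comparisons (the `<` the report quotes from the code, and the `<=` the report expects). This is illustration code written for this page, not MariaDB's implementation; the function names, the `key_version_t` alias and the simulated tablespace are assumptions, and the only thing taken from the report is the shape of the comparison.

```cpp
#include <cstdint>
#include <iostream>

// Assumed alias for the key-version integer type; not MariaDB's own typedef.
using key_version_t = std::uint32_t;

// The comparison as quoted in the report: the page's key must be strictly more
// than rotate_key_age versions behind the latest key before rotation is triggered.
bool needs_rotation_as_implemented(key_version_t key_version,
                                   key_version_t rotate_key_age,
                                   key_version_t latest_key_version) {
    return key_version + rotate_key_age < latest_key_version;
}

// The comparison the report expects from the documentation: rotation is
// triggered as soon as the gap reaches rotate_key_age versions.
bool needs_rotation_as_expected(key_version_t key_version,
                                key_version_t rotate_key_age,
                                key_version_t latest_key_version) {
    return key_version + rotate_key_age <= latest_key_version;
}

using rotation_check_t = bool (*)(key_version_t, key_version_t, key_version_t);

// Simulated tablespace (constructed for this example): all pages were written
// with key version 1, and an external key rotation publishes one new version
// per update. Returns the number of key updates after which `check` first
// reports that the tablespace needs re-encryption, or -1 if it never fires.
int updates_until_rotation(rotation_check_t check, key_version_t rotate_key_age,
                           int max_updates = 10) {
    key_version_t min_key_version = 1;      // oldest key still used by a page
    key_version_t current_key_version = 1;  // latest key version known to the server
    for (int updates = 1; updates <= max_updates; ++updates) {
        ++current_key_version;  // one external key update
        if (check(min_key_version, rotate_key_age, current_key_version))
            return updates;
    }
    return -1;
}

int main() {
    // For rotate_key_age = 1 the implemented check needs two key updates
    // (1 + 1 < 3), while the expected check fires after one (1 + 1 <= 2).
    for (key_version_t age = 1; age <= 3; ++age) {
        std::cout << "innodb_encryption_rotate_key_age=" << age
                  << ": implemented check fires after "
                  << updates_until_rotation(needs_rotation_as_implemented, age)
                  << " key update(s), expected check after "
                  << updates_until_rotation(needs_rotation_as_expected, age)
                  << " key update(s)\n";
    }
    return 0;
}
```

The loop in `main` shows that the difference is exactly one extra key update for every value of innodb_encryption_rotate_key_age, which is why a single key update never moves MIN_KEY_VERSION from 1 to 2 in the scenario above.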