When encryption at rest is enabled, actively updated InnoDB tables are not stored encrypted when creating backups with mariabackup --backup as evidenced by the following failure when trying to restore a single database and running `ALTER TABLE <table> IMPORT TABLESPACE;`:
ERROR 1296 (HY000) at line 1: Got error 192 'Table encrypted but decryption failed. This could be because correct encryption management plugin is not loaded, used encryption key is not available or encryption method does not match.' from InnoDB
We have not modified /etc/my.cnf.d/enable_encryption.cnf and /etc/my.cnf has the following in the [mariadb] section:
```
plugin_load_add = file_key_management
loose_file_key_management_filename = /etc/mysql/encryption/keyfile
loose_file_key_management_filename = /etc/mysql/encryption/keyfile.enc
loose_file_key_management_filekey = FILE:/etc/mysql/encryption/keyfile.key
innodb_encrypt_tables = ON
innodb_encrypt_temporary_tables = ON
innodb_encrypt_log = ON
innodb_encryption_threads = 4
```
The `ALTER TABLE [table] IMPORT TABLESPACE;` fails if a table was actively being updated when the backup was created. We have verified that the .ibd file contains a mix of encrypted and unencrypted data by using the Linux strings command.
Background on how it was reproduced:
I have 3 VMs: dbase01-dev, dbase02-dev, and dbase03-dev. All have encryption at rest enabled. dbase01-dev is the master and dbase02-dev and dbase03-dev are slaves. I'll call the database production instead of its actual name. Not sure if it's relevant but on the slave where backups are being created the /etc/my.cnf file has replicate_do_db=production and binlog_do_db=production. On dbase01-dev, I put 10 insert statements into a SQL file and created a bash script that imports the sql file via `mariadb production < import.sql`. Said bash script was then run via `watch import.sh` and left running for a while. `SHOW SLAVE STATUS` showed that it was keeping up with the master. On dbase03-dev, I ran the backup and prepare commands. At this point, strings ${RESTORE_DIR}/base/production/active_table.ibd shows a mix of encrypted and unencrypted data.
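The `strings` check described in the report can be turned into a repeatable per-page test. The following is an added example, not part of the original report or of MariaDB's tooling: it scans a copied .ibd file page by page and flags pages whose byte entropy is too low to be ciphertext. It assumes the default 16 KiB `innodb_page_size`, a heuristic cut-off of 7.5 bits per byte, and that page 0 (the tablespace header) is legitimately unencrypted; all function names and the sample file are constructed for illustration.

```python
import math
import os
import sys
import tempfile
from collections import Counter

PAGE_SIZE = 16 * 1024   # assumption: default innodb_page_size of 16 KiB
ENTROPY_FLOOR = 7.5     # assumption: heuristic cut-off in bits per byte

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 to 8.0)."""
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify_page(page: bytes) -> str:
    if not any(page):
        return "empty"              # never-written or freed page, all zero bytes
    if shannon_entropy(page) >= ENTROPY_FLOOR:
        return "ciphertext-like"
    return "plaintext-like"

def scan_tablespace(path, page_size=PAGE_SIZE, skip_page0=True):
    """Classify every page of an .ibd file; return counts and suspect page numbers."""
    report = {"empty": 0, "ciphertext-like": 0, "plaintext-like": 0,
              "suspect_pages": [], "truncated": False}
    with open(path, "rb") as f:
        page_no = 0
        while page := f.read(page_size):
            if len(page) < page_size:
                report["truncated"] = True   # file is not a whole number of pages
            elif not (skip_page0 and page_no == 0):
                kind = classify_page(page)
                report[kind] += 1
                if kind == "plaintext-like":
                    report["suspect_pages"].append(page_no)
            page_no += 1
    return report

def build_sample(path):
    """Constructed stand-in for a copied .ibd: header, 2 random, 1 text, 1 zero page."""
    row = b"I created a test database and table so they can try to recreate the problem\n"
    text_page = (row * (PAGE_SIZE // len(row) + 1))[:PAGE_SIZE]
    pages = [b"\x00" * 38 + b"constructed header".ljust(PAGE_SIZE - 38, b"\x00"),
             os.urandom(PAGE_SIZE), os.urandom(PAGE_SIZE), text_page, bytes(PAGE_SIZE)]
    with open(path, "wb") as f:
        f.write(b"".join(pages))

if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        target = os.path.join(tempfile.mkdtemp(), "sample.ibd")
        build_sample(target)
    result = scan_tablespace(target)
    print(target, result)
    sys.exit(1 if result["suspect_pages"] else 0)
```

Run against a backup copy, a non-zero exit status means at least one page looks like plaintext; compressible binary data can also fall below the cut-off, so treat flagged pages as candidates to inspect rather than proof.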
Marko Mäkelä
added a comment - Based on this description, I would first guess that the encryption was not properly enabled when mariadb-backup was run. I believe that thanks to some format changes related to MDEV-14425 and MDEV-19534, mariadb-backup --backup should be able to succeed even when no encryption has been configured and the data and log files are encrypted. In the MDEV-14425 ib_logfile0 format, page numbers or file names are never encrypted; only the log record payload is. In the innodb_checksum_algorithm=full_crc32 format, page checksums are calculated after encryption.
When it comes to mariadb-backup --prepare, the log record payload as well as the contents of the pages would be interpreted as garbage if the encryption parameters are incorrect. Applying the log might appear to succeed, but I have some doubts. Especially the application of the MDEV-21724 INSERT operations includes rather extensive consistency checks, and therefore I would expect some errors to be reported.
Could you please write a script that reproduces this problem and shows the exact steps that are needed for reproducing this? I checked our regression test mariabackup.incremental_encrypted, and it is invoking mariadb-backup in a similar way, with no additional parameters related to encryption. It is also using the file_key_management encryption plugin. What it is missing is an INSERT running concurrently with backup, and any use of ALTER TABLE…IMPORT TABLESPACE.
Matthew Musgrove
added a comment - edited
Scp the attached tarball to /tmp on the test system and then SSH into said system.
```
cd /tmp
tar -zxvf mdev-33334-testing.tgz
cd mdev-33334-testing
./start_testing.sh
```
After running the strings command, you'll be prompted to press any key to continue on to the restore.
Tail end of the output from my last test run:
```
Iran into a problem with restoring databecause it was a mix of encrypted and decrypted data%
Icreated a ticket with MariaDBso they would be aware of the problem'"
somebodysaid I should create a test scriptso they can try to recreate the problem'!
Icreated a test database and tableso they can try to recreate the problem')
Icreated a sql file to do multiple insertsso they can try to recreate the problem' 3
Icreated a bash script that loads the sql repeatedlyso they can try to recreate the problem';
Icreated a bash script that creates a backup and prepares itso they can try to recreate the problem' 0
Icreated a bash script checks the prepared backupso they can try to recreate the problem
G&s
Press any key to continue on to restore
Continue? Discard tablespace: mariadb mdev_33334_testing -e 'ALTER TABLE test DISCARD TABLESPACE'
Copy files: rsync -ogrvt /tmp//backup/restore-prep/mdev_33334_testing/test.* /var/lib/mysql/mdev_33334_testing/
sending incremental file list
test.cfg
test.frm
test.ibd
sent 17,832,263 bytes received 73 bytes 35,664,672.00 bytes/sec
total size is 17,827,685 speedup is 1.00
Correct ownership: chown mysql.mysql -R /var/lib/mysql/mdev_33334_testing/
Import tablespace: mariadb mdev_33334_testing -e 'ALTER TABLE test IMPORT TABLESPACE'
ERROR 1296 (HY000) at line 1: Got error 192 'Table encrypted but decryption failed. This could be because correct encryption management plugin is not loaded, used encryption key is not available or encryption method does not match.' from InnoDB
[root@dbase01-dev mdev-33334-testing]#
```
Marko Mäkelä
added a comment - Thank you, thiru! So, the server parameter innodb_encrypt_tables=ON is not being correctly handled by mariadb-backup.
Marko Mäkelä
added a comment - I had forgotten that I had analyzed the root cause of MDEV-33438 (which we reproduced internally) some time earlier. This seems to be the same bug.
People
Thirunarayanan Balathandayuthapani
Matthew Musgrove