MariaDB Server / MDEV-7993

file_key_management_filekey doesn't work as expected with FILE:

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.1.4
    • Fix Version/s: 10.1.5
    • Component/s: Encryption
    • Labels: None
    • Environment: CentOS 7 64 Bit

    Description

      The file_key_management_filekey variable doesn't seem to be parsed correctly when used with the FILE: option. The log file responds with the following message...

      [ERROR] mysqld: Cannot decrypt /var/lib/mysql/key.enc. Wrong key?

      I've checked my key.enc file decrypts successfully with the following command...

      openssl aes-256-cbc -d -md sha1 -k secret -in key.enc

      and when I set...

      file_key_management_filekey=secret

      and restart MariaDB, there are no complaints in the error log. Running SHOW VARIABLES LIKE 'file%';

      shows that the file_key_management_% variables have been set by the server.

      I've checked my pwd file a number of times, tried it with a newline after the password, all with the same result.

      Cheers,

      Rhys


        Activity

          serg Sergei Golubchik added a comment - edited

          Did you try the password file without a newline? Because the plugin uses the whole file content as a password, including the last newline character. Try

          echo -n secret > pwdfile
          rhyscampbell Rhys Campbell added a comment - edited

          OK, that was it. I wasn't aware of the difference of...

          linux> echo secret > 1.txt
          linux> echo -n secret > 2.txt
          linux> cat 1.txt | wc -c && cat 2.txt | wc -c
          7
          6

          I +1 for a chomp to be done on the password in the file.

          Thanks.

          elenst Elena Stepanova added a comment -

          Hi,

          Sorry, I don't quite understand the description. Could you please provide the exact combination of file_key_management* variables which does not work, and explain whether you set them at runtime, or add them to the cnf file, or put them on the command line; and the combination of the variables which works.

          Thanks.
          rhyscampbell Rhys Campbell added a comment -

          It's resolved. See above comments.

          Cheers,

          R
          rhyscampbell Rhys Campbell added a comment -

          I still think this needs a chomp performed on the password obtained from the file.

          elenst Elena Stepanova added a comment -

          Re-opening for the chomp consideration.

          serg Sergei Golubchik added a comment -

          Yes, I agree that the current behavior is sometimes unexpected.

          On the other hand, one may want to include a newline character in the key. I see these options:

          1. always remove all newline characters (one won't be able to use a key that ends with a new line, but who cares?)
          2. don't remove newline character, but print a warning that a key includes a newline character at the end (doesn't solve the problem, but at least makes the user aware of it)
          3. only remove one last newline, one will be able to use a key with newline at the end by putting two newlines in the file (a bit difficult to document, don't look natural)
          4. something else?
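          The following is an added example, not MariaDB code and not posted by anyone in this thread. It makes concrete the two points above: the 7-byte file from `echo secret > pwdfile` versus the 6-byte file from `echo -n secret > pwdfile` derive different AES keys when the whole file content is taken as the passphrase, and what option 3 (strip exactly one trailing newline) would change. The key derivation is OpenSSL's EVP_BytesToKey with SHA1, which is what the `openssl aes-256-cbc -md sha1 -k secret` command in the description uses; that the plugin derives its key identically is an assumption here, and the 8-byte salt is constructed for the example.

```python
import hashlib

# Added example (not MariaDB's plugin code). Assumption: the plugin derives the
# AES key from the passphrase the same way `openssl enc -md sha1 -k` does
# (EVP_BytesToKey with SHA1), so a different passphrase byte string means a
# different key and "Cannot decrypt ... Wrong key?".

def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 32,
                     iv_len: int = 16, md: str = "sha1", count: int = 1):
    """OpenSSL's EVP_BytesToKey: D_i = H(D_{i-1} || password || salt),
    concatenated until key_len + iv_len bytes are available."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        d = prev + password + salt
        for _ in range(count):
            d = hashlib.new(md, d).digest()
        out += d
        prev = d
    return out[:key_len], out[key_len:key_len + iv_len]

def trailing_whitespace(content: bytes) -> bytes:
    """Return the run of trailing whitespace bytes in a key file (b"" if none).
    This is the check to run before blaming the key itself."""
    stripped = content.rstrip(b" \t\r\n")
    return content[len(stripped):]

def passphrase_from_file(content: bytes, chomp: bool = False) -> bytes:
    """Passphrase as the thread describes the plugin using it: the whole file.
    With chomp=True, strip exactly one trailing newline ("\\n" or "\\r\\n"),
    i.e. option 3 above: a file ending in two newlines still yields a
    passphrase ending in one, so a newline-terminated key stays expressible."""
    if not chomp:
        return content
    if content.endswith(b"\r\n"):
        return content[:-2]
    if content.endswith(b"\n"):
        return content[:-1]
    return content

def keys_match(file_content: bytes, intended: bytes, salt: bytes,
               chomp: bool = False) -> bool:
    """True if the key derived from the file content equals the key derived
    from the passphrase the operator intended (the one given to `openssl -k`)."""
    k_file, _ = evp_bytes_to_key(passphrase_from_file(file_content, chomp), salt)
    k_intended, _ = evp_bytes_to_key(intended, salt)
    return k_file == k_intended

if __name__ == "__main__":
    # Constructed inputs: a salt as `openssl enc` stores after "Salted__",
    # and the two key files from the thread.
    salt = bytes.fromhex("0123456789abcdef")
    files = {"echo secret": b"secret\n", "echo -n secret": b"secret"}
    for how, content in files.items():
        print(f"{how:>15}: {len(content)} bytes, trailing={trailing_whitespace(content)!r}, "
              f"raw match={keys_match(content, b'secret', salt)}, "
              f"chomped match={keys_match(content, b'secret', salt, chomp=True)}")
```

          Run stand-alone it reports the 7-byte file as a mismatch until one trailing newline is chomped, and the 6-byte file as a match either way. Note that shell command substitution (`$(cat pwdfile)`) silently strips trailing newlines, which is why a manual check of the same file can succeed while the plugin, reading the raw bytes, fails.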
          rhyscampbell Rhys Campbell added a comment -

          I would just chomp it. I think that's the expected behaviour for almost everybody. I've never come across anyone using, or advocating using, a newline in a password/passphrase. As a general rule I think we expect passwords to not have any leading or trailing whitespace characters.

          People

            Assignee: serg Sergei Golubchik
            Reporter: rhyscampbell Rhys Campbell
