Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
10.1.4
-
None
-
10.1.9-3
Description
Note: I don't really know what is right and what is wrong here (see MDEV-8148 – request to document it). I am only trying to guess, and it seems I can never guess right
server started with --plugin-load-add=file_key_management.so --file_key_management_filename=/home/elenst/git/10.1/mysql-test/std_data/keys.txt
+------------------------------------------+---------+
|
| Variable_name | Value |
|
+------------------------------------------+---------+
|
| aria_encrypt_tables | OFF |
|
| encrypt_tmp_disk_tables | OFF |
|
| file_key_management_encryption_algorithm | aes_cbc |
|
| innodb_default_encryption_key_id | 1 |
|
| innodb_encrypt_log | OFF |
|
| innodb_encrypt_tables | OFF |
|
| innodb_encryption_rotate_key_age | 1 |
|
| innodb_encryption_rotation_iops | 100 |
|
| innodb_encryption_threads | 0 |
|
+------------------------------------------+---------+
|
|
DDL that will be executed |
drop database if exists db_encrypt; |
create database db_encrypt; |
use db_encrypt; |
create table t_encrypted_existing_key (i int) encrypted=yes encryption_key_id = 2; |
create table t_not_encrypted_existing_key (i int) encrypted=no encryption_key_id = 2; |
create table t_encrypted_non_existing_key (i int) encrypted=yes encryption_key_id = 9; |
create table t_not_encrypted_non_existing_key (i int) encrypted=no encryption_key_id = 9; |
create table t_default_encryption_existing_key (i int) encryption_key_id = 2; |
create table t_default_encryption_non_existing_key (i int) encryption_key_id = 9; |
create table t_encrypted_default_key (i int) encrypted=yes; |
create table t_not_encrypted_default_key (i int) encrypted=no; |
create table t_defaults (i int); |
Note: t_encrypted_non_existing_key will not be created
set global innodb_encrypt_tables = 0; |
 |
# (Re-)create all the tables as above |
MariaDB [db_encrypt]> select * from information_schema.innodb_tablespaces_encryption where name like 'db_encrypt%';
|
+-------+--------------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+
|
| SPACE | NAME | ENCRYPTION_SCHEME | KEYSERVER_REQUESTS | MIN_KEY_VERSION | CURRENT_KEY_VERSION | KEY_ROTATION_PAGE_NUMBER | KEY_ROTATION_MAX_PAGE_NUMBER |
|
+-------+--------------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+
|
| 10 | db_encrypt/t_encrypted_existing_key | 0 | 0 | 0 | 0 | NULL | NULL |
|
| 11 | db_encrypt/t_not_encrypted_existing_key | 0 | 0 | 0 | 0 | NULL | NULL |
|
| 12 | db_encrypt/t_not_encrypted_non_existing_key | 0 | 0 | 0 | 0 | NULL | NULL |
|
| 13 | db_encrypt/t_default_encryption_existing_key | 0 | 0 | 0 | 0 | NULL | NULL |
|
| 14 | db_encrypt/t_default_encryption_non_existing_key | 0 | 0 | 0 | 0 | NULL | NULL |
|
| 15 | db_encrypt/t_encrypted_default_key | 0 | 0 | 0 | 0 | NULL | NULL |
|
| 16 | db_encrypt/t_not_encrypted_default_key | 0 | 0 | 0 | 0 | NULL | NULL |
|
| 17 | db_encrypt/t_defaults | 0 | 0 | 0 | 0 | NULL | NULL |
|
+-------+--------------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+
|
8 rows in set (0.00 sec)
|
It does not seem to change with time.
It is already weird: as I understand from the description, tables with ENCRYPTED=YES should be encrypted regardless of innodb_encrypt_tables.
However, this part might be a duplicate of MDEV-8138.
set global innodb_encrypt_tables = 1; |
# Wait a bit? |
MariaDB [db_encrypt]> select * from information_schema.innodb_tablespaces_encryption where name like 'db_encrypt%';
|
+-------+--------------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+
|
| SPACE | NAME | ENCRYPTION_SCHEME | KEYSERVER_REQUESTS | MIN_KEY_VERSION | CURRENT_KEY_VERSION | KEY_ROTATION_PAGE_NUMBER | KEY_ROTATION_MAX_PAGE_NUMBER |
|
+-------+--------------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+
|
| 10 | db_encrypt/t_encrypted_existing_key | 0 | 0 | 0 | 4294967295 | NULL | NULL |
|
| 11 | db_encrypt/t_not_encrypted_existing_key | 0 | 0 | 0 | 4294967295 | NULL | NULL |
|
| 12 | db_encrypt/t_not_encrypted_non_existing_key | 0 | 0 | 0 | 4294967295 | NULL | NULL |
|
| 13 | db_encrypt/t_default_encryption_existing_key | 0 | 0 | 0 | 4294967295 | NULL | NULL |
|
| 14 | db_encrypt/t_default_encryption_non_existing_key | 0 | 0 | 0 | 4294967295 | NULL | NULL |
|
| 15 | db_encrypt/t_encrypted_default_key | 0 | 0 | 0 | 4294967295 | NULL | NULL |
|
| 16 | db_encrypt/t_not_encrypted_default_key | 0 | 0 | 0 | 4294967295 | NULL | NULL |
|
| 17 | db_encrypt/t_defaults | 0 | 0 | 0 | 4294967295 | NULL | NULL |
|
+-------+--------------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+
|
8 rows in set (0.00 sec)
|
I can't event start guessing why it is the way it is. It also does not change with time.
Now, with innodb_encrypt_tables=1 re-create the tables again.
This time t_encrypted_non_existing_key and t_default_encryption_non_existing_key are not created. I suppose that's okay.
MariaDB [db_encrypt]> select * from information_schema.innodb_tablespaces_encryption where name like 'db_encrypt%';
|
+-------+----------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+
|
| SPACE | NAME | ENCRYPTION_SCHEME | KEYSERVER_REQUESTS | MIN_KEY_VERSION | CURRENT_KEY_VERSION | KEY_ROTATION_PAGE_NUMBER | KEY_ROTATION_MAX_PAGE_NUMBER |
|
+-------+----------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+
|
| 18 | db_encrypt/t_encrypted_existing_key | 1 | 1 | 1 | 1 | NULL | NULL |
|
| 19 | db_encrypt/t_not_encrypted_existing_key | 1 | 0 | 1 | 1 | NULL | NULL |
|
| 20 | db_encrypt/t_not_encrypted_non_existing_key | 1 | 0 | 4294967295 | 4294967295 | NULL | NULL |
|
| 21 | db_encrypt/t_default_encryption_existing_key | 1 | 1 | 1 | 1 | NULL | NULL |
|
| 22 | db_encrypt/t_encrypted_default_key | 1 | 1 | 1 | 1 | NULL | NULL |
|
| 23 | db_encrypt/t_not_encrypted_default_key | 1 | 0 | 1 | 1 | NULL | NULL |
|
| 24 | db_encrypt/t_defaults | 1 | 1 | 1 | 1 | NULL | NULL |
|
+-------+----------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+
|
7 rows in set (0.00 sec)
|
4294967295 for t_not_encrypted_non_existing_key looks ugly.
Non-zero values for not_encrypted tables are strange.
set global innodb_encrypt_tables = 0; |
# Wait a bit? |
MariaDB [db_encrypt]> select * from information_schema.innodb_tablespaces_encryption where name like 'db_encrypt%';
|
+-------+----------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+
|
| SPACE | NAME | ENCRYPTION_SCHEME | KEYSERVER_REQUESTS | MIN_KEY_VERSION | CURRENT_KEY_VERSION | KEY_ROTATION_PAGE_NUMBER | KEY_ROTATION_MAX_PAGE_NUMBER |
|
+-------+----------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+
|
| 18 | db_encrypt/t_encrypted_existing_key | 1 | 1 | 1 | 0 | NULL | NULL |
|
| 19 | db_encrypt/t_not_encrypted_existing_key | 1 | 0 | 1 | 0 | NULL | NULL |
|
| 20 | db_encrypt/t_not_encrypted_non_existing_key | 1 | 0 | 4294967295 | 0 | NULL | NULL |
|
| 21 | db_encrypt/t_default_encryption_existing_key | 1 | 1 | 1 | 0 | NULL | NULL |
|
| 22 | db_encrypt/t_encrypted_default_key | 1 | 1 | 1 | 0 | NULL | NULL |
|
| 23 | db_encrypt/t_not_encrypted_default_key | 1 | 0 | 1 | 0 | NULL | NULL |
|
| 24 | db_encrypt/t_defaults | 1 | 1 | 1 | 0 | NULL | NULL |
|
+-------+----------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+
|
7 rows in set (0.00 sec)
|
Nothing else changes, even for tables with default encryption. I don't know if anything should.
Attachments
Issue Links
- relates to
-
MDEV-8148 Document INFORMATION_SCHEMA table(s) related to encryption
-
- Closed
-