  1. MariaDB Server
  2. MDEV-9010

Encryption preset file contains different configuration preset than documentation

Details

    • 10.1.9-1

    Description

      Hi,

      In the CentOS7 package there is a /etc/my.cnf.d/encryption.preset file. This file contains configurations 'loose-innodb-encrypt-log' and 'loose-innodb-encrypt-tables'.
      Why are these configurations prefixed with 'loose-'?

      Also, it contains aria-encrypt-tables; the server does not start with this. It requires an option; after changing this to =1 it no longer gives an error on this.

      According to the documentation it should be innodb-encrypt-tables = FORCE and innodb-encrypt-log: https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/#which-storage-engines-does-mariadb-encryption-support

      Cheers,
      Michael

          Activity

            elenst Elena Stepanova added a comment:

            It has already been addressed in MDEV-8990, except for this:

            "According to the documentation it should be innodb-encrypt-tables = FORCE"

            Documentation does not say it should be FORCE. It can be ON (same as no argument). See config example on the same page.

            michaeldg Michaël de groot added a comment:

            The encryptions.preset file says it now, and in the future, guarantees that everything will be encrypted. I think it should be FORCE in this example.

            elenst Elena Stepanova added a comment:

            If you mean the comment in the preset file, it now says, I'm quoting,

            # !include this file into your my.cnf (or any of *.cnf files in /etc/my.cnf.d)
            # and it will enable data at rest encryption. This is a simple way to
            # ensure that everything that can be encrypted will be and your
            # data will not leak unencrypted.

            That's exactly what the value 'ON' does. The value 'FORCE' does not add anything to 'encrypting everything that can be encrypted', it only makes InnoDB produce errors when you are explicitly trying to create an unencrypted table. These tables are outside the scope of the comment because they cannot be encrypted anyway.
            So, I consider ON to be a most reasonable value for preset.
            However, I don't see it anyhow important to keep arguing. Assigning to serg to decide.

            michaeldg Michaël de groot added a comment:

            My bad, you are right about that. I remembered it not setting encryption by default somehow, but it does. I remembered wrong.
            serg Sergei Golubchik added a comment (edited):

            • loose- makes the preset usable when InnoDB is not loaded. For example, when a user only wants to use Aria or, maybe, she is going to install the InnoDB plugin at run-time.
            • aria-encrypt-tables — fixed, thanks
            • FORCE already answered above.
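A way to check on a running server what the thread describes, as an added example that is not part of the original issue or the MariaDB packages: it reads the settings the preset applies, lists InnoDB tablespaces reported as unencrypted, and shows the one statement where ON and FORCE differ. It assumes a key management plugin is already configured; the `test.plain_demo` table name is hypothetical.

```sql
-- Added example; assumes encryption.preset is included and a key
-- management plugin is loaded. test.plain_demo is a hypothetical table.

-- 1. Effective values of the options set by the preset.
--    If InnoDB is not loaded, the innodb_* rows are simply absent;
--    the loose- prefix is what lets the server start in that case.
SHOW GLOBAL VARIABLES LIKE 'innodb_encrypt_tables';
SHOW GLOBAL VARIABLES LIKE 'innodb_encrypt_log';
SHOW GLOBAL VARIABLES LIKE 'aria_encrypt_tables';

-- 2. InnoDB tablespaces the server reports as not encrypted
--    (ENCRYPTION_SCHEME = 0).
SELECT NAME, ENCRYPTION_SCHEME, CURRENT_KEY_VERSION
  FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
 WHERE ENCRYPTION_SCHEME = 0;

-- 3. The difference discussed in the comments:
--    with innodb-encrypt-tables = ON this statement succeeds and
--    creates an unencrypted table; with FORCE InnoDB returns an error.
CREATE TABLE test.plain_demo (
  id INT PRIMARY KEY
) ENGINE=InnoDB ENCRYPTED=NO;

-- Clean up if the statement above succeeded (i.e. the value is ON).
DROP TABLE IF EXISTS test.plain_demo;
```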

            People

              serg Sergei Golubchik
              michaeldg Michaël de groot