Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
10.1.8
-
None
-
CentOS7
-
10.1.9-1
Description
Hi,
In the CentOS7 package there is a /etc/my.cnf.d/encryption.preset file. This file contains configurations 'loose-innodb-encrypt-log' and 'loose-innodb-encrypt-tables'.
Why are these configurations prefixed with 'loose-'?
Also it contains aria-encrypt-tables, the server does not start with this. It requires an option, after changing this to =1 it no longer gives an error on this.
According to the documentation it should be innodb-encrypt-tables = FORCE and innodb-encrypt-log: https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/#which-storage-engines-does-mariadb-encryption-support
Cheers,
Michael
Attachments
Issue Links
- duplicates
-
-
- Closed
-
- links to
Activity
| Field | Original Value | New Value |
|---|---|---|
| Fix Version/s | N/A [ 14700 ] | |
| Resolution | Duplicate [ 3 ] | |
| Status | Open [ 1 ] | Closed [ 6 ] |
The encryptions.preset file says it now, and in the future, guarantees that everything will be encrypted. I think it should be FORCE in this example.
| Resolution | Duplicate [ 3 ] | |
| Status | Closed [ 6 ] | Stalled [ 10000 ] |
If you mean the comment in the preset file, it now says, I'm quoting,
# !include this file into your my.cnf (or any of *.cnf files in /etc/my.cnf.d)
|
# and it will enable data at rest encryption. This is a simple way to
|
# ensure that everything that can be encrypted will be and your
|
# data will not leak unencrypted.
|
That's exactly what the value 'ON' does. The value 'FORCE' does not add anything to 'encrypting everything that can be encrypted', it only makes InnoDB produce errors when you are explicitly trying to create an unencrypted table. These tables are outside the scope of the comment because they cannot be encrypted anyway.
So, I consider ON to be a most reasonable value for preset.
However, I don't see it anyhow important to keep arguing. Assigning to serg to decide.
| Assignee | Sergei Golubchik [ serg ] |
| Priority | Major [ 3 ] | Minor [ 4 ] |
| Fix Version/s | 10.1 [ 16100 ] | |
| Fix Version/s | N/A [ 14700 ] |
My bad, you are right about that. I remembered it not setting encryption by default somehow, but it does. I remembered wrong.
| Remote Link | This issue links to "pull request (Web Link)" [ 25604 ] |
| Sprint | 10.1.9-1 [ 18 ] |
| Priority | Minor [ 4 ] | Major [ 3 ] |
- loose- makes the preset usable when InnoDB is not loaded. For example, when a user only wants to use Aria or, may be, she is going to install InnoDB plugin run-time.
- aria-encrypt-tables — fixed, thanks
- FORCE already answered apove.
| Status | Stalled [ 10000 ] | In Progress [ 3 ] |
| Fix Version/s | 10.1.9 [ 20301 ] | |
| Fix Version/s | 10.1 [ 16100 ] | |
| Resolution | Fixed [ 1 ] | |
| Status | In Progress [ 3 ] | Closed [ 6 ] |
| Workflow | MariaDB v3 [ 72263 ] | MariaDB v4 [ 149758 ] |
It has already been addressed in
MDEV-8990, except for this:Documentation does not say it should be FORCE. It can be ON (same as no argument). See config example on the same page.