  1. MariaDB Server
  2. MDEV-9659

Create encryption plugin that utilizes AWS Key Management Service

Details

    • 10.2.0-7, 10.2.0-8

    Description

      • Whenever a new key or a key version is required (e.g. CREATE TABLE ... ENCRYPTED=YES), the plugin issues a GenerateDataKeyWithoutPlaintext AWS API call to generate a new datakey, and stores the ciphered key in a file in the data directory. The file name for a key-number $key and version $ver will be aws-kms-key.$key.$ver
      • Ciphered datakeys are decrypted (in memory) using the Decrypt API call, and returned by get_key() encryption API calls.
      • The data is encrypted with the plain key, using AES-128 or AES-256, depending on plain key length.
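
The flow described above, as an added Python sketch (not the plugin's code, which this page does not show). A constructed `FakeKMS` stands in for a boto3 KMS client so the example runs offline; the function names, the `O_EXCL`/0600 file handling and the toy XOR wrap are assumptions of the example.

```python
import os

class FakeKMS:
    """Constructed offline stand-in for the two boto3 KMS client calls used below."""
    def __init__(self):
        self._master = os.urandom(32)  # plays the master key, which never leaves KMS

    def _wrap(self, data):  # toy XOR wrap for the demo only, not real cryptography
        return bytes(b ^ m for b, m in zip(data, self._master))

    def generate_data_key_without_plaintext(self, KeyId, KeySpec):
        size = {"AES_128": 16, "AES_256": 32}[KeySpec]
        return {"KeyId": KeyId, "CiphertextBlob": self._wrap(os.urandom(size))}

    def decrypt(self, CiphertextBlob):
        return {"Plaintext": self._wrap(CiphertextBlob)}

def key_file(datadir, key_id, version):
    # File naming from the issue description: aws-kms-key.$key.$ver
    return os.path.join(datadir, f"aws-kms-key.{key_id}.{version}")

def create_key_version(kms, datadir, master_key_id, key_id, version, key_spec):
    """Ask KMS for a new data key and persist only its ciphertext."""
    blob = kms.generate_data_key_without_plaintext(
        KeyId=master_key_id, KeySpec=key_spec)["CiphertextBlob"]
    # Assumption of this sketch: O_EXCL so an existing key version is never
    # overwritten, and mode 0600 on the key file.
    fd = os.open(key_file(datadir, key_id, version),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(blob)

def get_key(kms, datadir, key_id, version):
    """Decrypt the stored data key in memory; the plaintext is never written out."""
    with open(key_file(datadir, key_id, version), "rb") as f:
        plain = kms.decrypt(CiphertextBlob=f.read())["Plaintext"]
    if len(plain) not in (16, 32):
        raise ValueError(f"unexpected data key length {len(plain)}")
    return plain

def cipher_for(plain_key):
    # The AES variant follows the plaintext key length, as in the description
    return {16: "AES-128", 32: "AES-256"}[len(plain_key)]
```

With a real KMS the stored blob is an opaque ciphertext longer than the key itself, and every `get_key()` on a cold start depends on the Decrypt call succeeding, so KMS reachability and the IAM permission for Decrypt become availability requirements for the server.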

        Activity

          wlad Vladislav Vaintroub created issue -
          wlad Vladislav Vaintroub made changes -
          Field Original Value New Value
          Assignee Vladislav Vaintroub [ wlad ]
          wlad Vladislav Vaintroub made changes -
          Description h1. General mode of operation
          * Whenever a new key or a key version is required (e.g {{CREATE TABLE ... ENCRYPTED=YES}}), plugins issues [GenerateDataKeyWithoutPlaintext AWS API call|http://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html] to generate a new datakey, and story it in a file in the data directory. The file name for a key-number $key and version $ver will be aws-kms.$key.$ver
          * The key will be decrypted in memory using [Decrypt API call | http://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html]
          * The data is encrypted using either AES-128 or AES-256 , depending on key length
          h1.
          * Whenever a new key or a key version is required (e.g {{CREATE TABLE ... ENCRYPTED=YES}}), plugins issues [GenerateDataKeyWithoutPlaintext AWS API call|http://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html] to generate a new datakey, and stores ciphered key it in a file in the data directory. The file name for a key-number $key and version $ver will be aws-kms-key.$key.$ver
          * Ciphered datakeys are decrypted(in memory) using [Decrypt API call | http://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html], and returned by {{get_key()}} encryption API calls.
          * The data is encrypted with plain key, using AES-128 or AES-256 , depending on plain key length.
          ratzpo Rasmus Johansson (Inactive) made changes -
          Sprint 10.2.0-7 [ 39 ]
          ratzpo Rasmus Johansson (Inactive) made changes -
          Rank Ranked higher
          wlad Vladislav Vaintroub made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          wlad Vladislav Vaintroub made changes -
          Assignee Vladislav Vaintroub [ wlad ] Sergei Golubchik [ serg ]
          Status In Progress [ 3 ] In Review [ 10002 ]
          serg Sergei Golubchik made changes -
          Assignee Sergei Golubchik [ serg ] Vladislav Vaintroub [ wlad ]
          Status In Review [ 10002 ] Stalled [ 10000 ]
          wlad Vladislav Vaintroub made changes -
          Sprint 10.2.0-7 [ 39 ] 10.2.0-7, 10.2.0-8 [ 39, 41 ]
          wlad Vladislav Vaintroub made changes -
          Component/s Encryption [ 11200 ]
          Component/s Plugins [ 10118 ]
          Fix Version/s 10.1.13 [ 21803 ]
          Fix Version/s 10.1 [ 16100 ]
          Resolution Fixed [ 1 ]
          Status Stalled [ 10000 ] Closed [ 6 ]
          serg Sergei Golubchik made changes -
          Workflow MariaDB v3 [ 74410 ] MariaDB v4 [ 132802 ]

          People

            wlad Vladislav Vaintroub
            wlad Vladislav Vaintroub