[MDEV-13386] Document how to create encryption keys for file_key_management plugin Created: 2017-07-26 Updated: 2017-07-28 Resolved: 2017-07-27 |
|
| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | Documentation, Storage Engine - InnoDB |
| Fix Version/s: | N/A |
| Type: | Task | Priority: | Major |
| Reporter: | Geoff Montee (Inactive) | Assignee: | Ian Gilfillan |
| Resolution: | Not a Bug | Votes: | 0 |
| Labels: | documentation, encryption, file_key_management, innodb | ||
| Description |
|
The documentation for the file_key_management plugin doesn't currently say how to generate encryption keys:
https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/#file_key_management-plugin
The correct command appears to be shown here:
https://mariadb.com/resources/blog/table-and-tablespace-encryption-mariadb-101
e.g.:
However, this more recent blog post from Pythian suggests a slightly different command:
https://www.pythian.com/blog/data-encryption-rest/
We should clarify if a specific command is correct. |
| Comments |
| Comment by Sergei Golubchik [ 2017-07-27 ] |
|
Both commands look identical. The only difference is that in the first case the key is specified on the command line, and in the second case openssl will prompt for it. But neither command is required, that's why the manual does not specify them. The manual says only
That is, any 128-, 192-, or 256-bit number is a valid key. You can use 00112233445566778899AABBCCDDEEFF or even 00000000000000000000000000000000. Or you can generate a random key with dd, /dev/random, and sha256. Or with openssl. Or with something else, it's up to you. |
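Added example, not part of the original comments and not MariaDB's own code: one way to generate keys from the kernel CSPRNG and to check a key file against the 128-, 192- and 256-bit sizes named in the comment above. The function names and the `keys.txt` file name are hypothetical; the `<id>;<hex key>` line layout is the plugin's key file format, which this page does not show.

```shell
#!/bin/sh
# Added example: generate and sanity-check a file_key_management key file.
# Function names and file names are illustrative, not MariaDB's.

# gen_key BITS -> prints BITS/4 hex digits read from /dev/urandom.
# (`openssl rand -hex 32` is an equivalent source for a 256-bit key.)
gen_key() {
    case "$1" in
        128|192|256) ;;
        *) echo "key size must be 128, 192 or 256" >&2; return 1 ;;
    esac
    dd if=/dev/urandom bs="$(( $1 / 8 ))" count=1 2>/dev/null |
        od -An -v -tx1 | tr -d ' \n'
}

# check_keyfile FILE -> returns 0 only if every non-comment line is
# "<numeric id>;<hex key>" with a 128-, 192- or 256-bit key.
check_keyfile() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                 # blank line or comment
            *';'*) ;;
            *) echo "no ';' in: $line" >&2; bad=1; continue ;;
        esac
        id=${line%%;*}; key=${line#*;}
        case "$id" in
            ''|*[!0-9]*) echo "bad id: $id" >&2; bad=1; continue ;;
        esac
        case "$key" in
            ''|*[!0-9A-Fa-f]*) echo "key $id: not hex" >&2; bad=1; continue ;;
        esac
        case "${#key}" in
            32|48|64) ;;                          # 128, 192 or 256 bits
            *) echo "key $id: ${#key} hex digits" >&2; bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# write_keyfile FILE -> two fresh 256-bit keys, readable by the owner only.
write_keyfile() {
    ( umask 077
      { printf '1;%s\n' "$(gen_key 256)"
        printf '2;%s\n' "$(gen_key 256)"; } > "$1" )
}
```

`check_keyfile` only tests format and length, so a constant such as the all-zero key from the comment passes it; randomness comes from how the key was generated, not from this check.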
| Comment by Geoff Montee (Inactive) [ 2017-07-27 ] |
|
Hi serg, That makes sense that the keys could be generated using different methods. In my opinion, the documentation should specify at least one method to generate keys that has sufficient randomness. The documentation currently has 0 methods listed. |
| Comment by Sergei Golubchik [ 2017-07-28 ] |
|
ok, added. |