[MDEV-13387] Document correct format for encryption keys used by file_key_management plugin Created: 2017-07-26  Updated: 2017-07-28  Resolved: 2017-07-27

Status: Closed
Project: MariaDB Server
Component/s: Documentation, Storage Engine - InnoDB
Fix Version/s: N/A

Type: Task Priority: Major
Reporter: Geoff Montee (Inactive) Assignee: Ian Gilfillan
Resolution: Not a Bug Votes: 0
Labels: documentation, encryption, file_key_management, innodb


Description

The documentation currently says that the following format is used by file_key_management plugin:

The key file contains encryption keys identifiers (32-bit numbers) and hex-encoded encryption keys, separated by a semicolon. 128, 192 or 256-bit keys are supported. Comments start from the hash character. An example key file entry:
 
# this is a comment
1;770A8A65DA156D24EE2A093277530142
18;F5502320F8429037B8DAEF761B189D12F5502320F8429037B8DAEF761B189D12

https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/#file_key_management_filename

However, this more recent blog post from Pythian says that the IV needs to be included, in addition to the key:

 
Sample output:
...
key=AD2F01FD1D496F6A054E3D19B79815D0F6DE82C49E105D63E1F467912E2F0B95
iv =C6A3F3625D420BD19AF04CEB9DA2D89B
Sample contents of keys.txt using that output:
1;C6A3F3625D420BD19AF04CEB9DA2D89B;AD2F01FD1D496F6A054E3D19B79815D0F6DE82C49E105D63E1F467912E2F0B95

https://www.pythian.com/blog/data-encryption-rest/

If the IV is required, then we should specify that.



Comments
Comment by Sergei Golubchik [ 2017-07-27 ]

Blog post is not more recent, it's from February 18, 2016 and it describes MariaDB 10.1.3. In 10.1.3 file_key_management plugin, indeed, was reading IV from the key file. That was changed in 10.1.4.

Comment by Geoff Montee (Inactive) [ 2017-07-27 ]

Hi serg,

The KB page says that it was written for 10.1.4, and the Pythian blog post says that it was tested with MariaDB 10.1.11. This made it seem like the Pythian blog post was more recent, which was confusing because that blog post showed that you need to put the IV in the key file.

I just tried using file_key_management plugin with MariaDB 10.1.11, and it worked without setting the IV, just as you said that it would. I was curious, so I tried also setting the IV, as detailed in the Pythian blog post. This seemed to work too. It was a bit surprising to me that both formats worked.

Does the IV have any effect in MariaDB 10.1.4 and later if it's present, or is it completely ignored?

Comment by Sergei Golubchik [ 2017-07-28 ]

It is not ignored. file_key_management plugin reads the key number and a key separated by a semicolon. Everything after the key is ignored. When you put an "iv", it actually is interpreted as a key and what you think is a "key" is ignored. So it looks like it works, but if you remove "iv" from your key file, you won't be able to decrypt old data.

The manual is correct, it describes the file format that the plugin needs. If some blog post somewhere claims something else — it must be wrong, if it contradicts the manual.
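The following Python script is an added illustration, not part of this issue thread and not MariaDB's own code. It models the key-file parsing behaviour Sergei describes (key number, a semicolon, the hex key, and everything after the key ignored) and runs it over the two formats quoted in this issue: the documented `id;key` entries and the Pythian-style `id;iv;key` entry. The sample entries are the ones quoted above; the range check on the key id and the accepted key lengths are taken from the KB text, while the exact error handling is an assumption of this example, not the plugin's.

```python
"""Model of how the file_key_management plugin reads its key file.

Added example, not MariaDB's own code. Each non-comment line is
"<id>;<hexkey>"; any further ';'-separated fields are ignored, as
described in this issue. Error handling is an assumption of this model.
"""

# 128-, 192- and 256-bit keys, as hex digit counts
VALID_KEY_HEX_LENGTHS = {32, 48, 64}


def parse_key_file(text):
    """Return {key_id: key_bytes} for a key file in the documented format."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments start from the hash character
        fields = line.split(";")
        if len(fields) < 2:
            raise ValueError("line %d: expected '<id>;<hexkey>'" % lineno)
        key_id = int(fields[0])
        if not 0 <= key_id <= 0xFFFFFFFF:
            raise ValueError("line %d: key id must be a 32-bit number" % lineno)
        key_hex = fields[1]
        if len(key_hex) not in VALID_KEY_HEX_LENGTHS:
            raise ValueError("line %d: key must be 128, 192 or 256 bits" % lineno)
        keys[key_id] = bytes.fromhex(key_hex)
        # fields[2:] (for example a "key" following an "iv") are silently dropped
    return keys


def effective_key_hex(text, key_id):
    """Upper-case hex of the key the parser actually uses for key_id."""
    return parse_key_file(text)[key_id].hex().upper()


# Entries quoted in this issue (documented format from the KB page).
DOCUMENTED = """\
# this is a comment
1;770A8A65DA156D24EE2A093277530142
18;F5502320F8429037B8DAEF761B189D12F5502320F8429037B8DAEF761B189D12
"""

# Entry quoted from the Pythian post: id;iv;key.
PYTHIAN_STYLE = (
    "1;C6A3F3625D420BD19AF04CEB9DA2D89B;"
    "AD2F01FD1D496F6A054E3D19B79815D0F6DE82C49E105D63E1F467912E2F0B95\n"
)

# The same entry with the "iv" field removed.
WITHOUT_IV = "1;AD2F01FD1D496F6A054E3D19B79815D0F6DE82C49E105D63E1F467912E2F0B95\n"


def iv_removal_changes_key(with_iv=PYTHIAN_STYLE, without_iv=WITHOUT_IV, key_id=1):
    """True when dropping the 'iv' field changes which bytes act as the key."""
    return effective_key_hex(with_iv, key_id) != effective_key_hex(without_iv, key_id)


if __name__ == "__main__":
    print("documented keys:", {k: v.hex().upper() for k, v in parse_key_file(DOCUMENTED).items()})
    print("key used for Pythian-style entry:", effective_key_hex(PYTHIAN_STYLE, 1))
    print("key used without the iv field:  ", effective_key_hex(WITHOUT_IV, 1))
    print("removing the iv changes the key:", iv_removal_changes_key())
```

Run stand-alone, the script shows that for the Pythian-style entry the 128-bit "iv" value is what the parser takes as the key, so data encrypted under that file cannot be decrypted after the entry is rewritten to the documented `id;key` form.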

Generated at Thu Feb 08 08:05:12 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.