[MDEV-20098] Implement key rotation for binary log and relay log Created: 2019-07-19 Updated: 2019-08-05 |
|
| Status: | Open |
| Project: | MariaDB Server |
| Component/s: | Encryption, Replication |
| Fix Version/s: | None |
| Type: | Task | Priority: | Major |
| Reporter: | Geoff Montee (Inactive) | Assignee: | Andrei Elkin |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None |
| Issue Links: |
| Description |
|
In version 3.2.1 of the PCI DSS, sections 3.6.4 and 3.6.5 say that applications must have procedures for changing or replacing encryption keys. https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss For encryption of the binary log and the relay log, if an encryption key is rotated, then I believe that existing binary logs and relay logs continue to use the old version of the encryption key. As far as I know, MariaDB does not have any mechanism to re-encrypt binary logs and relay logs with a new encryption key or a new version of an encryption key. This limitation would make it a bit more difficult for our users to satisfy these requirements of the PCI DSS. |
| Comments |
| Comment by Sergei Golubchik [ 2019-08-05 ] |
|
The new binary log file will use a new key though. Do you suggest a background thread to re-encrypt existing binlogs? |
| Comment by Geoff Montee (Inactive) [ 2019-08-05 ] |
|
Yeah, it sounds like a background thread that could re-encrypt existing binlogs would help our customers meet some of these security requirements. If the background threads could also decrypt existing binlogs when a user wants to disable encryption, then that would be another nice benefit. As far as I know, the only ways to currently decrypt binlogs are:
|