[MDEV-20099] Implement key rotation for Aria Created: 2019-07-19 Updated: 2023-08-01

Status: Open
Project: MariaDB Server
Component/s: Encryption, Storage Engine - Aria
Fix Version/s: None

Type: Task Priority: Major
Reporter: Geoff Montee (Inactive) Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Blocks
is blocked by MDEV-18971 Add background encryption threads for... Open
Relates
relates to MDEV-20098 Implement key rotation for binary log... Open
relates to MDEV-8587 Aria log encryption Open
relates to MDEV-17324 Make information_schema table that sh... Open
relates to MDEV-18049 Support ENCRYPTED and ENCRYPTION_KEY_... Open
relates to MDEV-18971 Add background encryption threads for... Open

Description

In version 3.2.1 of the PCI DSS, sections 3.6.4 and 3.6.5 say that applications must have procedures for changing or replacing encryption keys.

https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss

For encryption of Aria tables, if an encryption key is rotated, then I believe that existing encrypted pages continue to use the old version of the encryption key. As far as I know, MariaDB does not have any mechanism to re-encrypt existing Aria pages with a new encryption key or a new version of an encryption key. In order to re-encrypt existing pages, I believe that the table would need to be rebuilt, e.g.:

ALTER TABLE tab ENGINE=Aria ROW_FORMAT=PAGE;

This limitation would make it a bit more difficult for our users to satisfy these requirements of the PCI DSS.

MDEV-18971 would probably need to be implemented before we can implement this.
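The rebuild the description refers to, written out as an added example (this is not code from the issue or from MariaDB itself): a stored procedure that finds every user Aria table stored in page format and rebuilds it with the ALTER TABLE statement quoted above, so that all of its pages are rewritten under whatever key version the key-management plugin currently serves. It assumes aria_encrypt_tables=ON, that the rotated key is already visible to the plugin, and that the mysql, information_schema and performance_schema schemas should be skipped; the procedure name and that exclusion list are assumptions of this example.

```sql
-- Added example, not part of MDEV-20099. Rebuilds every user Aria table in
-- page format so its pages are re-encrypted with the current key version.
-- Assumes aria_encrypt_tables=ON and that the rotated key is already
-- available from the encryption plugin. Procedure name is hypothetical.
DELIMITER //
CREATE PROCEDURE rebuild_encrypted_aria_tables()
BEGIN
  DECLARE done INT DEFAULT 0;
  DECLARE db  VARCHAR(64);
  DECLARE tbl VARCHAR(64);
  -- Only page-format Aria tables are encrypted by aria_encrypt_tables,
  -- so only those need a rebuild. System schemas are skipped (assumption).
  DECLARE cur CURSOR FOR
    SELECT TABLE_SCHEMA, TABLE_NAME
    FROM information_schema.TABLES
    WHERE ENGINE = 'Aria'
      AND UPPER(ROW_FORMAT) = 'PAGE'
      AND TABLE_SCHEMA NOT IN ('mysql', 'information_schema', 'performance_schema');
  DECLARE CONTINUE HANDLER FOR NOT FOUND SET done = 1;

  OPEN cur;
  read_loop: LOOP
    FETCH cur INTO db, tbl;
    IF done THEN
      LEAVE read_loop;
    END IF;
    -- Same statement the issue gives: rebuilding into the same engine and
    -- row format forces every page to be rewritten, hence re-encrypted.
    SET @stmt = CONCAT('ALTER TABLE `', db, '`.`', tbl,
                       '` ENGINE=Aria ROW_FORMAT=PAGE');
    PREPARE s FROM @stmt;
    EXECUTE s;
    DEALLOCATE PREPARE s;
  END LOOP;
  CLOSE cur;
END //
DELIMITER ;

-- Run once after the key has been rotated in the key-management plugin.
CALL rebuild_encrypted_aria_tables();
```

Each ALTER TABLE copies the whole table and blocks writes to it for the duration, so this belongs in a maintenance window. Because Aria has no information_schema view of per-table key versions (see MDEV-17324), the procedure cannot skip tables that are already on the new key; it rebuilds all of them, which is the conservative choice until native rotation exists.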


Generated at Thu Feb 08 08:56:43 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.