[MDEV-20181] MDB docs advise (require?) use of deprecated openssl key derivation method Created: 2019-07-25  Updated: 2022-05-30

Status: Confirmed
Project: MariaDB Server
Component/s: Encryption, SSL
Affects Version/s: 10.4.6, 10.4
Fix Version/s: 10.4

Type: Bug Priority: Minor
Reporter: pgnd Assignee: Oleksandr Byelkin
Resolution: Unresolved Votes: 1
Labels: None
Environment:

mysqld -V
mysqld Ver 10.4.7-MariaDB-log for Linux on x86_64 (Source distribution)
ldd `which mysqld` | grep ssl
libssl.so.1.1 => /usr/local/openssl11/lib64/libssl.so.1.1 (0x00007ffa67dd2000)
libcrypto.so.1.1 => /usr/local/openssl11/lib64/libcrypto.so.1.1 (0x00007ffa678c2000)
openssl version
OpenSSL 1.1.1c 28 May 2019



 Description   

running

	mysqld -V
		mysqld Ver 10.4.7-MariaDB-log for Linux on x86_64 (Source distribution)
	ldd `which mysqld` | grep ssl
		libssl.so.1.1 => /usr/local/openssl11/lib64/libssl.so.1.1 (0x00007ffa67dd2000)
		libcrypto.so.1.1 => /usr/local/openssl11/lib64/libcrypto.so.1.1 (0x00007ffa678c2000)
	openssl version
		OpenSSL 1.1.1c 28 May 2019

setting up at-rest encryption, encrypting the keyfile

https://mariadb.com/kb/en/library/file-key-management-encryption-plugin/#encrypting-the-key-fileexec

, as instructed,

	openssl -vvv enc -aes-256-cbc \
	 -pass pass:password \
	 -md sha1 \
	 -in  keys.txt \
	 -out keys.enc

warns

	*** WARNING : deprecated key derivation used.
	Using -iter or -pbkdf2 would be better.



 Comments   
Comment by Sergei Golubchik [ 2019-08-12 ]

This is the hard-coded behavior of the file_key_management plugin. To use a different key derivation method, the plugin needs to be extended to understand it. And, most probably, to be able to read old encrypted files, it'll need to auto-detect used key derivation.

Comment by Samuel Jonatan Boczek [ 2022-05-30 ]

Sorry for digging up this old issue, but it has been bugging me lately.

Due to the nature of openssl I don't think it's possible to auto-detect used key derivation.
These would need to be implemented as ini configuration values, e.g.

  • file_key_management_filekey_pbkdf2 = true

I would also propose the ability to specify iterations on the password deriving the encryption key (openssl -iter argument)

  • file_key_management_filekey_iter = 10000
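
For reference, the two derivations the openssl warning contrasts, as an added Python example (not code from MariaDB, the plugin, or the commenters). It shows that an `openssl enc` file header carries only the `Salted__` magic and the salt, so one file and password yield two different AES-256-CBC key/IV pairs. Function names and the sample bytes are constructed for illustration; the PBKDF2 defaults assumed are those of OpenSSL 1.1.1 `enc` (sha256, 10000 iterations).

```python
import hashlib

MAGIC = b"Salted__"        # 8-byte magic `openssl enc` writes before the 8-byte salt
KEY_LEN, IV_LEN = 32, 16   # AES-256-CBC key and IV sizes


def parse_header(blob):
    """Split a salted `openssl enc` file into (salt, ciphertext)."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("not a salted openssl enc file")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password, salt, md="sha1"):
    """Legacy derivation (EVP_BytesToKey, count=1) that `openssl enc` uses
    without -pbkdf2/-iter; `-md sha1` picks the digest."""
    out, block = b"", b""
    while len(out) < KEY_LEN + IV_LEN:
        # D_i = H(D_{i-1} || password || salt), a single hash pass per block
        block = hashlib.new(md, block + password + salt).digest()
        out += block
    return out[:KEY_LEN], out[KEY_LEN:KEY_LEN + IV_LEN]


def pbkdf2_key(password, salt, iterations=10000, md="sha256"):
    """Derivation used by `openssl enc -pbkdf2` (assumed 1.1.1 defaults)."""
    out = hashlib.pbkdf2_hmac(md, password, salt, iterations, KEY_LEN + IV_LEN)
    return out[:KEY_LEN], out[KEY_LEN:]


def candidate_keys(blob, password):
    """Derive both key/IV pairs; nothing in the header says which one applies."""
    salt, _ = parse_header(blob)
    return {
        "legacy-sha1": evp_bytes_to_key(password, salt),
        "pbkdf2-sha256-10000": pbkdf2_key(password, salt),
    }


if __name__ == "__main__":
    # Constructed sample: fixed salt and placeholder ciphertext, not a real key file.
    sample = MAGIC + bytes.fromhex("0102030405060708") + b"\x00" * 32
    for name, (key, iv) in candidate_keys(sample, b"password").items():
        print(f"{name:20} key={key.hex()} iv={iv.hex()}")
```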