[MDEV-25343] Error log message not helpful when encryption key is too long Created: 2021-04-06  Updated: 2022-10-21  Resolved: 2022-10-21

Status: Closed
Project: MariaDB Server
Component/s: Encryption
Affects Version/s: 10.2, 10.3, 10.4, 10.5
Fix Version/s: 10.3.37, 10.4.27, 10.5.18, 10.6.11, 10.7.7, 10.8.6, 10.9.4, 10.10.2, 10.11.1

Type: Bug Priority: Minor
Reporter: thenatsky Assignee: Daniel Black
Resolution: Fixed Votes: 0
Labels: beginner-friendly, configuration, encryption, errorlog

Attachments: PNG File screenshot-1.png    

 Description   

Relevant Configuration in mariadb.cnf:

[mysqld]
plugin_load_add = file_key_management
file_key_management_filename = /etc/mysql/keys/enc_key.enc
file_key_management_filekey = FILE:/etc/mysql/keys/enc_passwd.key
file_key_management_encryption_algorithm = AES_CBC

MariaDB [(none)]> show plugins soname 'file_key_management.so';
+---------------------+---------------+------------+------------------------+---------+
| Name                | Status        | Type       | Library                | License |
+---------------------+---------------+------------+------------------------+---------+
| file_key_management | NOT INSTALLED | ENCRYPTION | file_key_management.so | GPL     |
+---------------------+---------------+------------+------------------------+---------+

Error log:

Apr  6 03:29:43 localhost mariadbd[27605]: 2021-04-06  3:29:43 0 [ERROR] mariadbd: Cannot decrypt /etc/mysql/keys/enc_key.enc. Wrong key?
Apr  6 03:29:43 localhost mariadbd[27605]: 2021-04-06  3:29:43 0 [ERROR] Plugin 'file_key_management' init function returned error.
Apr  6 03:29:43 localhost mariadbd[27605]: 2021-04-06  3:29:43 0 [ERROR] Plugin 'file_key_management' registration as a ENCRYPTION failed.

After hours of trying different things, it turned out that the key was too long (I'd inadvertently used 512 characters). Recreated the file_key_management_filename and file_key_management_filekey using a 256-character key and it all worked fine.

I suggest checking the length (if not already happening) and then issuing a more helpful error like "Cannot decrypt <file_key_management_filename>. <file_key_management_filekey> has incorrect length"

This would have helped me realise where the error was (i.e. between chair and keyboard) and would have taken less than a minute to address.



 Comments   
Comment by kurt.ding [ 2022-09-16 ]

I add a note to notify the user, like the picture below. Is it OK?

Comment by kurt.ding [ 2022-09-16 ]

PR is https://github.com/MariaDB/server/pull/2269

Comment by Daniel Black [ 2022-10-19 ]

Sorry, I needed to revert this.

The reasons are per https://github.com/MariaDB/server/pull/2291. The default file is 257 bytes. Can you use a slightly bigger buffer and do the error after the loop at https://github.com/MariaDB/server/pull/2269/files#diff-ce8ad7f3ded93731629fb46916155d0516b54be01df6f3398f0cc1fafb884b28R196 when len is reduced?

Comment by kurt.ding [ 2022-10-19 ]

I got your message, the reason is that 128-bit key but has 257 bytes.

Comment by Daniel Black [ 2022-10-21 ]

Thanks Kurt Ding for the rework to make these additional test cases.
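
A preflight check for the filekey length discussed in this issue, as an added example that is not part of the thread or of MariaDB's code. It assumes a limit of 256 bytes once trailing CR/LF are dropped, inferred from the 256-character and 257-byte figures above; MAX_SECRET, filekey_length and check_filekey are hypothetical names.

```shell
#!/bin/sh
# Added example, not MariaDB code. MAX_SECRET is an assumption taken from the
# thread: a 256-character key loads, a 512-character one does not.
MAX_SECRET=256

# Print the byte length of the filekey after dropping trailing CR/LF, which is
# why a 256-character key can occupy 257 bytes on disk.
filekey_length() (
  LC_ALL=C; export LC_ALL              # count bytes, not locale characters
  path=${1#FILE:}                      # accept the FILE: form used in the .cnf
  [ -r "$path" ] || exit 2
  data=$(cat "$path"; printf x)        # sentinel preserves trailing newlines
  data=${data%x}
  nl='
'
  cr=$(printf '\r')
  while :; do
    case $data in
      *"$nl") data=${data%"$nl"} ;;
      *"$cr") data=${data%"$cr"} ;;
      *) break ;;
    esac
  done
  printf '%s\n' "${#data}"
)

# Return 0 if the key length is usable, non-zero with a specific message if not.
check_filekey() {
  len=$(filekey_length "$1") || { echo "cannot read ${1#FILE:}" >&2; return 2; }
  if [ "$len" -eq 0 ]; then
    echo "${1#FILE:}: key is empty" >&2; return 1
  elif [ "$len" -gt "$MAX_SECRET" ]; then
    echo "${1#FILE:}: key is $len bytes, limit is $MAX_SECRET" >&2; return 1
  fi
  echo "${1#FILE:}: key length $len is acceptable"
}

# Constructed sample keys (not real secrets): 256 and 512 characters + newline.
demo() {
  dir=$(mktemp -d) || return 1
  printf '%0256d\n' 0 > "$dir/ok.key"
  printf '%0512d\n' 0 > "$dir/long.key"
  check_filekey "FILE:$dir/ok.key"
  check_filekey "FILE:$dir/long.key" || echo "rejected before the server starts"
  rm -rf "$dir"
}
demo
```

Run it against the value of file_key_management_filekey before restarting the server, so a length problem is reported as such rather than as "Wrong key?".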
