[MDEV-31094] innodb_encryption_rotate_key_age behaviour is misleading Created: 2023-04-20  Updated: 2023-04-20

Status: Open
Project: MariaDB Server
Component/s: Encryption
Affects Version/s: 10.10.3
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Sebastian Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: encryption, innodb
Environment: Any



Description

The documentation states:

Re-encrypt in background any page having a key older than this number of key versions.

This would normally mean that re-encryption would occur for any table for which

MIN_KEY_VERSION + innodb_encryption_rotate_key_age <= CURRENT_KEY_VERSION


Since innodb_encryption_rotate_key_age cannot be 0 when rotation is enabled, "<=" (less equal) is safe. Unfortunately, that's not how it works. The check in the code is using "<" (less):

if (key_version + rotate_key_age < latest_key_version) { return true; }

The outcome is that when innodb_encryption_rotate_key_age = 1, the tables won't be re-encrypted when I update my encryption key once. I must update it twice, which introduces various difficulties to our external key rotation mechanism.

In the following scenario, it's not possible to have my tables encrypted with key version 2:

#config
innodb_encrypt_tables = ON
innodb_default_encryption_key_id = 1
innodb_encryption_rotate_key_age = 1
----
+----------------------------+-------------------+-----------------+---------------------+
| NAME                       | ENCRYPTION_SCHEME | MIN_KEY_VERSION | CURRENT_KEY_VERSION |
+----------------------------+-------------------+-----------------+---------------------+
| my_db/my_tabl              |                 1 |               1 |                   1 |
+----------------------------+-------------------+-----------------+---------------------+

# Update Key

+----------------------------+-------------------+-----------------+---------------------+
| NAME                       | ENCRYPTION_SCHEME | MIN_KEY_VERSION | CURRENT_KEY_VERSION |
+----------------------------+-------------------+-----------------+---------------------+
| my_db/my_tabl              |                 1 |               1 |                   2 |
+----------------------------+-------------------+-----------------+---------------------+

# Update Key

+----------------------------+-------------------+-----------------+---------------------+
| NAME                       | ENCRYPTION_SCHEME | MIN_KEY_VERSION | CURRENT_KEY_VERSION |
+----------------------------+-------------------+-----------------+---------------------+
| my_db/my_tabl              |                 1 |               3 |                   3 |
+----------------------------+-------------------+-----------------+---------------------+
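The off-by-one described in the report, modelled as an added example (this is not MariaDB's code; the function names, the one-table simulation and the assumption that the background thread re-encrypts immediately after each key update are mine). It places the quoted "<" check beside the "<=" the documentation implies and replays the reporter's key-update sequence to reproduce the MIN_KEY_VERSION column above:

```cpp
#include <cstdint>
#include <vector>

// The check as quoted from the server source in the report (strict less-than).
bool needs_rotation_as_implemented(uint32_t key_version, uint32_t rotate_key_age,
                                   uint32_t latest_key_version) {
    return key_version + rotate_key_age < latest_key_version;
}

// The check as the documentation sentence reads ("older than this number of
// key versions"), i.e. the "<=" the reporter expected.
bool needs_rotation_as_documented(uint32_t key_version, uint32_t rotate_key_age,
                                  uint32_t latest_key_version) {
    return key_version + rotate_key_age <= latest_key_version;
}

// One row of the INFORMATION_SCHEMA-style output shown in the report.
struct Step { uint32_t current_key_version; uint32_t min_key_version; };

// Hypothetical one-table simulation: start at key version 1, apply `updates`
// external key updates, and let the (simplified) background rotation thread
// run after each one. Returns the history of (CURRENT, MIN) pairs.
std::vector<Step> simulate(uint32_t rotate_key_age, int updates, bool documented) {
    uint32_t current = 1, min_version = 1;
    std::vector<Step> history{{current, min_version}};
    for (int i = 0; i < updates; ++i) {
        ++current;  // the external key rotation publishes a new key version
        bool rotate = documented
            ? needs_rotation_as_documented(min_version, rotate_key_age, current)
            : needs_rotation_as_implemented(min_version, rotate_key_age, current);
        if (rotate) min_version = current;  // pages re-encrypted with the latest key
        history.push_back({current, min_version});
    }
    return history;
}

// Convenience: MIN_KEY_VERSION after the given number of key updates.
uint32_t min_version_after(uint32_t rotate_key_age, int updates, bool documented) {
    return simulate(rotate_key_age, updates, documented).back().min_key_version;
}
```

With rotate_key_age = 1 the implemented check leaves MIN_KEY_VERSION at 1 after the first update and jumps it to 3 after the second, exactly the 1 / 1 / 3 column in the report, while the documented semantics would give 1 / 2 / 3.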



Comments
Comment by Marko Mäkelä [ 2023-04-20 ]

If I remember correctly, the default encryption plugin file_key_management does not support key versions, which could be why this bug has not been noticed earlier. Can you contribute a fix? I think that it should target the 10.4 release.

Generated at Thu Feb 08 10:21:14 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.