[MDEV-9010] Encryption preset file contains different configuration preset than documentation Created: 2015-10-25  Updated: 2015-10-29  Resolved: 2015-10-29

Status: Closed
Project: MariaDB Server
Component/s: Documentation, Encryption
Affects Version/s: 10.1.8
Fix Version/s: 10.1.9

Type: Bug Priority: Major
Reporter: Michaël de groot Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: None
Environment:

CentOS7


Issue Links:
Duplicate
duplicates MDEV-8990 [PATCH] enable_encryption Preset is n... Closed
Sprint: 10.1.9-1

 Description   

Hi,

In the CentOS7 package there is a /etc/my.cnf.d/encryption.preset file. This file contains configurations 'loose-innodb-encrypt-log' and 'loose-innodb-encrypt-tables'.
Why are these configurations prefixed with 'loose-'?

Also, it contains aria-encrypt-tables; the server does not start with this. It requires an option; after changing this to =1 it no longer gives an error on this.

According to the documentation it should be innodb-encrypt-tables = FORCE and innodb-encrypt-log: https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/#which-storage-engines-does-mariadb-encryption-support

Cheers,
Michael



 Comments   
Comment by Elena Stepanova [ 2015-10-25 ]

It has already been addressed in MDEV-8990, except for this:

According to the documentation it should be innodb-encrypt-tables = FORCE

Documentation does not say it should be FORCE. It can be ON (same as no argument). See config example on the same page.

Comment by Michaël de groot [ 2015-10-26 ]

The encryptions.preset file says it now, and in the future, guarantees that everything will be encrypted. I think it should be FORCE in this example.

Comment by Elena Stepanova [ 2015-10-26 ]

If you mean the comment in the preset file, it now says, I'm quoting,

# !include this file into your my.cnf (or any of *.cnf files in /etc/my.cnf.d)
# and it will enable data at rest encryption. This is a simple way to
# ensure that everything that can be encrypted will be and your
# data will not leak unencrypted.

That's exactly what the value 'ON' does. The value 'FORCE' does not add anything to 'encrypting everything that can be encrypted', it only makes InnoDB produce errors when you are explicitly trying to create an unencrypted table. These tables are outside the scope of the comment because they cannot be encrypted anyway.
So, I consider ON to be the most reasonable value for the preset.
However, I don't see it anyhow important to keep arguing. Assigning to serg to decide.

Comment by Michaël de groot [ 2015-10-26 ]

My bad, you are right about that. I remembered it not setting encryption by default somehow, but it does. I remembered wrong.

Comment by Sergei Golubchik [ 2015-10-29 ]
  • loose- makes the preset usable when InnoDB is not loaded. For example, when a user only wants to use Aria or, maybe, she is going to install the InnoDB plugin at run-time.
  • aria-encrypt-tables — fixed, thanks
  • FORCE already answered above.
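
Added example (not part of the issue thread and not MariaDB's own code): a small Python check of an option file for the three settings discussed above, folding the loose- prefix and treating '_' and '-' as equivalent in option names. The sample file content and the names parse_options and audit are constructed for illustration.

```python
# Constructed sample modelled on the options named in this issue (not the shipped preset).
SAMPLE = """\
# constructed example
[mariadb]
aria-encrypt-tables
loose-innodb-encrypt-log
loose_innodb_encrypt_tables = on
"""

EXPECTED = ("aria-encrypt-tables", "innodb-encrypt-log", "innodb-encrypt-tables")
ENABLED = {None, "1", "ON", "FORCE"}  # None = option given with no argument

def parse_options(text):
    """Return {name: (value_or_None, is_loose)}; '_' folded to '-', 'loose-' stripped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[!":  # comments, section headers, !include lines
            continue
        name, sep, value = line.partition("=")
        name = name.strip().lower().replace("_", "-")
        loose = name.startswith("loose-")
        if loose:
            name = name[len("loose-"):]
        opts[name] = (value.strip().upper() if sep else None, loose)
    return opts

def audit(text):
    """Return a list of (option, finding) pairs for the three encryption options."""
    opts, findings = parse_options(text), []
    for name in EXPECTED:
        if name not in opts:
            findings.append((name, "missing"))
            continue
        value, _loose = opts[name]
        if value not in ENABLED:
            findings.append((name, "disabled"))
        elif name == "aria-encrypt-tables" and value is None:
            # The reporter's 10.1.8 server refused to start until this became "=1".
            findings.append((name, "no-argument"))
        elif name == "innodb-encrypt-tables" and value != "FORCE":
            # Informational: ON encrypts by default; only FORCE makes InnoDB
            # reject an explicit request for an unencrypted table.
            findings.append((name, "on-not-force"))
    return findings

if __name__ == "__main__":
    for option, finding in audit(SAMPLE):
        print(f"{option}: {finding}")
```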