[MDEV-9011] Redo log encryption does not work
Created: 2015-10-25  Updated: 2017-01-12  Resolved: 2015-10-30

Status: Closed
Project: MariaDB Server
Component/s: Encryption, Storage Engine - InnoDB, Storage Engine - XtraDB
Affects Version/s: 10.1.8
Fix Version/s: 10.1.9

Type: Bug
Priority: Major
Reporter: Michaël de groot
Assignee: Jan Lindström (Inactive)
Resolution: Fixed
Votes: 0
Labels: None

Issue Links:
Relates: relates to MDEV-11782 "Redefine the innodb_encrypt_log format" (Closed)

Description

Hi,

After setting up encryption I get this error in the log:
2015-10-25 16:15:57 140276342356096 [ERROR] InnoDB: Redo log crypto: getting mysqld crypto key from key version failed. Reason could be that requested key_version 1 is not found or required encryption key management is not found.

Tablespace encryption works:
insert into test values('hello3');
[root@DEV-SQLTEST2 mysql]# strings encrypted/test.ibd |grep hello3
[root@DEV-SQLTEST2 mysql]# strings ib_logfile0 |grep hello3
hello3
ALTER TABLE test encrypted=NO;
[root@DEV-SQLTEST2 mysql]# strings encrypted/test.ibd |grep hello3
hello3

Configuration about encryption:

[mysqld]
plugin-load-add = file_key_management.so
file_key_management_filename = /etc/my.cnf.d/encryption
file-key-management-encryption-algorithm=aes_ctr
 
innodb-encrypt-tables = FORCE
innodb-encrypt-log = ON
 
aria-encrypt-tables = 1
encrypt-binlog
encrypt-tmp-disk-tables
encrypt-tmp-files
loose-innodb-encrypt-log
loose-innodb-encrypt-tables

Other server config:

[mysqld]
datadir = /var/lib/mysql
 
innodb_buffer_pool_size = 1000M
 
innodb_log_file_size = 128M
 
default_storage_engine = InnoDB
 
max_connect_errors = 999999
 
max_connections = 100
 
wait_timeout = 120
 
interactive_timeout = 300
 
 
performance_schema = ON
 
long_query_time = 0.1
slow_query_log = ON
log_error = /var/log/mysql/mysql.err
slow_query_log_file = /var/log/mysql/slow_query.log
sql_error_log_filename = /var/log/mysql/sql_error.log
plugin-load-add = sql_errlog.so
 
log_bin
 
innodb_read_io_threads = 4
innodb_write_io_threads = 4
 
innodb_buffer_pool_instances = 1
 
innodb_io_capacity = 2000
 
 
innodb_flush_method = O_DIRECT
 
query_cache_type = OFF
query_cache_size = 0

Command to generate key:
openssl enc -aes-256-ctr -k testEncryption -P -md sha1

Keys file /etc/my.cnf.d/encryption:

#test
1;36D6CB74CA7D4586CCC7261E174079CC5639E5F681D500ADFA887C165AD49301

Let me know if you need any more info.

Cheers,
Michael



Comments
Comment by Elena Stepanova [ 2015-10-26 ]

Thanks for the report.
Apparently, redo log can only deal with 128-bit keys. I could not find anything in the documentation to justify it.

Comment by Jan Lindström (Inactive) [ 2015-10-30 ]

There should not be any restriction against using 256-bit keys. What version of OpenSSL or similar do you have?

Comment by Elena Stepanova [ 2015-10-30 ]

I have

ii  openssl                               1.0.1e-2+deb7u16                         amd64        Secure Socket Layer (SSL) binary and related cryptographic tools

Please note that the same 256-bit keys work just fine for table encryption, only redo log encryption fails.

Comment by Jan Lindström (Inactive) [ 2015-10-30 ]

Thanks, bug found (and fixed).

Comment by Jan Lindström (Inactive) [ 2015-10-30 ]

commit 81d35841bd05085d61f3562201b802ca53802941
Author: Jan Lindström <jan.lindstrom@mariadb.com>
Date: Fri Oct 30 13:12:30 2015 +0200

MDEV-9011: Redo log encryption does not work

Redo log encryption used too short a buffer when getting
encryption keys.
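
Added example, not part of the ticket and not MariaDB code: a POSIX shell version of the two checks this issue turns on, namely which key sizes the key file holds (the reporter's key is 64 hex digits, i.e. 256 bits, the size that failed for the redo log in 10.1.8) and whether a known plaintext marker still appears in on-disk files. The function names are hypothetical, the accepted key sizes of 128, 192 and 256 bits are an assumption about the file_key_management format, and the demo data is constructed.

```sh
#!/bin/sh
# Added example, not MariaDB code. Function names are hypothetical.

# Print "<id> <bits>" for each "id;hexkey" entry of a key file. "#" comments
# and blank lines are skipped. Entries that are not 128/192/256-bit hex keys
# print "<id> invalid". Returns 1 on a bad entry, 2 if the file is unreadable.
keyfile_key_bits() (
    rc=0
    while IFS=';' read -r id hex || [ -n "$id" ]; do
        case $id in ''|'#'*) continue ;; esac
        case $id in *[!0-9]*) hex= ;; esac
        case $hex in *[!0-9A-Fa-f]*) hex= ;; esac
        case ${#hex} in
            32|48|64) echo "$id $(( ${#hex} * 4 ))" ;;
            *) echo "$id invalid"; rc=1 ;;
        esac
    done < "$1" || exit 2
    exit "$rc"
)

# Print each FILE whose raw bytes contain CANARY. Returns 1 if any file
# contains it, 2 if a file could not be read (and so was not checked).
plaintext_leaks() (
    canary=$1; shift; rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "cannot read: $f" >&2; rc=2
        elif LC_ALL=C grep -qF -e "$canary" -- "$f"; then
            echo "$f"; [ "$rc" -eq 2 ] || rc=1
        fi
    done
    exit "$rc"
)

# Demo on constructed data: made-up keys and stand-in file contents.
demo() (
    d=$(mktemp -d) || exit 2
    printf '#test\n1;%064d\n2;%032d\n' 0 0 > "$d/keys"
    printf 'rec\001hello3\002' > "$d/ib_logfile0"   # plaintext redo log stand-in
    printf '\237\001\377' > "$d/test.ibd"           # encrypted tablespace stand-in
    rc=0
    keyfile_key_bits "$d/keys" || rc=$?
    plaintext_leaks hello3 "$d/ib_logfile0" "$d/test.ibd" || rc=$?
    rm -rf "$d"
    exit "$rc"
)

if [ "${1:-}" = demo ]; then demo; fi
```

A non-zero status from `plaintext_leaks` makes the check usable as a gate after enabling `innodb-encrypt-log`: write a unique marker row, then scan the tablespace and `ib_logfile*` files for it.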
