- Whenever a new key or a key version is required (e.g CREATE TABLE ... ENCRYPTED=YES), plugins issues GenerateDataKeyWithoutPlaintext AWS API call to generate a new datakey, and stores ciphered key it in a file in the data directory. The file name for a key-number $key and version $ver will be aws-kms-key.$key.$ver
- Ciphered datakeys are decrypted(in memory) using Decrypt API call , and returned by get_key() encryption API calls.
- The data is encrypted with plain key, using AES-128 or AES-256 , depending on plain key length.
|