Hi Jan,

1) rotating encrypted => unencrypted is definitely supported,

in my latest version the TODO is removed...(hope you have a recent enough version)

2) Thanks! for testcase, it did indeed reveal a bug with the "encrypted => unencrypted => encrypted" sequence

attaching fix.

Let me know it fixes your version of testcase (i've used a modified version since e.g we don't have per table settings...)

/Jonas

On Fri, May 15, 2015 at 1:23 PM, Jan Lindström <jan.lindstrom@mariadb.com> wrote:

Hi,

At fil0crypt.cc there is

fil_crypt_needs_rotation(uint key_version, const key_state_t *key_state)
{
    // TODO(jonaso): Add support for rotating encrypted => unencrypted

    if (key_version == 0 && key_state->key_version != 0) {
        /* this is rotation unencrypted => encrypted
        * ignore rotate_key_age */
        return true;
    }

Thus to me it is not clear is the support for rotating encrypted => unencrypted really missing or not and furthermore, see attached test case for this,

encrypted + insert + grep : ok
encrypted => unencrypted + grep: ok
unencrypted => encrypted + grep: not ok

R: Jan