Hi Jan, 1) rotating encrypted => unencrypted is definitely supported, in my latest version the TODO is removed...(hope you have a recent enough version) 2) Thanks! for testcase, it did indeed reveal a bug with the "encrypted => unencrypted => encrypted" sequence attaching fix. Let me know it fixes your version of testcase (i've used a modified version since e.g we don't have per table settings...) /Jonas On Fri, May 15, 2015 at 1:23 PM, Jan Lindström <jan.lindstrom@mariadb.com> wrote:

Hi,

At fil0crypt.cc there is

fil_crypt_needs_rotation(uint key_version, const key_state_t *key_state) { // TODO(jonaso): Add support for rotating encrypted => unencrypted

if (key_version == 0 && key_state->key_version != 0) { /* this is rotation unencrypted => encrypted * ignore rotate_key_age */ return true; }

Thus to me it is not clear is the support for rotating encrypted => unencrypted really missing or not and furthermore, see attached test case for this,

encrypted + insert + grep : ok encrypted => unencrypted + grep: ok unencrypted => encrypted + grep: not ok

R: Jan