Hi, obsa! On Feb 22, obsa@mm.st wrote:
> Encryption key management
>
> MariaDB encryption supports multiple encryption keys, they are identified by a key identifier — a 32-bit integer. To support automatic key rotation every key additionally might have different versions. XtraDB and InnoDB can automatically re-encrypt the data from an older to a newer version of the same key. But how different keys are stored and rotated depends on the key management solution that you choose.

but for this plugin

> file_key_management: This plugin does not support key rotation — all keys always have the version 1.
So I understand that I can't rotate the keys similar to what the AWS plugin provides.
But if I need to change the key at any time, either just its encrypted form &/or the 'master'
What's the procedure to re-key all the encrypted tables?
Do I need to (1) stop the server, (2) manually decrypt each table with its old key, (3) re-encrypt each table with the new key, (4) restart the server?
Without key rotation, there's no automatic way, unfortunately. A perhaps more convenient approach could be:

(1) add a new key to the keys.txt, with a different ID;
(2) restart the server;
(3) do ALTER TABLE ... ENCRYPTION_KEY_ID=xxx for every encrypted table to switch it to the new key.

Another possibility would be to add key rotation support to the file_key_management plugin. It is easier than it sounds: this plugin is quite simple.

Regards,
Sergei
Chief Architect MariaDB
and security@mariadb.org
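Sergei's three-step re-key procedure, written out as an added example; it is not part of the original thread nor MariaDB's own documentation. It assumes the file_key_management plugin, a key file at /etc/mysql/encryption/keys.txt (the path is an assumption; check file_key_management_filename), an existing key ID 1 and a new key ID 2, a server new enough to have the INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION view, and a hypothetical table `shop`.`orders` to illustrate one generated statement. The part that turns the "for every encrypted table" step into something you can run is the query that generates the ALTER statements from the information schema rather than from memory.

```sql
-- Step 1 (in the key file, not in SQL): add the new key under a new ID.
-- file_key_management reads one "<id>;<hex key>" line per key; a key is
-- 16, 24 or 32 bytes (32, 48 or 64 hex digits). Path is an assumption:
--   /etc/mysql/encryption/keys.txt
--     1;<existing key, keep it until every table has been moved off it>
--     2;<new key, e.g. generated with: openssl rand -hex 32>
-- Step 2 (shell, not SQL): restart so the plugin re-reads the file, e.g.
--   systemctl restart mariadb

-- Step 3a: list what is encrypted today and under which key ID.
-- ENCRYPTION_SCHEME = 0 means the tablespace is not encrypted.
SELECT NAME, ENCRYPTION_SCHEME, CURRENT_KEY_ID
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE ENCRYPTION_SCHEME <> 0
ORDER BY NAME;

-- Step 3b: generate one ALTER per encrypted table not yet on key 2.
-- NAME is 'db/table'; a partition appears as 'db/table#P#p0', so the
-- partition suffix is stripped and DISTINCT collapses the partitions
-- into a single ALTER on the base table. Rows without a '/' (system
-- tablespace, undo) are not tables and are skipped.
SELECT DISTINCT CONCAT(
         'ALTER TABLE `', SUBSTRING_INDEX(NAME, '/', 1), '`.`',
         SUBSTRING_INDEX(SUBSTRING_INDEX(NAME, '/', -1), '#P#', 1),
         '` ENCRYPTED=YES ENCRYPTION_KEY_ID=2;') AS rekey_stmt
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE ENCRYPTION_SCHEME <> 0
  AND CURRENT_KEY_ID <> 2
  AND NAME LIKE '%/%';

-- Step 3c: run the generated statements (paste them back or pipe them
-- through the client). Each one rebuilds the table: pages are decrypted
-- with the old key and written back under the new one, so budget time and
-- free disk space of roughly the table's size. One generated statement,
-- for the hypothetical table used in this example, looks like:
ALTER TABLE `shop`.`orders` ENCRYPTED=YES ENCRYPTION_KEY_ID=2;

-- Verify: any row returned here is still protected by the old key.
SELECT NAME, CURRENT_KEY_ID
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE ENCRYPTION_SCHEME <> 0
  AND CURRENT_KEY_ID <> 2;

-- Only when that returns no rows, and nothing else still references key 1
-- (redo log with innodb_encrypt_log, Aria tables, binlog encryption), may
-- the "1;..." line be removed from the key file, followed by one more
-- restart. Removing it earlier makes the remaining tables unreadable.
```

Explicitly writing ENCRYPTED=YES alongside the key ID is deliberate: a table that was encrypted only because of innodb_encrypt_tables carries no option of its own in CREATE_OPTIONS, which is why the generator reads the InnoDB encryption view instead of INFORMATION_SCHEMA.TABLES.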