hi sergei,

On Thu, Feb 22, 2018, at 11:57 AM, Sergei Golubchik wrote:
> Without key rotation, there's no automatic way, unfortunately.
:-/
> A, perhaps, more convenient approach could be:
> (1) add new key to the keys.txt - with a different ID.
> (2) restart the server
> (3) do ALTER TABLE...ENCRYPTION_KEY_ID=xxx for every encrypted table to switch it to the new key.
That 'convenience' assumes that you've got a single, or a very few, keys in play. For more/many keys, especially when you start getting per-table keys, it starts getting inconvenient fast. And more importantly, very end-user error-prone!
> Another possibility would be to add key rotation support to the file_key_management plugin.
That'd be useful. Or a different plugin altogether. Depends on the answer to the question: Are there any non-commercial/FOSS, offline key-rotation capable key management plugins? I.e., specifically not AWS'? In the same way that having encryption-ready mariadb-backup *from* MariaDB is really valuable, having a non-3rd-party encryption management solution is similarly valuable/important. Ideally, (easily) integrated with soft/inexpensive HSM. Eventually.
> It is easier than it sounds - this plugin is quite simple.
famous last words ;-)
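The manual re-key procedure Sergei describes above (step 3, repeated per table) is where the error-prone part lives; the following is an added example, not code from the thread or from MariaDB, that scripts that step. It assumes a MariaDB server with InnoDB encryption, reads the rows a DBA would get from information_schema.INNODB_TABLESPACES_ENCRYPTION (the sample rows here are constructed), emits the ALTER TABLE statements only for tables still on the old key id, and gives a leftover check to run before the old key is retired from keys.txt.

```python
# Query to run against the server (assumption: MariaDB, InnoDB encryption on).
# NAME is 'db/table'; CURRENT_KEY_ID is the key id the table is encrypted with.
FIND_TABLES_SQL = (
    "SELECT NAME, CURRENT_KEY_ID "
    "FROM information_schema.INNODB_TABLESPACES_ENCRYPTION "
    "WHERE ENCRYPTION_SCHEME <> 0"
)

# Constructed sample result set, not taken from a real server:
# (tablespace NAME, CURRENT_KEY_ID). One table already uses its own key id.
SAMPLE_ROWS = [
    ("shop/orders", 1),
    ("shop/customers", 1),
    ("shop/audit_log", 3),
    ("hr/salaries", 1),
]


def quote_ident(name):
    """Backtick-quote an identifier, doubling any embedded backtick."""
    return "`" + name.replace("`", "``") + "`"


def rekey_statements(rows, old_key_id, new_key_id):
    """Return one ALTER TABLE per table whose CURRENT_KEY_ID == old_key_id.

    Tables on any other key id are left alone, so a per-table key is never
    silently replaced; the system tablespace (NAME NULL) is skipped too.
    """
    stmts = []
    for name, key_id in rows:
        if not name or key_id != old_key_id:
            continue
        db, _, table = name.partition("/")
        stmts.append(
            f"ALTER TABLE {quote_ident(db)}.{quote_ident(table)} "
            f"ENCRYPTION_KEY_ID={int(new_key_id)};"
        )
    return stmts


def leftovers(rows, old_key_id):
    """Tables still on old_key_id. Re-run FIND_TABLES_SQL after the ALTERs and
    feed the rows here; this must be empty before the old key leaves keys.txt."""
    return [name for name, key_id in rows if name and key_id == old_key_id]


if __name__ == "__main__":
    for stmt in rekey_statements(SAMPLE_ROWS, old_key_id=1, new_key_id=2):
        print(stmt)
```

Pipe the printed statements into the mysql client once you have reviewed them; the second query-and-check is what turns "for every encrypted table" into something verifiable rather than something remembered.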