Hi, Reinis!

On Aug 30, Reinis Rozitis wrote:
Slaves use their own encryption, they can use completely different set of keys with different rotation period. They don't have to be synchronized with the master.
That is clear, but I wanted to know in case they use the same key does the KMS API / Plugin somehow pick up the rotation event and perform the re-encryption on all the replicas (I guess could try just to test it)?
The master does not specifically communicate key rotation to slaves. The way key rotation works in AWS plugin - I don't think the KMS will communicate it either. But, as key rotation is triggered by an SQL statement, you can try to replicate it somehow. E.g. instead of SET, you have a table "key_rotation" and you insert into it. And an AFTER INSERT trigger will do the SET. The insert can be replicated just fine, this way both a master and a slave can rotate at about the same time.
Using multiple keys (per replica) would complicate the setup (a bit).
Sure. It's a possibility, not a requirement.

Regards,
Sergei
VP of MariaDB Server Engineering
and security@mariadb.org
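
A sketch of the table-plus-trigger approach described in the reply above, added here as an illustration and not part of the original message or of MariaDB's documentation. The schema, table and trigger names are hypothetical, and it assumes the AWS key management plugin's `aws_key_management_rotate_key` variable is what the original SET statement targets.

```sql
-- Hypothetical schema and names; run the DDL on the master so it replicates.
CREATE DATABASE IF NOT EXISTS ops;

CREATE TABLE ops.key_rotation (
  id           INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  requested_at TIMESTAMP    NOT NULL DEFAULT CURRENT_TIMESTAMP,
  reason       VARCHAR(255) NOT NULL
) ENGINE=InnoDB;

DELIMITER //
-- The trigger runs with its definer's privileges, so the definer needs
-- the right to SET GLOBAL on every server where the trigger fires.
CREATE TRIGGER ops.key_rotation_ai
AFTER INSERT ON ops.key_rotation
FOR EACH ROW
BEGIN
  -- Assumption: -1 asks the AWS plugin to rotate all of its keys.
  SET GLOBAL aws_key_management_rotate_key = -1;
END//
DELIMITER ;

-- To rotate: insert on the master. The row (or statement) is replicated
-- and the trigger performs the SET on each server where it fires.
INSERT INTO ops.key_rotation (reason) VALUES ('scheduled rotation (constructed sample)');

-- Check on each slave that the trigger can actually fire there.
-- With row-based events, slave-side triggers run only if
-- slave_run_triggers_for_rbr is enabled (the default is NO).
SELECT @@GLOBAL.binlog_format, @@GLOBAL.slave_run_triggers_for_rbr;

-- Compare key versions on master and slaves after the insert has replicated.
SELECT NAME, CURRENT_KEY_ID, MIN_KEY_VERSION, CURRENT_KEY_VERSION
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
ORDER BY NAME;
```

Restrict INSERT on the rotation table to the account that is allowed to trigger rotation, since any insert causes a rotation on every server that runs the trigger.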