Hi, Honza!

On Jul 19, Honza Horak wrote:
On 07/15/2016 11:31 AM, Sergei Golubchik wrote:
On Jul 14, Honza Horak wrote:
I've asked directly in the documentation page, but maybe someone will know the answer here: https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/#comment_2346
In that article it is said that 128-, 192- or 256-bit keys are supported, but later the AES_CTR and AES_CBC modes talk only about 128-bit keys. What piece of information am I missing?
The article says "the plugin will use AES with the 128-bit keys in the CTR mode for encrypting tablespace pages".
Because tablespace pages are always encrypted with a 128-bit tablespace key, which is different for every tablespace and is generated from the user-specified key, which might be 128-, 192-, or 256-bit.
Temporary files and binary logs are encrypted directly with the user-specified key of a user-specified length.
Thanks for the answer, but one more question to make sure I understand it correctly -- in the case of choosing CBC mode, are 128-bit keys used only for tablespace pages, or also for temporary files and binary logs?
Depends on the keys that you've specified in a file. Say, if you've put 192-bit keys there, then 192-bit keys will be used to encrypt temporary files and binary logs. And a 192-bit key will be used to generate a 128-bit tablespace key, which in turn will be used to encrypt a tablespace. It does not depend on the mode, CBC or CTR.

Regards,
Sergei