[Maria-discuss] AWS Key management plugin key rotation in replication
Hello, I wanted to clarify - does the key rotation (with AWS KMS backend) work in a replication scenario? As in, do the slaves (somehow) also get notified and perform the re-encryption if the key is rotated (on the master) in the background, or do you have to use a different key for each slave for rotation to work? In https://mariadb.com/kb/en/encryption-key-management/#key-rotation it wasn't mentioned. wbr rr
Hi, Reinis! Slaves use their own encryption, they can use completely different set of keys with different rotation period. They don't have to be synchronized with the master. On Aug 29, Reinis Rozitis wrote:
> Hello, I wanted to clarify - does the key rotation (with AWS KMS backend) work in a replication scenario? As in, do the slaves (somehow) also get notified and perform the re-encryption if the key is rotated (on the master) in the background, or do you have to use a different key for each slave for rotation to work?
> In https://mariadb.com/kb/en/encryption-key-management/#key-rotation it wasn't mentioned.
Regards, Sergei VP of MariaDB Server Engineering and security@mariadb.org
> Slaves use their own encryption, they can use completely different set of keys with different rotation period. They don't have to be synchronized with the master.
That is clear, but I wanted to know in case they use the same key does the KMS API / Plugin somehow pick up the rotation event and perform the re-encryption on all the replicas (I guess could try just to test it)? Using multiple keys (per replica) would complicate the setup (a bit). rr
Hi, Reinis! On Aug 30, Reinis Rozitis wrote:
> > Slaves use their own encryption, they can use completely different set of keys with different rotation period. They don't have to be synchronized with the master.
> That is clear, but I wanted to know in case they use the same key does the KMS API / Plugin somehow pick up the rotation event and perform the re-encryption on all the replicas (I guess could try just to test it)?
the master does not specifically communicate key rotation to slaves. the way key rotation works in AWS plugin - I don't think the KMS will communicate it either. but, as key rotation is triggered by an sql statement, you can try to replicate it somehow. e.g. instead of SET, you have a table "key_rotation" and you insert into it. And an AFTER INSERT trigger will do the SET. The insert can be replicated just fine, this way both a master and a slave can rotate at about the same time.
> Using multiple keys (per replica) would complicate the setup (a bit).
sure. it's a possibility, not a requirement. Regards, Sergei VP of MariaDB Server Engineering and security@mariadb.org
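The table-plus-trigger scheme sketched in the reply above, written out as an added example (it is not code from the thread or from the MariaDB project). It assumes the AWS key management plugin's `aws_key_management_rotate_key` global variable as described in the MariaDB KB (a key id, or -1 for all keys); the table name `key_rotation` is the one from the reply, while the trigger name, column names and the sample INSERT are invented for illustration. Because the INSERT is an ordinary replicated write, the slave applies it and its own copy of the trigger issues the same SET against the slave's own plugin, so both servers rotate at about the same time without the master knowing anything about the slave's keys.

```sql
-- Added example: replicate a key-rotation request as an ordinary table write.
-- Run this on the master; CREATE TABLE / CREATE TRIGGER replicate as statements,
-- so the slave ends up with the same table and the same trigger.

CREATE TABLE IF NOT EXISTS key_rotation (
  id        BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  key_id    INT          NOT NULL,                   -- encryption key id, or -1 for "all keys"
  requested TIMESTAMP    NOT NULL DEFAULT CURRENT_TIMESTAMP,
  note      VARCHAR(255) NULL                        -- who/why, for the audit trail
) ENGINE=InnoDB;

DELIMITER //
-- The trigger runs with the definer's privileges, so the definer needs the
-- privilege required for SET GLOBAL (SUPER on the versions this thread dates from).
CREATE TRIGGER key_rotation_ai AFTER INSERT ON key_rotation
FOR EACH ROW
BEGIN
  -- Hypothetical plugin variable per the KB: setting it triggers a rotation
  -- of that key (or of every key when -1) in the background on THIS server.
  SET GLOBAL aws_key_management_rotate_key = NEW.key_id;
END//
DELIMITER ;

-- Requesting a rotation is now a plain INSERT (constructed sample row):
-- the master rotates key 1 via its trigger, the replicated INSERT fires the
-- slave's trigger, and the slave rotates its own copy of key 1.
INSERT INTO key_rotation (key_id, note) VALUES (1, 'scheduled rotation');

-- Rotate every key on master and slaves alike:
-- INSERT INTO key_rotation (key_id, note) VALUES (-1, 'rotate all keys');
```

Two checks before relying on this: the trigger only fires on the slave if the INSERT arrives as a statement (binlog_format=STATEMENT, or MIXED when it is logged that way) or if the slave runs triggers for row events (`slave_run_triggers_for_rbr=YES`, off by default), since row-based replication applies the row directly without executing triggers; and the key ids must mean the same thing on both sides, i.e. master and slave must really share the key set, which is exactly the case the original question asks about. On a slave with its own, different keys the replicated INSERT would rotate whatever key carries that id there, so keep the table out of replication (or the trigger off the slave) when the replica's key set is intentionally separate.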
participants (2)
- Reinis Rozitis
- Sergei Golubchik