This is a read-only copy of the MariaDB Knowledgebase generated on 2025-05-01. For the latest, interactive version please visit https://mariadb.com/kb/.

Enterprise ColumnStore Credentials Management

Overview

Starting with MariaDB Enterprise ColumnStore 6.2.3, ColumnStore supports encryption for user passwords stored in Columnstore.xml:

  • Encryption keys are created with the cskeys utility
  • Passwords are encrypted using the cspasswd utility

Compatibility

  • MariaDB Enterprise ColumnStore 6
  • MariaDB Enterprise ColumnStore 22.08
  • MariaDB Enterprise ColumnStore 23.02

Encryption Keys

MariaDB Enterprise ColumnStore stores its password encryption keys in the plain-text file /var/lib/columnstore/.secrets.

The encryption keys are not created by default, but can be generated by executing the cskeys utility:

$ cskeys

In a multi-node Enterprise ColumnStore cluster, every ColumnStore node should have the same encryption keys. Therefore, it is recommended to execute cskeys on the primary server, and then copy /var/lib/columnstore/.secrets to every other ColumnStore node and fix the file's permissions:

$ scp 192.0.2.1:/var/lib/columnstore/.secrets /var/lib/columnstore/.secrets
$ sudo chown mysql:mysql /var/lib/columnstore/.secrets
$ sudo chmod 0400 /var/lib/columnstore/.secrets

Encrypt a Password

To encrypt a password:

Generate an encrypted password using the cspasswd utility:

$ cspasswd util_user_passwd
  • If the --interactive command-line option is specified, cspasswd prompts for the password.

Set the encrypted password in Columnstore.xml using the mcsSetConfig utility:

$ sudo mcsSetConfig CrossEngineSupport Password util_user_encrypted_passwd

Decrypt a Password

To decrypt a password, execute the cspasswd utility and specify the --decrypt command-line option:

$ cspasswd --decrypt util_user_encrypted_passwd
Content reproduced on this site is the property of its respective owners, and this content is not reviewed in advance by MariaDB. The views, information and opinions expressed by this content do not necessarily represent those of MariaDB or any other party.