Manual rotation of the innodb system table encryption key on MariaDB 10.5
Hello everyone,
I implemented data-at-rest encryption on MariaDB 10.5 (Linux, running on Ubuntu 18.04) using the plugin file_key_management.so. Here is my current configuration:

plugin_dir=/usr/lib/mysql/plugin
plugin_load_add = file_key_management.so
loose_file_key_management_filename = /etc/mysql/keyfile.enc
loose_file_key_management_filekey = FILE:/etc/mysql/keyfile.key
loose_file_key_management_encryption_algorithm = AES_CTR
encrypt_binlog = ON
encrypt_tmp_disk_tables = ON
encrypt_tmp_files = ON

innodb_encrypt_tables = FORCE
innodb_encrypt_log = ON
innodb_encryption_threads = 4
innodb_encrypt_temporary_tables = ON
innodb_encryption_rotate_key_age = 1
innodb_encryption_rotation_iops = 3000
I was able to manually rotate the encryption key for all tables except innodb_system:

MariaDB [(none)]> SELECT NAME,CURRENT_KEY_ID FROM information_schema.INNODB_TABLESPACES_ENCRYPTION where ENCRYPTION_SCHEME='1' and NAME like "%innodb%" \G
***** 1. row *****
          NAME: innodb_system
CURRENT_KEY_ID: 1
***** 2. row *****
          NAME: mysql/innodb_table_stats
CURRENT_KEY_ID: 3
***** 3. row *****
          NAME: mysql/innodb_index_stats
CURRENT_KEY_ID: 3
Using the same query, I was not able to rotate the key (other entries in the information_schema.INNODB_TABLESPACES_ENCRYPTION table come along with a database, e.g. mysql/innodb_table_stats, but innodb_system does not):

MariaDB [(none)]> alter table innodb_system encryption_key_id=3;
ERROR 1046 (3D000): No database selected
I found some documentation on how to rotate on MySQL, and if I understood correctly this is like a master key for InnoDB system tables:
mysql> ALTER INSTANCE ROTATE INNODB MASTER KEY;
Which does not work.
Can anyone please show me how to manually rotate the innodb_system encryption key?
Thank you in advance.
Answer
Answered by Vladislav Vaintroub in this comment.
That does not work, and MySQL's encryption implementation, which came years after MariaDB's, has nothing in common with MariaDB.
This file_key_management plugin does not support key versions and thus no rotations. ALTER TABLE is for user tables; for system tables it does not work.
So the answer is: you can't rotate the encryption key with a plugin that does not support rotations.
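The following SQL is an added example that illustrates both the check in the question and the limitation stated in the answer; it is not part of the original thread and not MariaDB project code. It assumes the file_key_management key file already contains a key with id 3 (the target key id used in the question), that the statements are run as a user with ALTER privilege on the affected tables, and that the column names of information_schema.INNODB_TABLESPACES_ENCRYPTION are those documented for MariaDB 10.x. It shows how to list which encrypted tablespaces are still on the old key id, how to generate fully qualified ALTER TABLE statements for the user tables (the only tablespaces ALTER TABLE can re-key), and how innodb_system is left out because it has no owning database.

```sql
-- Added example, not from the original thread. Assumes key id 3 exists in
-- the file_key_management key file and that the `mysql` database holds the
-- two stats tables shown in the question.

-- 1. Audit: which encrypted tablespaces are not yet on key id 3, and is a
--    background rotation or flush still in progress on any of them?
--    With file_key_management the *_KEY_VERSION columns stay at 1 (the
--    plugin has no key versions); only CURRENT_KEY_ID changes.
SELECT NAME,
       CURRENT_KEY_ID,
       MIN_KEY_VERSION,
       CURRENT_KEY_VERSION,
       ROTATING_OR_FLUSHING
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE ENCRYPTION_SCHEME = 1
  AND (CURRENT_KEY_ID <> 3 OR ROTATING_OR_FLUSHING <> 0);

-- 2. Generate the ALTER TABLE statements for user tables still on key id 1.
--    NAME is stored as db/table, so it is split on '/' and both parts are
--    quoted, which avoids the "No database selected" error seen in the
--    question. innodb_system contains no '/' and belongs to no database, so
--    it is excluded here; ALTER TABLE cannot address it in any case.
--    Partition tablespaces (db/table#P#partition) are skipped as well,
--    because the partitioned parent table must be altered instead.
SELECT CONCAT('ALTER TABLE `',
              SUBSTRING_INDEX(NAME, '/', 1), '`.`',
              SUBSTRING_INDEX(NAME, '/', -1),
              '` ENCRYPTION_KEY_ID = 3;') AS rotate_stmt
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE ENCRYPTION_SCHEME = 1
  AND CURRENT_KEY_ID = 1
  AND NAME LIKE '%/%'
  AND NAME NOT LIKE '%#P#%';

-- 3. One statement as generated above, with the database qualified:
ALTER TABLE `mysql`.`innodb_table_stats` ENCRYPTION_KEY_ID = 3;

-- 4. Re-run the audit in step 1: the user tables should now report
--    CURRENT_KEY_ID = 3, while innodb_system remains on its original key id.
```

Run step 1 before and after the ALTER statements. Any row left by the final audit that still shows CURRENT_KEY_ID = 1 is either the innodb_system tablespace, which this plugin cannot re-key, or a table on which the ALTER has not yet been applied.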