START_ENCRYPTION_EVENT

Since MariaDB 10.1.7, the START_ENCRYPTION event is written to every binary log file if encrypt_binlog is set to ON.

This event is written just once, after the Format Description event (which is the first event of a binlog file at pos 4).

The event has the 19 bytes event header with EventType set to value 164 (0xa4) + 17 bytes data.

Header

• Event type is 164 (0xa4)

Fields

Decryption of following events

All data of following events in the binlog file are encrypted, except for the event_length field

The 16 byte encryption IV is generated from the 12 byte nonce (uint<12>) in the binlog plus the current position of the event being encrypted (uint<4>). This means the last four bytes of the IV change for every event and the first 12 bytes change for every binlog file.

Since the event_length is always unencrypted, the encrypted data block has to be modified before it can be decrypted:

• store event_length
• copy the first four bytes (encrypted timestamp) to event_length position (offset=9)
• decrypt starting from offset 4 and store result at offset 4 of decrypted buffer

The unencrypted block now also needs to be modified

• move unencrypted timestamp value from offset 9 to the beginning (offset=0)
• store event_length at position 9

Complete example with CRC32 from a binary log.

b8 5f 5a 59 a4 5d 00 00  00 28 00 00 00 21 01 00 ._ZY.]...(...!..
00 00 00 01 01 00 00 00  65 57 50 26 63 59 37 46 ........eWP&cY7F
2f 3b 33 23 06 bb da 62                          /;3#...b

header, 19 bytes:

content,17 bytes

crc32, 4 bytes, of the whole event (header[19] + content[17])

• 06 bb da 62 => 62 da bb 06 => 1658501894