START_ENCRYPTION_EVENT
MariaDB starting with 10.1.7
The START_ENCRYPTION
event was introduced in MariaDB 10.1.7.
Since MariaDB 10.1.7, the START_ENCRYPTION
event is written to every binary log file if encrypt_binlog is set to ON.
This event is written just once, after the Format Description event (which is the first event of a binlog file at pos 4).
The event has the 19 bytes event header with EventType set to value 164 (0xa4) + 17 bytes data.
Header
- Event type is 164 (0xa4)
Fields
Decryption of following events
All data of following events in the binlog file are encrypted, except for the event_length field
The 16 byte encryption IV is generated from the 12 byte nonce (uint<12>) in the binlog plus the current position of the event being encrypted (uint<4>). This means the last four bytes of the IV change for every event and the first 12 bytes change for every binlog file.
Since the event_length is always unencrypted, the encrypted data block has to be modified before it can be decrypted:
- store event_length
- copy the first four bytes (encrypted timestamp) to event_length position (offset=9)
- decrypt starting from offset 4 and store result at offset 4 of decrypted buffer
The unencrypted block now also needs to be modified
- move unencrypted timestamp value from offset 9 to the beginning (offset=0)
- store event_length at position 9
Complete example with CRC32 from a binary log.
b8 5f 5a 59 a4 5d 00 00 00 28 00 00 00 21 01 00 ._ZY.]...(...!.. 00 00 00 01 01 00 00 00 65 57 50 26 63 59 37 46 ........eWP&cY7F 2f 3b 33 23 06 bb da 62 /;3#...b
header, 19 bytes:
- timestamp [4] = b8 5f 5a 59 => 59 5a 5f b8 => 1499094968 [2017-07-03 17:16:08]
- type [1} = a4 => 164
- server_id [4} = 5d 00 00 00 => 00 00 00 5d => 93
- event_size [4] = 28 00 00 00 => 00 00 00 28 => 40 [header + content + crc32(header + content)]
- next_pos [4] = 21 01 00 00 => 00 00 01 21 => 289
- flags [2] = 00 00 => 0
content,17 bytes
- Enc scheme [1] = 01 => 1
- Enc key ver [4] = 01 00 00 00 => 00 00 00 01 => 1
- Nonce [12] = eWP&cY7F/;3#
crc32, 4 bytes, of the whole event (header[19] + content[17])
- 06 bb da 62 => 62 da bb 06 => 1658501894