Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 10.1.4
-
Fix Version/s: 10.1.5
-
Component/s: Encryption
-
Labels:None
-
Environment:CentOS 7 64 Bit
Description
The file_key_management_filekey variable doesn't seem to be parsed correctly when used with the FILE: option. The log file responds with the following message...
[ERROR] mysqld: Cannot decrypt /var/lib/mysql/key.enc. Wrong key?
I've checked my key.enc file decrypts successfully with the following command...
openssl aes-256-cbc -d -md sha1 -k secret -in key.enc
and when I set...
file_key_management_filekey=secret
and restart mariadb there are no complaints in the error log. Running SHOW VARIABLES LIKE 'file%';
Show the file_key_management_% variables have been set by the server.
I've checked my pwd file a number of times, tried it with a newline after the password, all with the same result.
Cheers,
Rhys
Gliffy Diagrams
Attachments
Activity
- All
- Comments
- Work Log
- History
- Activity
- Transitions
OK, that was it. I wasn't aware of the difference of...
linux> echo secret > 1.txt
linux> echo -n secret > 2.txt
linux> cat 1.txt | wc -c && cat 2.txt | wc -c
7
6
I +1 for a chomp to be done on the password in the file.
Thanks.
Hi,
Sorry I don't quite understand the description. Could you please provide the exact combination of file_key_management* variables which does not work, and explain whether you set them at runtime, or add them to the cnf file, or put them on the command line; and the combination of the variables which works.
Thanks.
It's resolved. See above comments.
Cheers,
R
I still think this needs a chomp performed on the password obtained from the file.
Re-opening for the chomp consideration.
Yes, I agree that the current behavior is sometimes unexpected.
On the other hand, one may want to include a newline character in the key. I see these options:
- always remove all newline characters (one won't be able to use a key that ends with a new line, but who cares?)
- don't remove newline character, but print a warning that a key includes a newline character at the end (doesn't solve the problem, but at least makes the user aware of it)
- only remove one last newline, one will be able to use a key with newline at the end by putting two newlines in the file (a bit difficult to document, don't look natural)
- something else?
I would just chomp it. I think that's the expected behaviour for almost everybody. I've never come across anyone using, or advocating using, a newline in a password/passphrase. As a general rule I think we expect passwords to not have any leading or trailing whitespace characters.
Did you try the password file without a newline? Because the plugin uses the whole file content as a password, including the last newline character. Try