MDEV-7993: file_key_management_filekey doesn't work as expected with FILE:

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.1.4
    • Fix Version/s: 10.1.5
    • Component/s: Encryption
    • Labels:
      None
    • Environment:
      CentOS 7 64 Bit

      Description

      The file_key_management_filekey variable doesn't seem to be parsed correctly when used with the FILE: option. The log file responds with the following message...

      [ERROR] mysqld: Cannot decrypt /var/lib/mysql/key.enc. Wrong key?
      

      I've checked my key.enc file decrypts successfully with the following command...

      openssl aes-256-cbc -d -md sha1 -k secret -in key.enc
      

      and when I set...

      file_key_management_filekey=secret
      

      and restart mariadb there are no complaints in the error log. Running SHOW VARIABLES LIKE 'file%'; shows that the file_key_management_% variables have been set by the server.

      I've checked my pwd file a number of times, tried it with a newline after the password, all with the same result.

      Cheers,

      Rhys

            Activity

            Sergei Golubchik (serg) added a comment (edited)

            Did you try the password file without a newline? Because the plugin uses the whole file content as a password, including the last newline character. Try

            echo -n secret > pwdfile
            
            Rhys Campbell (rhyscampbell) added a comment (edited)

            OK, that was it. I wasn't aware of the difference of...

            linux> echo secret > 1.txt
            linux> echo -n secret > 2.txt
            linux> cat 1.txt | wc -c && cat 2.txt | wc -c
            7
            6

            I +1 for a chomp to be done on the password in the file.

            Thanks.

            Elena Stepanova (elenst) added a comment

            Hi,

            Sorry I don't quite understand the description. Could you please provide the exact combination of file_key_management* variables which does not work, and explain whether you set them at runtime, or add them to the cnf file, or put them on the command line; and the combination of the variables which works.

            Thanks.

            Rhys Campbell (rhyscampbell) added a comment

            It's resolved. See above comments.

            Cheers,

            R

            Rhys Campbell (rhyscampbell) added a comment

            I still think this needs a chomp performed on the password obtained from the file.

            Elena Stepanova (elenst) added a comment

            Re-opening for the chomp consideration.

            Sergei Golubchik (serg) added a comment

            Yes, I agree that the current behavior is sometimes unexpected.

            On the other hand, one may want to include a newline character in the key. I see these options:

            1. always remove all newline characters (one won't be able to use a key that ends with a new line, but who cares?)
            2. don't remove newline character, but print a warning that a key includes a newline character at the end (doesn't solve the problem, but at least makes the user aware of it)
            3. only remove one last newline, one will be able to use a key with newline at the end by putting two newlines in the file (a bit difficult to document, doesn't look natural)
            4. something else?
            Rhys Campbell (rhyscampbell) added a comment
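The root cause in this thread is that the plugin feeds every byte of the password file, trailing newline included, into the key derivation, so `echo secret > pwdfile` and `echo -n secret > pwdfile` produce different AES keys. The following is an added illustration, not MariaDB's own code: it reimplements OpenSSL's EVP_BytesToKey (the derivation behind `openssl enc -k ... -md sha1`, with count=1) using only hashlib, shows that "secret" and "secret\n" yield different keys for the same salt, and implements the three handling options from the comment above as small functions. The sample passphrases and the salt are constructed for the demonstration; the `Salted__` header parsing assumes the standard `openssl enc` file layout.

```python
"""Added illustration (not MariaDB code): why a trailing newline in the
file_key_management_filekey password file breaks decryption, and what the
three 'chomp' options discussed in MDEV-7993 would do to the password."""
import hashlib
import os

# Constructed samples: what `echo secret > pwdfile` and `echo -n secret > pwdfile` write.
PWD_WITH_NEWLINE = b"secret\n"
PWD_WITHOUT_NEWLINE = b"secret"


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int = 32,
                     iv_len: int = 16, md: str = "sha1") -> tuple:
    """OpenSSL EVP_BytesToKey with count=1, as used by `openssl enc -k <pw> -md sha1`.
    D_i = H(D_{i-1} || passphrase || salt), concatenated until key+iv bytes exist.
    Every passphrase byte is hashed, so an extra '\\n' changes the whole key."""
    derived = b""
    block = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(md, block + passphrase + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def read_salt_from_openssl_file(data: bytes) -> bytes:
    """`openssl enc` output begins with the magic 'Salted__' and an 8-byte salt."""
    if not data.startswith(b"Salted__") or len(data) < 16:
        raise ValueError("not an OpenSSL salted file")
    return data[8:16]


# --- the three options from the thread, applied to the raw file content ---
def chomp_one(pw: bytes) -> bytes:
    """Option 3: remove exactly one trailing newline (LF or CRLF); a password
    that must end in a newline is written with two newlines."""
    if pw.endswith(b"\r\n"):
        return pw[:-2]
    if pw.endswith(b"\n"):
        return pw[:-1]
    return pw


def strip_all_newlines(pw: bytes) -> bytes:
    """Option 1: drop every trailing newline character."""
    return pw.rstrip(b"\r\n")


def has_trailing_newline(pw: bytes) -> bool:
    """Option 2: keep the bytes untouched; the caller logs a warning when True."""
    return pw.endswith(b"\n")


def keys_differ(pw_a: bytes, pw_b: bytes, salt: bytes) -> bool:
    """True when the two passphrases derive different AES keys for the same salt."""
    return evp_bytes_to_key(pw_a, salt)[0] != evp_bytes_to_key(pw_b, salt)[0]


if __name__ == "__main__":
    salt = os.urandom(8)  # constructed salt, standing in for the one inside key.enc
    key_ok, _ = evp_bytes_to_key(PWD_WITHOUT_NEWLINE, salt)
    key_nl, _ = evp_bytes_to_key(PWD_WITH_NEWLINE, salt)
    print("key from 'secret'   :", key_ok.hex())
    print("key from 'secret\\n' :", key_nl.hex())
    # A different key is exactly what produces "Cannot decrypt ... Wrong key?"
    print("keys differ:", keys_differ(PWD_WITHOUT_NEWLINE, PWD_WITH_NEWLINE, salt))
    print("option 1:", strip_all_newlines(PWD_WITH_NEWLINE))
    print("option 2 warns:", has_trailing_newline(PWD_WITH_NEWLINE))
    print("option 3:", chomp_one(PWD_WITH_NEWLINE))
```

Running it prints two different 32-byte keys for the same salt, which is the whole bug in one line of output; `chomp_one` is the behaviour the reporter asked for, and the CRLF case is handled because a password file edited on Windows would otherwise still fail.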

            I would just chomp it. I think that's the expected behaviour for almost everybody. I've never come across anyone using, or advocating using, a newline in a password/passphrase. As a general rule I think we expect passwords to not have any leading or trailing whitespace characters.


              People

              • Assignee: Sergei Golubchik (serg)
              • Reporter: Rhys Campbell (rhyscampbell)
              • Votes: 0
              • Watchers: 3