Details
-
Type:
Bug
-
Status: Open
-
Priority:
Major
-
Resolution: Unresolved
-
Affects Version/s: 10.1.4
-
Fix Version/s: 10.1
-
Component/s: Encryption
-
Labels:None
Description
Note: I don't really know what is right and what is wrong here (see MDEV-8148 – request to document it). I am only trying to guess, and it seems I can never guess right
server started with --plugin-load-add=file_key_management.so --file_key_management_filename=/home/elenst/git/10.1/mysql-test/std_data/keys.txt
+------------------------------------------+---------+ | Variable_name | Value | +------------------------------------------+---------+ | aria_encrypt_tables | OFF | | encrypt_tmp_disk_tables | OFF | | file_key_management_encryption_algorithm | aes_cbc | | innodb_default_encryption_key_id | 1 | | innodb_encrypt_log | OFF | | innodb_encrypt_tables | OFF | | innodb_encryption_rotate_key_age | 1 | | innodb_encryption_rotation_iops | 100 | | innodb_encryption_threads | 0 | +------------------------------------------+---------+
DDL that will be executed
drop database if exists db_encrypt; create database db_encrypt; use db_encrypt; create table t_encrypted_existing_key (i int) encrypted=yes encryption_key_id = 2; create table t_not_encrypted_existing_key (i int) encrypted=no encryption_key_id = 2; create table t_encrypted_non_existing_key (i int) encrypted=yes encryption_key_id = 9; create table t_not_encrypted_non_existing_key (i int) encrypted=no encryption_key_id = 9; create table t_default_encryption_existing_key (i int) encryption_key_id = 2; create table t_default_encryption_non_existing_key (i int) encryption_key_id = 9; create table t_encrypted_default_key (i int) encrypted=yes; create table t_not_encrypted_default_key (i int) encrypted=no; create table t_defaults (i int);
Note: t_encrypted_non_existing_key will not be created
set global innodb_encrypt_tables = 0; # (Re-)create all the tables as above
MariaDB [db_encrypt]> select * from information_schema.innodb_tablespaces_encryption where name like 'db_encrypt%'; +-------+--------------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+ | SPACE | NAME | ENCRYPTION_SCHEME | KEYSERVER_REQUESTS | MIN_KEY_VERSION | CURRENT_KEY_VERSION | KEY_ROTATION_PAGE_NUMBER | KEY_ROTATION_MAX_PAGE_NUMBER | +-------+--------------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+ | 10 | db_encrypt/t_encrypted_existing_key | 0 | 0 | 0 | 0 | NULL | NULL | | 11 | db_encrypt/t_not_encrypted_existing_key | 0 | 0 | 0 | 0 | NULL | NULL | | 12 | db_encrypt/t_not_encrypted_non_existing_key | 0 | 0 | 0 | 0 | NULL | NULL | | 13 | db_encrypt/t_default_encryption_existing_key | 0 | 0 | 0 | 0 | NULL | NULL | | 14 | db_encrypt/t_default_encryption_non_existing_key | 0 | 0 | 0 | 0 | NULL | NULL | | 15 | db_encrypt/t_encrypted_default_key | 0 | 0 | 0 | 0 | NULL | NULL | | 16 | db_encrypt/t_not_encrypted_default_key | 0 | 0 | 0 | 0 | NULL | NULL | | 17 | db_encrypt/t_defaults | 0 | 0 | 0 | 0 | NULL | NULL | +-------+--------------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+ 8 rows in set (0.00 sec)
It does not seem to change with time.
It is already weird: as I understand from the description, tables with ENCRYPTED=YES should be encrypted regardless of innodb_encrypt_tables.
However, this part might be a duplicate of MDEV-8138.
set global innodb_encrypt_tables = 1; # Wait a bit?
MariaDB [db_encrypt]> select * from information_schema.innodb_tablespaces_encryption where name like 'db_encrypt%'; +-------+--------------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+ | SPACE | NAME | ENCRYPTION_SCHEME | KEYSERVER_REQUESTS | MIN_KEY_VERSION | CURRENT_KEY_VERSION | KEY_ROTATION_PAGE_NUMBER | KEY_ROTATION_MAX_PAGE_NUMBER | +-------+--------------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+ | 10 | db_encrypt/t_encrypted_existing_key | 0 | 0 | 0 | 4294967295 | NULL | NULL | | 11 | db_encrypt/t_not_encrypted_existing_key | 0 | 0 | 0 | 4294967295 | NULL | NULL | | 12 | db_encrypt/t_not_encrypted_non_existing_key | 0 | 0 | 0 | 4294967295 | NULL | NULL | | 13 | db_encrypt/t_default_encryption_existing_key | 0 | 0 | 0 | 4294967295 | NULL | NULL | | 14 | db_encrypt/t_default_encryption_non_existing_key | 0 | 0 | 0 | 4294967295 | NULL | NULL | | 15 | db_encrypt/t_encrypted_default_key | 0 | 0 | 0 | 4294967295 | NULL | NULL | | 16 | db_encrypt/t_not_encrypted_default_key | 0 | 0 | 0 | 4294967295 | NULL | NULL | | 17 | db_encrypt/t_defaults | 0 | 0 | 0 | 4294967295 | NULL | NULL | +-------+--------------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+ 8 rows in set (0.00 sec)
I can't event start guessing why it is the way it is. It also does not change with time.
Now, with innodb_encrypt_tables=1 re-create the tables again.
This time t_encrypted_non_existing_key and t_default_encryption_non_existing_key are not created. I suppose that's okay.
MariaDB [db_encrypt]> select * from information_schema.innodb_tablespaces_encryption where name like 'db_encrypt%'; +-------+----------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+ | SPACE | NAME | ENCRYPTION_SCHEME | KEYSERVER_REQUESTS | MIN_KEY_VERSION | CURRENT_KEY_VERSION | KEY_ROTATION_PAGE_NUMBER | KEY_ROTATION_MAX_PAGE_NUMBER | +-------+----------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+ | 18 | db_encrypt/t_encrypted_existing_key | 1 | 1 | 1 | 1 | NULL | NULL | | 19 | db_encrypt/t_not_encrypted_existing_key | 1 | 0 | 1 | 1 | NULL | NULL | | 20 | db_encrypt/t_not_encrypted_non_existing_key | 1 | 0 | 4294967295 | 4294967295 | NULL | NULL | | 21 | db_encrypt/t_default_encryption_existing_key | 1 | 1 | 1 | 1 | NULL | NULL | | 22 | db_encrypt/t_encrypted_default_key | 1 | 1 | 1 | 1 | NULL | NULL | | 23 | db_encrypt/t_not_encrypted_default_key | 1 | 0 | 1 | 1 | NULL | NULL | | 24 | db_encrypt/t_defaults | 1 | 1 | 1 | 1 | NULL | NULL | +-------+----------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+ 7 rows in set (0.00 sec)
4294967295 for t_not_encrypted_non_existing_key looks ugly.
Non-zero values for not_encrypted tables are strange.
set global innodb_encrypt_tables = 0; # Wait a bit?
MariaDB [db_encrypt]> select * from information_schema.innodb_tablespaces_encryption where name like 'db_encrypt%'; +-------+----------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+ | SPACE | NAME | ENCRYPTION_SCHEME | KEYSERVER_REQUESTS | MIN_KEY_VERSION | CURRENT_KEY_VERSION | KEY_ROTATION_PAGE_NUMBER | KEY_ROTATION_MAX_PAGE_NUMBER | +-------+----------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+ | 18 | db_encrypt/t_encrypted_existing_key | 1 | 1 | 1 | 0 | NULL | NULL | | 19 | db_encrypt/t_not_encrypted_existing_key | 1 | 0 | 1 | 0 | NULL | NULL | | 20 | db_encrypt/t_not_encrypted_non_existing_key | 1 | 0 | 4294967295 | 0 | NULL | NULL | | 21 | db_encrypt/t_default_encryption_existing_key | 1 | 1 | 1 | 0 | NULL | NULL | | 22 | db_encrypt/t_encrypted_default_key | 1 | 1 | 1 | 0 | NULL | NULL | | 23 | db_encrypt/t_not_encrypted_default_key | 1 | 0 | 1 | 0 | NULL | NULL | | 24 | db_encrypt/t_defaults | 1 | 1 | 1 | 0 | NULL | NULL | +-------+----------------------------------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+ 7 rows in set (0.00 sec)
Nothing else changes, even for tables with default encryption. I don't know if anything should.
Gliffy Diagrams
Attachments
Activity
- All
- Comments
- Work Log
- History
- Activity
- Transitions