
I'm trying to enable File Key Management encryption on a MariaDB 10.6.3 server (Rocky Linux). I'm generating the key file using OpenSSL. I have followed this guide: https://mariadb.com/resources/blog/mariadb-encryption-tde-using-mariadbs-file-key-management-encryption-plugin/

echo "1;"$(openssl rand -hex 32) > /etc/mysql/encryption/keyfile
openssl rand -hex 128 > /etc/mysql/encryption/keyfile.key

While generating encrypted file using

openssl enc -aes-256-cbc -md sha1 -pass file:/etc/mysql/encryption/keyfile.key -in /etc/mysql/encryption/keyfile -out /etc/mysql/encryption/keyfile.enc

I'm getting a warning

*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.

Since the above code was generating a warning, I used

openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 \
 -pass file:/etc/mysql/encryption/keyfile.key -in /etc/mysql/encryption/keyfile -out /etc/mysql/encryption/keyfile.enc

This is the configuration I have added in server.cnf

#File Key Management Plugin
plugin_load_add = file_key_management
file_key_management_filename = /etc/mysql/encryption/keyfile.enc
file_key_management_filekey = FILE:/etc/mysql/encryption/keyfile.key
file_key_management_encryption_algorithm = AES_CTR

# InnoDB Encryption Setup
innodb_encrypt_tables = ON
innodb_encrypt_log = ON
innodb_encrypt_temporary_tables = ON
innodb_encryption_threads = 4
innodb_encryption_rotation_iops = 2000

# Temp & Log Encryption
encrypt_tmp_disk_tables = ON
encrypt_tmp_files = ON
encrypt_binlog = ON
aria_encrypt_tables = ON

After saving the configuration, when I try to restart MariaDB, it fails to start. MariaDB status produces

[ERROR] mariadbd: Cannot decrypt /etc/mysql/encryption/keyfile.enc. Wrong key?
[ERROR] Plugin 'file_key_management' init function returned error.


[ERROR] Plugin 'file_key_management' registration as a ENCRYPTION failed.
[ERROR] InnoDB: cannot enable encryption, encryption plugin is not available
[ERROR] Plugin 'InnoDB' init function returned error.
[ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
[Note] Plugin 'FEEDBACK' is disabled.
[ERROR] Failed to enable encryption of temporary files
[ERROR] Aborting
systemd[1]: mariadb.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: mariadb.service: Failed with result 'exit-code'.
systemd[1]: Failed to start MariaDB 10.6.3 database server.

I have checked /var/lib/mysql/ and the file_key_management.so file is available.

I'm sure that the addition of -pbkdf2 -iter 100000 is the problem.

Can anyone tell me where things are going wrong?

Sims Susee

1 Answer


Things go wrong because the file_key_management plugin doesn't support newer formats and different key derivation methods. But it might in the future; see this bug report.

For now you need to follow the instructions for encrypting the key file:

There are some important details to keep in mind about encrypting the key file, such as: The only algorithm that MariaDB currently supports to encrypt the key file is Cipher Block Chaining (CBC) mode of Advanced Encryption Standard (AES). The encryption key size can be 128-bits, 192-bits, or 256-bits. The encryption key is created from the SHA-1 hash of the encryption password. The encryption password has a max length of 256 characters.

https://mariadb.com/kb/en/file-key-management-encryption-plugin/#encrypting-the-key-file

$ sudo openssl enc -aes-256-cbc -md sha1 \
-pass file:/etc/mysql/encryption/keyfile.key \
-in /etc/mysql/encryption/keyfile \
-out /etc/mysql/encryption/keyfile.enc

If you encrypt with -aes-256-cbc, make sure that file_key_management_encryption_algorithm is not set to AES_CTR.

Good luck!

Carl Joel
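As an added example that is not part of the question, the answer or MariaDB's own code: a POSIX shell script that builds the key material, encrypts the key file with the legacy SHA-1 key derivation the plugin expects (AES-256-CBC, no -pbkdf2/-iter), and checks before any server restart that the encrypted file decrypts back to the plaintext, while also showing that a file produced with -pbkdf2 -iter 100000 (as in the question) does not decrypt under that derivation. Assumptions: the openssl CLI is installed (1.1.1 or later for the -pbkdf2 comparison), and the demo writes to a temporary directory unless ENC_DIR is set to /etc/mysql/encryption.

```shell
#!/bin/sh
# Added example, not code from the question, the answer or MariaDB itself.
# Prepares a File Key Management key file in the one form the plugin can
# read (AES-CBC, key derived from the password with OpenSSL's legacy SHA-1
# EVP_BytesToKey, i.e. no -pbkdf2/-iter) and verifies it before mariadbd
# is restarted. Assumes the openssl CLI is installed. The directory used
# for the demo is a temporary one (assumption); set
# ENC_DIR=/etc/mysql/encryption to prepare the real files.
set -eu

# One line per key: "<key id>;<hex key>". The plugin accepts 128-, 192-
# or 256-bit keys, i.e. 32, 48 or 64 hex characters.
KEY_LINE_RE='^[0-9]+;([0-9a-fA-F]{32}|[0-9a-fA-F]{48}|[0-9a-fA-F]{64})$'

# Generate the plaintext key file (key id 1, 256-bit) and the password file.
# Runs in a subshell so the restrictive umask does not leak out.
make_key_material() (
  umask 077
  mkdir -p "$1"
  printf '1;%s\n' "$(openssl rand -hex 32)" > "$1/keyfile"
  openssl rand -hex 128 > "$1/keyfile.key"
)

# Return 0 only if every line of the plaintext key file has the expected shape.
check_keyfile_format() {
  if grep -Eqv "$KEY_LINE_RE" "$1"; then
    return 1
  fi
  return 0
}

# Encrypt the way the plugin expects. -md sha1 without -pbkdf2 triggers
# OpenSSL's "deprecated key derivation" warning on stderr; that is expected.
encrypt_keyfile() {
  openssl enc -aes-256-cbc -md sha1 -pass "file:$1/keyfile.key" \
    -in "$1/keyfile" -out "$1/keyfile.enc" 2>/dev/null
}

# Decrypt with the same legacy derivation mariadbd applies at startup.
decrypt_keyfile() {
  openssl enc -d -aes-256-cbc -md sha1 -pass "file:$1/keyfile.key" \
    -in "$2" 2>/dev/null
}

# Return 0 if decrypting $2 with the plugin's derivation reproduces the plaintext.
plugin_can_read() {
  decrypt_keyfile "$1" "$2" | cmp -s - "$1/keyfile"
}

# Reproduce the question's variant: PBKDF2-derived key. The output carries
# the same "Salted__" header, so the plugin parses it but derives a
# different key and reports "Cannot decrypt ... Wrong key?".
encrypt_keyfile_pbkdf2() {
  openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 \
    -pass "file:$1/keyfile.key" -in "$1/keyfile" -out "$1/keyfile.pbkdf2.enc"
}

# End to end: returns 0 when the legacy file verifies and the PBKDF2 file does not.
run_demo() {
  dir="$1"
  make_key_material "$dir"
  check_keyfile_format "$dir/keyfile" || { echo "bad keyfile format" >&2; return 1; }
  encrypt_keyfile "$dir"
  encrypt_keyfile_pbkdf2 "$dir"
  if ! plugin_can_read "$dir" "$dir/keyfile.enc"; then
    echo "legacy-encrypted keyfile did not round-trip" >&2; return 1
  fi
  if plugin_can_read "$dir" "$dir/keyfile.pbkdf2.enc"; then
    echo "unexpected: PBKDF2 keyfile decrypted with SHA-1 derivation" >&2; return 1
  fi
  echo "OK: $dir/keyfile.enc is readable by file_key_management; keyfile.pbkdf2.enc is not"
}

if command -v openssl >/dev/null 2>&1; then
  run_demo "${ENC_DIR:-$(mktemp -d)}"
else
  echo "openssl not found; nothing verified" >&2
fi
```

Run it once with ENC_DIR unset to see the round trip succeed and the PBKDF2 variant fail, then with ENC_DIR=/etc/mysql/encryption (as root) to produce the real keyfile.enc and keyfile.key before pointing file_key_management_filename and file_key_management_filekey at them; if plugin_can_read fails on the real files, restarting mariadbd will fail with the same "Wrong key?" error shown in the question.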