我正在尝试在MariaDB 10.6.3服务器(Rocky Linux)中启用文件密钥管理加密。我正在使用开放式ssl生成密钥文件。我已经按照此指南https://mariadb.com/resources/blog/mariadb-encryption-tde-using-mariadbs-file-key-management-encryption-plugin/
echo "1;"$(openssl rand -hex 32) > /etc/mysql/encryption/keyfile
openssl rand -hex 128 > /etc/mysql/encryption/keyfile.key
生成加密文件时使用
openssl enc -aes-256-cbc -md sha1 -pass file:/etc/mysql/encryption/keyfile.key -in /etc/mysql/encryption/keyfile -out /etc/mysql/encryption/keyfile.enc
我收到了警告
***WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
由于上面的代码生成了一个警告,所以我使用了
openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 100000
-pass file:/etc/mysql/encryption/keyfile.key -in /etc/mysql/encryption/keyfile -out /etc/mysql/encryption/keyfile.enc
这是我在server.cnf中添加的配置
# File Key Management Plugin
plugin_load_add = file_key_management
file_key_management_filename = /etc/mysql/encryption/keyfile.enc
file_key_management_filekey = FILE:/etc/mysql/encryption/keyfile.key
file_key_management_encryption_algorithm = AES_CTR
# InnoDB Encryption Setup
innodb_encrypt_tables = ON
innodb_encrypt_log = ON
innodb_encrypt_temporary_tables = ON
innodb_encryption_threads = 4
innodb_encryption_rotation_iops = 2000
# Temp & Log Encryption
encrypt_tmp_disk_tables = ON
encrypt_tmp_files = ON
encrypt_binlog = ON
aria_encrypt_tables = ON
保存配置后,当我尝试重新启动MariaDB时,它无法启动。MariaDB状态产生
[ERROR] mariadbd: Cannot decrypt /etc/mysql/encryption/keyfile.enc. Wrong key?
[ERROR] Plugin 'file_key_management' init function returned error.
[ERROR] Plugin 'file_key_management' registration as a ENCRYPTION failed.
[ERROR] InnoDB: cannot enable encryption, encryption plugin is not available
[ERROR] Plugin 'InnoDB' init function returned error.
[ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
[Note] Plugin 'FEEDBACK' is disabled.
[ERROR] Failed to enable encryption of temporary files
[ERROR] Aborting
systemd[1]: mariadb.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: mariadb.service: Failed with result 'exit-code'.
systemd[1]: Failed to start MariaDB 10.6.3 database server.
我已经检查了/var/lib/mysql/和file_key_management. so文件是否可用。
我肯定问题出在-pbkdf2 -iter 100000
的加法上。
谁能告诉我哪里出了问题?
1条答案
按热度按时间62o28rlo1#
当file_key_management插件不支持更新的格式和不同的密钥派生方法时,事情会出错。但将来可能会,请参阅this bug report。
现在,您需要按照说明对密钥文件进行加密:
关于加密密钥文件,需要记住一些重要的细节,例如:MariaDB目前支持的唯一加密密钥文件的算法是高级加密标准(AES)的密码块链接(CBC)模式。加密密钥大小可以是128位、192位或256位。加密密钥是通过加密密码的SHA-1散列创建的。加密密码的最大长度为256个字符。
https://mariadb.com/kb/en/file-key-management-encryption-plugin/#encrypting-the-key-file
如果使用-aes-256-cbc加密,请确保文件密钥管理加密算法未设置为AES_CTR。
祝你好运!