I want to create an encrypted table in MariaDB.
Here is the documentation on "data-at-rest encryption":
- https://mariadb.com/kb/en/data-at-rest-encryption-overview/
- https://mariadb.com/kb/en/encryption-key-management/
- https://mariadb.com/kb/en/innodb-encryption-overview/
I did this:
# one key per line, in the form <key id>;<256-bit key as 64 hex digits>
(echo -n "1;" ; openssl rand -hex 32 ) | sudo tee -a /etc/mysql/encryption/keyfile
(echo -n "2;" ; openssl rand -hex 32 ) | sudo tee -a /etc/mysql/encryption/keyfile
(echo -n "3;" ; openssl rand -hex 32 ) | sudo tee -a /etc/mysql/encryption/keyfile
(echo -n "4;" ; openssl rand -hex 32 ) | sudo tee -a /etc/mysql/encryption/keyfile
(echo -n "5;" ; openssl rand -hex 32 ) | sudo tee -a /etc/mysql/encryption/keyfile
# passphrase used to encrypt the keyfile (written via sudo tee so the redirect also runs as root)
openssl rand -hex 128 | sudo tee /etc/mysql/encryption/keyfile.key >/dev/null
# encrypt the keyfile with that passphrase; keyfile.enc is the file the server will read
sudo openssl enc -aes-256-cbc -md sha1 -pass file:/etc/mysql/encryption/keyfile.key -in /etc/mysql/encryption/keyfile -out /etc/mysql/encryption/keyfile.enc
It creates 3 files:
ls -la
total 20
drwxr-xr-x 2 root root 4096 Oct 21 17:14 .
drwxr-xr-x 5 root root 4096 Oct 21 16:16 ..
-rw-r--r-- 1 root root 335 Oct 21 17:04 keyfile
-rw-r--r-- 1 root root 352 Oct 21 17:14 keyfile.enc
-rw-r--r-- 1 root root 257 Oct 21 17:09 keyfile.key
Then, in the [mysqld] section of /etc/mysql/mariadb.conf.d/50-server.cnf, I added:
plugin_load_add = file_key_management
file_key_management_filename = /etc/mysql/encryption/keyfile.enc
file_key_management_filekey = FILE:/etc/mysql/encryption/keyfile.key
file_key_management_encryption_algorithm = AES_CBC
innodb_encrypt_tables = ON
innodb_encrypt_temporary_tables = ON
innodb_encrypt_log = ON
innodb_encryption_threads = 4
innodb_encryption_rotate_key_age = 1
Then restart mariadb:
sudo systemctl restart mariadb
Then I try to create an encrypted table:
mysql -uroot -p
CREATE DATABASE foo;
USE foo;
CREATE TABLE a (i int) ENGINE=InnoDB ENCRYPTED=YES;
But I get an error, and I don't know why:
ERROR 1005 (HY000): Can't create table `foo`.`a` (errno: 140 "Wrong create options")
When I don't specify ENCRYPTED=YES, or if I specify NO, it works:
CREATE TABLE b (i int) ENGINE=InnoDB;
CREATE TABLE b (i int) ENGINE=InnoDB ENCRYPTED=NO;
Then:
show tables;
+---------------+
| Tables_in_foo |
+---------------+
| a             |
| b             |
+---------------+
Maybe encryption is turned on by default with my configuration. I have tried several ON/OFF combinations with no effect.
I also found this query, but it only gives a result for table "b", not for table "a":
SELECT * FROM information_schema.innodb_tablespaces_encryption;
+-------+-------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+----------------------+
| SPACE | NAME  | ENCRYPTION_SCHEME | KEYSERVER_REQUESTS | MIN_KEY_VERSION | CURRENT_KEY_VERSION | KEY_ROTATION_PAGE_NUMBER | KEY_ROTATION_MAX_PAGE_NUMBER | CURRENT_KEY_ID | ROTATING_OR_FLUSHING |
+-------+-------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+----------------------+
|     9 | foo/b |                 0 |                  0 |               0 |                   0 |                     NULL |                         NULL |              1 |                    0 |
+-------+-------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+----------------------+
And:
SELECT st.SPACE, st.NAME, te.ENCRYPTION_SCHEME, te.ROTATING_OR_FLUSHING
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION te
JOIN information_schema.INNODB_SYS_TABLES st ON te.SPACE = st.SPACE;
+-------+-------+-------------------+----------------------+
| SPACE | NAME  | ENCRYPTION_SCHEME | ROTATING_OR_FLUSHING |
+-------+-------+-------------------+----------------------+
|     9 | foo/b |                 0 |                    0 |
+-------+-------+-------------------+----------------------+
Maybe /etc/mysql/mariadb.conf.d/50-server.cnf is not the right file to add the configuration to, but /etc/mysql/my.cnf is (almost) empty. I tried several files without any good result. The installation was done on Debian 12 with apt install mariadb-client mariadb-server and mysql_secure_installation.
EDIT
I finally found a solution, even though the documentation says this is not necessary:
INSTALL PLUGIN FILE_KEY_MANAGEMENT SONAME 'file_key_management';
1 Answer
After several hours of searching, I finally found it.
Contrary to what is written in the documentation (sic, "no additional package installation is required"), the plugin must be installed:
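A verification sequence for the setup in the question, added here as an example; it is not code from the question, the answer, or the MariaDB documentation. It assumes the same keyfile with key IDs 1 to 5 and the same [mysqld] settings, and uses a new table name foo/c chosen for this example. It checks that the plugin is actually active before creating the table, which is the precondition the original CREATE TABLE lacked, then reads the encryption state back from information_schema.

```sql
-- Added example (not from the original post): verify file_key_management before
-- creating encrypted tables. Assumes key IDs 1..5 in the keyfile and the
-- [mysqld] settings shown in the question; table foo/c is a name chosen here.

-- 1. Is the plugin loaded? errno 140 "Wrong create options" on ENCRYPTED=YES is
--    what you get when no encryption plugin is active. A plugin that never
--    loaded has no row at all in this table.
SELECT PLUGIN_NAME, PLUGIN_STATUS, LOAD_OPTION
FROM information_schema.PLUGINS
WHERE PLUGIN_NAME = 'file_key_management';
-- Expect PLUGIN_STATUS = ACTIVE. If the row is missing, install it persistently
-- (this is what the EDIT in the question did):
-- INSTALL PLUGIN FILE_KEY_MANAGEMENT SONAME 'file_key_management';

-- 2. Confirm the settings from 50-server.cnf took effect (rules out editing the
--    wrong .cnf or not restarting the server).
SHOW GLOBAL VARIABLES
WHERE Variable_name IN ('innodb_encrypt_tables', 'innodb_encrypt_log',
                        'innodb_encryption_threads',
                        'file_key_management_filename',
                        'file_key_management_encryption_algorithm');

-- 3. Create a table encrypted with a specific key from the keyfile. Key ID 2 is
--    chosen here; omitting ENCRYPTION_KEY_ID uses key 1, which is the
--    CURRENT_KEY_ID shown for foo/b in the question.
CREATE DATABASE IF NOT EXISTS foo;
USE foo;
CREATE TABLE c (i INT) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=2;
INSERT INTO c (i) VALUES (1), (2), (3);

-- 4. Read the encryption state back. ENCRYPTION_SCHEME = 1 means the tablespace
--    is encrypted; 0, as for foo/b in the question, means plaintext pages.
SELECT NAME, ENCRYPTION_SCHEME, CURRENT_KEY_ID, MIN_KEY_VERSION, CURRENT_KEY_VERSION
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE NAME LIKE 'foo/%';

-- 5. With innodb_encrypt_tables=ON, a table created without ENCRYPTED=NO is
--    encrypted by the background threads over time; to force it now and pin a
--    key, alter it explicitly. An explicit ENCRYPTED=NO keeps a table in
--    plaintext (and would be rejected under innodb_encrypt_tables=FORCE).
ALTER TABLE b ENCRYPTED=YES ENCRYPTION_KEY_ID=3;
```

Run step 1 first: step 3 reproduces the original failure while the plugin is not active and succeeds once it is. Two points from the directory listing in the question are worth fixing regardless: keyfile.key and the plaintext keyfile are mode 644, so every local account can read the key material that protects the tablespaces. Once keyfile.enc has been produced, remove the plaintext keyfile, and restrict keyfile.key to the account mariadbd runs as (on the Debian package that is mysql; chown mysql:mysql and chmod 0400 are the settings I would use), since the server needs to read it and nobody else should.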