The keyring framework should be capable of rotating system keys. This feature is needed by different encryption components (binlog encryption, rotation-enabled tablespaces). Note that by system key we mean every key whose id starts with the prefix percona_ (for instance percona_binlog). This feature does not extend the keyring framework API, but adds new behaviour to the existing API functions:
- calling my_key_generate or my_key_store with a system key id will create a rotation-enabled system key in the keyring. (For instance, calling my_key_generate("percona_binlog", "AES", NULL, 16) will add the key percona_binlog:0 to the keyring. The ':0' part of the system key id is the version assigned to the key.)
- calling my_key_generate or my_key_store with an existing system key id will rotate the key to a new version. (For instance, if percona_binlog:0 exists in the keyring, calling my_key_generate("percona_binlog", "AES", NULL, 16) will add the key percona_binlog:1 to the keyring.)
- calling my_key_fetch with a system key id will fetch the latest version of the system key. For instance, if there are two keys in the keyring, percona_binlog:0 and percona_binlog:1, my_key_fetch("percona_binlog" (...)) will fetch percona_binlog:1.
- calling my_key_remove on a system key will result in an error, as it is not possible to remove a system key from the keyring (at least not through the keyring API).
The implementation of this feature needs to support binlog key rotation. Apart from extending the keyring framework, this also includes providing:
- a rotate_system_key function. With this function super users will be able to rotate the binlog key by calling rotate_system_key("percona_binlog"). As mentioned, users will need the SUPER privilege to be able to rotate the key.
- an extension of binlog encryption, so that it is capable of working with different versions of the percona_binlog system key.
The implementation of this feature also includes a convenience function, parse_system_key, that separates the key id and the key version from system key data.
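The versioning rules above, as an added toy model written for this page (not Percona's keyring code): a "percona_"-prefixed id is created as ":0", every later store or generate rotates it to the next version, an unversioned fetch returns the newest version, and remove is refused. Fetching an explicit "percona_binlog:0" returning that older version is an assumption made here, since that is what lets a binlog written before a rotation still be decrypted.

```python
import os

SYSTEM_KEY_PREFIX = "percona_"  # ids with this prefix are rotation-enabled system keys


class SystemKeyError(Exception):
    """Raised for operations the keyring API refuses on system keys."""


def parse_system_key(stored_id):
    """Split a stored name such as 'percona_binlog:1' into ('percona_binlog', 1)."""
    key_id, sep, version = stored_id.rpartition(":")
    if not sep or not key_id or not version.isdigit():
        raise ValueError(f"not a versioned system key id: {stored_id!r}")
    return key_id, int(version)


class Keyring:
    def __init__(self):
        self._keys = {}  # stored name -> key bytes, e.g. 'percona_binlog:0' -> b'...'

    def _versions(self, key_id):
        # All versions stored for one system key id, oldest first
        found = []
        for name in self._keys:
            try:
                base, version = parse_system_key(name)
            except ValueError:
                continue  # ordinary (unversioned) key
            if base == key_id:
                found.append(version)
        return sorted(found)

    def store(self, key_id, key):
        if key_id.startswith(SYSTEM_KEY_PREFIX):
            versions = self._versions(key_id)
            # first store creates ':0'; each later store rotates to the next version
            stored = f"{key_id}:{versions[-1] + 1 if versions else 0}"
            self._keys[stored] = key
            return stored
        if key_id in self._keys:
            raise KeyError(f"key {key_id!r} already exists")  # ordinary keys do not rotate
        self._keys[key_id] = key
        return key_id

    def generate(self, key_id, length=16):
        return self.store(key_id, os.urandom(length))

    def fetch(self, key_id):
        # Unversioned system key id -> newest version; explicit '<id>:<n>' -> that version
        if key_id.startswith(SYSTEM_KEY_PREFIX) and ":" not in key_id:
            versions = self._versions(key_id)
            key_id = f"{key_id}:{versions[-1]}" if versions else key_id
        return (key_id, self._keys[key_id]) if key_id in self._keys else None

    def remove(self, key_id):
        if key_id.startswith(SYSTEM_KEY_PREFIX):
            raise SystemKeyError("system keys cannot be removed through the keyring API")
        del self._keys[key_id]
```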
This issue comes from the open-source project percona/percona-server.