MariaDBのTDEでのhashicorp plugin利用(AlmaLinux8)
目的
- AlmaLinux8で提供されているMariaDB 10.5でTransparent Data Encryptionを利用する
- 鍵・暗号化プラグインとしてMariaDB 10.9向けのhashicorp key management pluginを利用する
環境
- dockerのalmalinux:8イメージのコンテナ
方法
dockerコンテナを作成してコンテナ内に移動
必要パッケージをインストール
# dnf -y install rpm-build yum-utils git # dnf config-manager --set-enable powertools
- MariaDBのバージョンを10.3から10.5に切り替え
# dnf module reset mariadb # dnf module enable mariadb:10.5
- 作業用の一般アカウントを作成して、MariaDBのソースパッケージを取得
# adduser dummy # su - dummy $ dnf download --source mariadb-server
- MariaDBのソースパッケージをインストール
$ rpm -ivh mariadb-10.5.13-1.module_el8.6.0+2761+593e5e59.src.rpm
- 作業用の一般アカウントからログアウトし、パッケージ作成に必要な各種ライブラリをインストール
$ exit # dnf -y install Judy # rpm --nodeps -ivh https://repo.almalinux.org/almalinux/8/PowerTools/x86_64/os/Packages/Judy-devel-1.0.5-18.module_el8.6.0+2867+72759d2f.x86_64.rpm # dnf builddep /home/dummy/rpmbuild/SPECS/mariadb.spec
- hashicorp key management pluginで必要となるパッケージをインストール
# dnf -y install libcurl-devel
- specファイルからソースコードを展開し、パッチを適用
# su - dummy $ rpmbuild --bp ./rpmbuild/SPECS/mariadb.spec
$ git clone -b 10.9 --single-branch --depth 1 https://github.com/MariaDB/server.git $ cp -ar ./server/plugin/hashicorp_key_management ./rpmbuild/BUILD/mariadb-10.5.13-downstream_modified/plugin/
- hashicorp key management pluginをコンパイル
$ cd rpmbuild/BUILD/mariadb-10.5.13-downstream_modified/ $ cmake . $ make hashicorp_key_management
- MariaDB Server 10.5をインストール
$ exit # dnf -y install mariadb-server
# cp /home/dummy/rpmbuild/BUILD/mariadb-10.5.13-downstream_modified/plugin/hashicorp_key_management/hashicorp_key_management.so /usr/lib64/mariadb/plugin/
- hashicorp vaultをインストール
# dnf config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo # dnf -y install vault # setcap -r /usr/bin/vault
- hashicorp vaultの初期設定
# mkdir -p /root/vault/data
# cat <<EOF > /root/vault/config.hcl
storage "file" {
path = "/root/vault/data"
}
# for normal docker only
disable_mlock = "true"
listener "tcp" {
address = "127.0.0.1:8200"
tls_cert_file = "/root/vault/server.crt"
tls_key_file = "/root/vault/server.key"
}
EOF
# openssl genrsa 2048 > /root/vault/ca.key
# openssl req -new -key /root/vault/ca.key -subj "/CN=ca.local" > /root/vault/ca.csr
# openssl x509 -req -in /root/vault/ca.csr -signkey /root/vault/ca.key -days 365 -out /root/vault/ca.crt
# openssl genrsa 2048 > /root/vault/server.key
# echo 'subjectAltName = DNS:localhost, IP=127.0.0.1' > /root/vault/san.ext
# openssl req -new -key /root/vault/server.key -subj "/CN=localhost" > /root/vault/server.csr
# openssl x509 -req -in /root/vault/server.csr -CA /root/vault/ca.crt -CAkey /root/vault/ca.key -CAcreateserial -days 365 -extfile /root/vault/san.ext -out /root/vault/server.crt
- hashicorp vaultの初期化
# vault server -config=/root/vault/config.hcl & # VAULT_CACERT=/root/vault/ca.crt vault operator init
出力される「Unseal Key」と「Root Token」を記録
hashicorp vaultを利用できるようにunsealを実施
# VAULT_CACERT=/root/vault/ca.crt vault operator unseal Unseal Key (will be hidden): [Unseal Keyを入力] ※標準設定で3個のUnseal Keyの入力が必要なので、上記処理を異なるUnseal Keyで3回繰り返す
- MariaDBのTDEで利用するKVストアを有効化
# VAULT_CACERT=/root/vault/ca.crt vault login Token (will be hidden): [Root Tokenを入力] # VAULT_CACERT=/root/vault/ca.crt vault secrets enable --path /data -version=2 kv
- データ暗号化鍵を生成
# VAULT_CACERT=/root/vault/ca.crt vault kv put /data/1 data=$(openssl rand -hex 32)
- TDE用のアクセストークン設定
# VAULT_CACERT=/root/vault/ca.crt vault policy write tde-policy - <<EOF
path "data/*" {
capabilities = ["read", "list"]
}
path "sys/mounts/data/*" {
capabilities = ["read", "list"]
}
EOF
# VAULT_CACERT=/root/vault/ca.crt vault token create -field token -policy=tde-policy
※出力されるトークンを記録する
- MariaDBの起動
# dnf -y install sudo # /usr/bin/mysql_install_db --user=mysql # sudo -u mysql /usr/libexec/mysqld --basedir=/usr &
- 暗号化前の動作検証
# mysql -uroot -e 'show databases' +--------------------+ | Database | +--------------------+ | information_schema | | mysql | | performance_schema | | test | +--------------------+ # mysql -uroot -e 'create database dummy' # mysql -uroot -e 'show databases' +--------------------+ | Database | +--------------------+ | dummy | | information_schema | | mysql | | performance_schema | | test | +--------------------+ # mysql -uroot dummy -e 'create table example(id int, name char(40), primary key(id))' # mysql -uroot dummy -e 'insert into example values(1, "abcd")' # mysql -uroot dummy -e 'insert into example values(2, "efgh")' # mysql -uroot dummy -e 'select * from example' +----+------+ | id | name | +----+------+ | 1 | abcd | | 2 | efgh | +----+------+ # cat /var/lib/mysql/ib_logfile0 | strings | egrep 'abcd|efgh' abcd efgh
- TDEおよびhashicorp key management pluginを有効化
# cp /root/vault/ca.crt /etc/my.cnf.d/ # cat <<EOF > /etc/my.cnf.d/hashicorp.cnf [mariadb] plugin-load-add=hashicorp_key_management.so hashicorp-key-management-vault-url="https://127.0.0.1:8200/v1/data" hashicorp-key-management-token="[tokenを設定]" hashicorp-key-management-vault-ca=/etc/my.cnf.d/ca.crt hashicorp-key-management-timeout=15 hashicorp-key-management-max-retries=3 encrypt-binlog=1 encrypt-tmp-disk-tables=1 encrypt-tmp-files=1 innodb-default-encryption-key-id=1 innodb-encrypt-log=1 innodb-encrypt-tables=1 innodb-encrypt-temporary-tables=1 innodb-encryption-rotate-key-age=1 innodb-encryption-rotation-iops=100 innodb-encryption-threads=4 EOF
- 設定反映のためMariaDBを再起動
# kill $(pidof mysqld) # sudo -u mysql /usr/libexec/mysqld --basedir=/usr &
- MariaDBのパラメータで暗号化状態を確認
# mysql -uroot -e 'show variables like "%encrypt%"'
+----------------------------------+-------+
| Variable_name | Value |
+----------------------------------+-------+
| aria_encrypt_tables | OFF |
| encrypt_binlog | ON |
| encrypt_tmp_disk_tables | ON |
| encrypt_tmp_files | ON |
| innodb_default_encryption_key_id | 1 |
| innodb_encrypt_log | ON |
| innodb_encrypt_tables | ON |
| innodb_encrypt_temporary_tables | ON |
| innodb_encryption_rotate_key_age | 1 |
| innodb_encryption_rotation_iops | 100 |
| innodb_encryption_threads | 4 |
+----------------------------------+-------+
# mysql -uroot -e 'select * from information_schema.INNODB_TABLESPACES_ENCRYPTION\G'
*************************** 1. row ***************************
SPACE: 0
NAME: innodb_system
ENCRYPTION_SCHEME: 1
KEYSERVER_REQUESTS: 1
MIN_KEY_VERSION: 1
CURRENT_KEY_VERSION: 1
KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
CURRENT_KEY_ID: 1
ROTATING_OR_FLUSHING: 0
*************************** 2. row ***************************
SPACE: 2
NAME: mysql/innodb_index_stats
ENCRYPTION_SCHEME: 1
KEYSERVER_REQUESTS: 1
MIN_KEY_VERSION: 1
CURRENT_KEY_VERSION: 1
KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
CURRENT_KEY_ID: 1
ROTATING_OR_FLUSHING: 0
*************************** 3. row ***************************
SPACE: 5
NAME: dummy/example
ENCRYPTION_SCHEME: 1
KEYSERVER_REQUESTS: 1
MIN_KEY_VERSION: 1
CURRENT_KEY_VERSION: 1
KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
CURRENT_KEY_ID: 1
ROTATING_OR_FLUSHING: 0
*************************** 4. row ***************************
SPACE: 1
NAME: mysql/innodb_table_stats
ENCRYPTION_SCHEME: 1
KEYSERVER_REQUESTS: 1
MIN_KEY_VERSION: 1
CURRENT_KEY_VERSION: 1
KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
CURRENT_KEY_ID: 1
ROTATING_OR_FLUSHING: 0
*************************** 5. row ***************************
SPACE: 3
NAME: mysql/transaction_registry
ENCRYPTION_SCHEME: 1
KEYSERVER_REQUESTS: 1
MIN_KEY_VERSION: 1
CURRENT_KEY_VERSION: 1
KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
CURRENT_KEY_ID: 1
ROTATING_OR_FLUSHING: 0
*************************** 6. row ***************************
SPACE: 4
NAME: mysql/gtid_slave_pos
ENCRYPTION_SCHEME: 1
KEYSERVER_REQUESTS: 1
MIN_KEY_VERSION: 1
CURRENT_KEY_VERSION: 1
KEY_ROTATION_PAGE_NUMBER: NULL
KEY_ROTATION_MAX_PAGE_NUMBER: NULL
CURRENT_KEY_ID: 1
ROTATING_OR_FLUSHING: 0
- ファイルの暗号化状態を確認
# cat /var/lib/mysql/ib_logfile0 | strings | egrep 'abcd|efgh'
#
# cat /var/lib/mysql/ib_logfile0 | strings | head -20
MariaDB 10.5.13
X`;a
B{9 K
YX0WA
mLos
w\q:
$Q{e
orGR
dX(m
,{^Ca
b)Q!
=9J<
tZeT
tu1v
}+m3
l7J Z
]9Zx
BCI:
b57l%
}"?1
# cat /var/lib/mysql/dummy/example.ibd | strings | egrep 'abcd|efgh'
#
# cat /var/lib/mysql/dummy/example.ibd | strings | head -20
/:LS
fi?;
k"I(
J(7O
\z?+
F8?,
5"3Z
rvP_
8?.CL
^:4+
{)}]i
P%F
)`tN
&Ywt
Wbce
2+Jjg6
l!0t
vxF6N
C.yL
v8bJ
