Encryption in MySQL: Master Key Rotation

Ahead of the start of a new enrollment for the "Database" course, we continue publishing a series of articles on encryption in MySQL.

In the previous article of this series we discussed how master key encryption works. Today, building on that, let's look at master key rotation.

Master key rotation consists of generating a new master key and re-encrypting the tablespace keys (which are stored in the tablespace headers) with this new key.

Let's recall what the header of an encrypted tablespace looks like:


From the previous article we know that at startup the server reads the headers of all encrypted tablespaces and remembers the largest KEY_ID. For example, if we have three tablespaces with KEY_ID = 3 and one tablespace with KEY_ID = 4, the largest key ID is 4. Let's call this value the MAX_KEY_ID.

How master key rotation works

1. The user executes ALTER INSTANCE ROTATE INNODB MASTER KEY.

2. The server asks the keyring to generate a new key with the server UUID and a KEY_ID equal to MAX_KEY_ID + 1, so the new master key ID is INNODBKey-UUID-(MAX_KEY_ID + 1). Once the master key has been generated successfully, MAX_KEY_ID is incremented by one (i.e. MAX_KEY_ID = MAX_KEY_ID + 1).

3. The server goes through all tablespaces encrypted with a master key and, for each tablespace:

  • re-encrypts the tablespace key with the new master key;

  • updates the key ID in the header to the new MAX_KEY_ID;

  • if the UUID in the header differs from the server UUID, replaces it with the server UUID.

As we know, the master key ID used to decrypt a tablespace is built from the UUID and KEY_ID read from the tablespace header. What we are doing here is updating this information in the tablespace encryption header so that the server fetches the correct master key.

If we have tablespaces from different sources, such as different backups, they may be encrypted with different master keys. All of these master keys have to be fetched from the keyring when the server starts, which can slow down startup, especially when a server-side keyring (a remote vault) is used. By rotating the master key we re-encrypt the tablespace keys of all tablespaces with one and the same master key, so at startup the server only needs to fetch a single key.

This, of course, is only a pleasant side effect. The main purpose of master key rotation is to make the server more secure. If the master key is somehow stolen from the vault (for example, from the Vault server), we can generate a new master key and re-encrypt the tablespace keys with it, thereby invalidating the stolen key. We are safe... almost.

In the previous article I mentioned that once a tablespace key has been stolen, a third party can use it to decrypt the data, provided they also have access to our disk. The same holds if the master key has been stolen: with access to the encrypted data, the stolen master key can be used to decrypt the tablespace key and then the data itself. As you can see, master key rotation does not help in this case. We re-encrypt the tablespace key with a new master key, but the key that actually encrypts and decrypts the data stays the same, so the attacker can keep using it to decrypt the data. I mentioned earlier that Percona Server for MySQL can perform real tablespace re-encryption, not just re-encryption of the tablespace key; this feature is called encryption threads. At the time of writing, however, this functionality is still experimental.
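To make both the rotation procedure (steps 1-3 above) and the limitation just described concrete, here is an added Python model. It is not code from the original article, from MySQL or from Percona Server. It assumes a keyring modelled as a dictionary keyed by INNODBKey-<UUID>-<KEY_ID>, a simplified tablespace header holding only the UUID, KEY_ID, a nonce and the wrapped tablespace key, and a toy HMAC-SHA256 XOR keystream cipher standing in for AES; the tablespace contents are constructed sample bytes, and one tablespace is given a foreign UUID to play the role of a file restored from another server's backup.

```python
import hashlib
import hmac
import os
import uuid
from dataclasses import dataclass, replace

def toy_cipher(key, nonce, data):
    """Toy XOR keystream cipher standing in for AES (NOT secure); symmetric, so it also decrypts."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def master_key_name(server_uuid, key_id):
    """Name under which the keyring (vault) stores a master key: INNODBKey-<server UUID>-<KEY_ID>."""
    return "INNODBKey-%s-%d" % (server_uuid, key_id)

@dataclass
class Header:
    """Simplified encryption info in the tablespace header: master key ID halves + wrapped tablespace key."""
    server_uuid: str
    key_id: int
    nonce: bytes
    wrapped_ts_key: bytes

@dataclass
class Tablespace:
    header: Header
    pages: bytes  # data encrypted with the tablespace key; never touched by master key rotation

def create_tablespace(keyring, server_uuid, key_id, plaintext):
    """Encrypt data under a fresh tablespace key and wrap that key with master key (server_uuid, key_id)."""
    ts_key, nonce = os.urandom(32), os.urandom(16)
    wrapped = toy_cipher(keyring[master_key_name(server_uuid, key_id)], nonce, ts_key)
    return Tablespace(Header(server_uuid, key_id, nonce, wrapped), toy_cipher(ts_key, b"pages", plaintext))

def unwrap_ts_key(keyring, header):
    """On open, the server fetches the master key named in the header and unwraps the tablespace key."""
    master = keyring[master_key_name(header.server_uuid, header.key_id)]
    return toy_cipher(master, header.nonce, header.wrapped_ts_key)

def max_key_id(tablespaces):
    """Startup: scan every encrypted tablespace header and remember the largest KEY_ID."""
    return max(ts.header.key_id for ts in tablespaces)

def startup_keys_needed(tablespaces):
    """Distinct master keys the server has to fetch from the keyring to open all tablespaces."""
    return {master_key_name(ts.header.server_uuid, ts.header.key_id) for ts in tablespaces}

def rotate_master_key(keyring, server_uuid, tablespaces, current_max_key_id):
    """Model of ALTER INSTANCE ROTATE INNODB MASTER KEY (steps 1-3 above); returns the new MAX_KEY_ID."""
    new_key_id = current_max_key_id + 1                        # step 2: INNODBKey-<UUID>-(MAX_KEY_ID + 1)
    new_master = keyring[master_key_name(server_uuid, new_key_id)] = os.urandom(32)
    for ts in tablespaces:                                     # step 3, for each tablespace:
        ts_key = unwrap_ts_key(keyring, ts.header)             #   unwrap with the old master (any UUID)
        ts.header.nonce = os.urandom(16)
        ts.header.wrapped_ts_key = toy_cipher(new_master, ts.header.nonce, ts_key)  # re-wrap
        ts.header.key_id = new_key_id                          #   key ID := new MAX_KEY_ID
        ts.header.server_uuid = server_uuid                    #   foreign UUID := this server's UUID
    return new_key_id

def demo():
    """Constructed scenario: three local tablespaces plus one restored from another server's backup."""
    this_uuid, backup_uuid = str(uuid.uuid4()), str(uuid.uuid4())
    keyring = {master_key_name(this_uuid, k): os.urandom(32) for k in (1, 2, 3)}
    keyring[master_key_name(backup_uuid, 4)] = os.urandom(32)
    rows = b": constructed sample rows"
    tablespaces = [create_tablespace(keyring, this_uuid, 3, b"orders" + rows),
                   create_tablespace(keyring, this_uuid, 3, b"users" + rows),
                   create_tablespace(keyring, this_uuid, 2, b"audit" + rows),
                   create_tablespace(keyring, backup_uuid, 4, b"restored" + rows)]
    keys_before, current_max = startup_keys_needed(tablespaces), max_key_id(tablespaces)

    # Attacker: the master key protecting tablespace 0 leaks from the vault, and the attacker
    # also copied that tablespace (header and pages) from disk before the rotation.
    victim = tablespaces[0]
    stolen_master = keyring[master_key_name(victim.header.server_uuid, victim.header.key_id)]
    old_header = replace(victim.header)
    stolen_ts_key = toy_cipher(stolen_master, old_header.nonce, old_header.wrapped_ts_key)

    new_max = rotate_master_key(keyring, this_uuid, tablespaces, current_max)
    from_new_header = toy_cipher(stolen_master, victim.header.nonce, victim.header.wrapped_ts_key)
    return {
        "max_key_id_before": current_max,
        "new_key_id": new_max,
        "keys_needed_before": len(keys_before),
        "keys_needed_after": len(startup_keys_needed(tablespaces)),
        "all_uuids_fixed": all(ts.header.server_uuid == this_uuid for ts in tablespaces),
        "all_readable_after_rotation": all(
            toy_cipher(unwrap_ts_key(keyring, ts.header), b"pages", ts.pages).endswith(rows) for ts in tablespaces),
        "old_master_opens_new_header": from_new_header == stolen_ts_key,   # rotation defeats the stolen master key
        "ts_key_unchanged": unwrap_ts_key(keyring, victim.header) == stolen_ts_key,  # ...but not a stolen tablespace key
        "stolen_ts_key_reads_pages": toy_cipher(stolen_ts_key, b"pages", victim.pages) == b"orders" + rows,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running demo() shows MAX_KEY_ID going from 4 to 5, the number of master keys needed at startup dropping from three to one, the backup's foreign UUID being replaced by the server's, every tablespace still readable afterwards, the stolen master key no longer unwrapping anything from the rotated header, and the tablespace key itself being unchanged, so a pre-rotation copy of the header plus the stolen master key, or a stolen tablespace key, still decrypts the pages. Only pages are ever re-encrypted by something like Percona's encryption threads, which this model deliberately does not do.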

Master key rotation helps when the master key has been stolen but the attacker has not yet had the opportunity to use it to decrypt the tablespace keys.


Source: www.habr.com