Ukulindela ukuqala kobhaliso olutsha lwekhosi siyaqhubeka nokupapasha uthotho lwamanqaku malunga ne-encryption kwi-MySQL.
Kwinqaku elandulelayo kolu ngcelele, siye saxubusha . Namhlanje, ngokusekelwe kulwazi olufunyenwe ngaphambili, makhe sijonge ukujikeleza kwezitshixo eziphambili.
Ukujikeleziswa kwesitshixo esiyintloko kubandakanya ukuvelisa isitshixo esitsha esiyintloko kunye noguqulelo oluntsonkothileyo izitshixo zesithuba setafile (ezigcinwe kwizihloko zesithuba setafile) ngesi qhosha sitsha.
Masikhumbule ukuba ijongeka njani iheader yendawo yetafile efihliweyo:
Ukususela kwinqaku elidlulileyo, siyazi ukuba umncedisi ufunda iiheader zazo zonke iindawo zetafile ezifihliweyo ekuqaleni kwaye ukhumbula i-ID enkulu ye-KEY. Umzekelo ukuba sineetafile ezintathu ezine-KEYI-ID = 3 kunye netafile enye ene-KEYI-ID = 4, ngoko i-ID yesitshixo esiphezulu iya kuba yi-4. Masibize le-ID EZIQINISO - MAX KEY ID.
Isebenza njani i-master key rotation
1. Umsebenzisi uphumeza ALTER INNODB MASTER KEY.
2. Umncedisi ucela i-keyring ukuvelisa isitshixo esitsha esikhulu kunye ne-UUID yomncedisi kunye ne-KEYID ilingana nenye dibanisa MAXKEYIIsazisi. Ngoko sifumana i-id yesitshixo esilingana ne-INNODBISIQINISO-UUID-(MAXKEYIIsazisi + 1). Ekuveliseni ngempumelelo isitshixo esikhulu, i-ID ye-MAX KEY inyuswa ngesinye (oko kukuthi MAXKEYIID=MAXKEYIIsazisi + 1).
3. Umncedisi uhlola zonke izithuba zetafile ezifihliweyo ngesitshixo esikhulu, kunye nesithuba setafile nganye:
-
ifihla iqhosha lesithuba setafile ngeqhosha elilawulayo elitsha;
-
ihlaziya id yesitshixo kwi-MAX entshaKEYIisazisi;
-
ukuba i-UUID yahlukile kumncedisi we UUID, ngoko hlaziya umncedisi we UUID.
Njengoko sisazi, i-ID yeSitshixo esiPhakathi esisetyenzisiweyo ukuguqulela uguqulelo oluntsonkothileyo kwitafile siqulathe i-UUID kunye ne-ID engu- KEY efundwayo kwi-headspace yetafile. Into esiyenzayo ngoku kukuhlaziya olu lwazi kwisihloko sofihlo lwesithuba setafile ukuze umncedisi afumane isitshixo esichanekileyo.
Ukuba sineendawo zeetafile ezivela kwiindawo ezahlukeneyo, ezifana neendawo ezahlukeneyo zokugcinwa kwenkxaso, ngoko banokusebenzisa izitshixo eziphambili. Onke la maqhosha enkosi aya kufuna ukufunyanwa kwindawo yokugcina xa umncedisi eqalisiwe. Oku kunokucothisa uqalo lomncedisi, ngakumbi ukuba ivenkile yesitshixo yecala lomncedisi iyasetyenziswa. Ngokujikeleziswa kwesitshixo esiyintloko, siphinda siguqulela ngokuntsonkothileyo izitshixo zesithuba setafile ngesitshixo esinye esifanayo kuzo zonke izithuba zetafile. Umncedisi ngoku kufuneka afumane isitshixo esiyintloko esinye kuphela ekuqaleni.
Oku, kunjalo, sisiphumo nje esimnandi. Eyona njongo iphambili yokujikelezisa isitshixo kukwenza iseva yethu ikhuseleke ngakumbi. Kwimeko apho isitshixo esiyintloko siye sabiwa ngandlelβ ithile kwigumbi elingaphantsi (umzekelo, kwiseva yeVault), kuyenzeka ukuvelisa isitshixo esitsha esikhulu kwaye uguqulele ngokuntsonkothileyo izitshixo zesithuba setafile, singasebenzi isitshixo esibiweyo. Sikhuselekile...phantse.
Kwinqaku langaphambili, ndithethe malunga nokuba isitshixo sendawo yetafile sibiwe njani, umntu wesithathu angasisebenzisa ukucima idatha. Ngaphandle kokuba kukho ukufikelela kwidiski yethu. Ukuba isitshixo esiyintloko sibiwe kwaye unokufikelela kwidatha efihliweyo, ungasebenzisa isitshixo esibiweyo ukukhulula iqhosha lendawo yetafile kwaye ufumane idatha efihliweyo. Njengoko ubona, ukujikeleza kwe-key key akuncedi kule meko. Siguqulela ngokuntsonkothileyo iqhosha lendawo yetafile ngeqhosha eliyintloko elitsha, kodwa elona qhosha lisetyenzisiweyo ukufihla/ukucoca idatha lisahleli lifana. Ke ngoko, "i-hacker" inokuqhubeka nokuyisebenzisa ukucima idatha. Ngaphambili ndiyikhankanye loo nto ingenza uguqulelo oluntsonkothileyo lwendawo yetafile, hayi nje iqhosha letafile elilula lokuguqulela kwakhona ufihlo. Olu phawu lubizwa ngokuba yimisonto yoguqulelo oluntsonkothileyo. Nangona kunjalo, oku kusebenza kusengumfuniselo okwangoku.
Ukujikeleziswa kwesitshixo esingundoqo kuluncedo xa isitshixo esiyintloko sibiwe, kodwa akukho ndlela yokuba umhlaseli ayisebenzise kwaye aguqule ukuntsonkotha kwezitshixo zesithuba setafile.
Funda ngokugqithisileyo:
umthombo: www.habr.com