Create MariaDB encryption keys in buendia-mysql postinst.

projectbuendia · Feb 7, 2020 · 81d4197 · 81d4197 · zestyping · Feb 7, 2020
1 parent 98dc9ef
commit 81d4197
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/packages/buendia-mysql/control/postinst b/packages/buendia-mysql/control/postinst
@@ -14,6 +14,28 @@ set -e; . /usr/share/buendia/utils.sh
 
 case $1 in
     configure)
+        if [ ! -r /etc/mysql/keyfile.enc ]; then
+            # Key #1 is required by MariaDB for encrypting system data. It will be used
+            # for other purposes as well, if no other keys are defined.
+            # https://mariadb.com/kb/en/encryption-key-management/#using-multiple-encryption-keys
+            ( echo -n '1;'; openssl rand -hex 32 ) > /etc/mysql/keyfile
+
+            # Encrypt the keyfile using the Buendia system key and remove the plaintext version
+            openssl enc -aes-256-cbc -md sha1 -in /etc/mysql/keyfile -out /etc/mysql/keyfile.enc \
+                    -pass file:/usr/share/buendia/system.key
+            rm /etc/mysql/keyfile
+        fi
+
+        # Ensure that MariaDB can read the encrypted key.
+        chown root:mysql /etc/mysql/keyfile.enc
+        chmod 640 /etc/mysql/keyfile.enc
+
+        # Ensure that MariaDB can read the system key.
+        chown root:mysql /usr/share/buendia/system.key
+        chmod 640 /usr/share/buendia/system.key
+
+        service mysql restart
+
         buendia-reconfigure mysql
         service cron start
         ;;

diff --git a/packages/buendia-mysql/control/preinst b/packages/buendia-mysql/control/preinst
@@ -13,6 +13,9 @@
 set -e; . /usr/share/buendia/utils.sh
 
 case $1 in
-    install|upgrade) service_if_exists cron stop ;;
+    install|upgrade) 
+        service_if_exists cron stop
+        service_if_exists mysql stop
+        ;;
     *) exit 1
 esac