Credentials Management for MariaDB Enterprise ColumnStore
This page is part of MariaDB's Documentation.
The parent of this page is: Credentials Management
Topics on this page:
Overview
Starting with MariaDB Enterprise ColumnStore 6.2.3, ColumnStore supports encryption for user passwords stored in Columnstore.xml
:
Encryption keys are created with the
cskeys
utilityPasswords are encrypted using the
cspasswd
utility
Compatibility
MariaDB Enterprise ColumnStore 6
MariaDB Enterprise ColumnStore 22.08
MariaDB Enterprise ColumnStore 23.02
Encryption Keys
MariaDB Enterprise ColumnStore stores its password encryption keys in the plain-text file /var/lib/columnstore/.secrets
.
The encryption keys are not created by default, but can be generated by executing the cskeys
utility:
$ cskeys
In a multi-node Enterprise ColumnStore cluster, every ColumnStore node should have the same encryption keys. Therefore, it is recommended to execute cskeys
on the primary server, and then copy /var/lib/columnstore/.secrets
to every other ColumnStore node and fix the file's permissions:
$ scp 192.0.2.1:/var/lib/columnstore/.secrets /var/lib/columnstore/.secrets
$ sudo chown mysql:mysql /var/lib/columnstore/.secrets
$ sudo chmod 0400 /var/lib/columnstore/.secrets
Encrypt a Password
To encrypt a password:
Generate an encrypted password using the cspasswd
utility:
$ cspasswd util_user_passwd
If the
--interactive
command-line option is specified,cspasswd
prompts for the password.
Set the encrypted password in Columnstore.xml
using the mcsSetConfig
utility:
$ sudo mcsSetConfig CrossEngineSupport Password util_user_encrypted_passwd
Decrypt a Password
To decrypt a password, execute the cspasswd
utility and specify the --decrypt
command-line option:
$ cspasswd --decrypt util_user_encrypted_passwd