Credentials Management

MariaDB ColumnStore credentials management (6.2.3+) encrypts ColumnStore.xml passwords via the cskeys and cspasswd utilities, with keys stored at /var/lib/columnstore/.secrets.

Overview

Starting with MariaDB ColumnStore 6.2.3, ColumnStore supports encryption for user passwords stored in ColumnStore.xml:

Encryption keys are created with the cskeys utility
Passwords are encrypted using the cspasswd utility

Compatibility

MariaDB ColumnStore 6
MariaDB ColumnStore 22.08
MariaDB ColumnStore 23.02

Encryption Keys

MariaDB ColumnStore stores its password encryption keys in the plain-text file /var/lib/columnstore/.secrets.

The encryption keys are not created by default, but can be generated by executing the cskeys utility:

$ cskeys

In a multi-node Enterprise ColumnStore cluster, every ColumnStore node should have the same encryption keys. Therefore, it is recommended to execute cskeys on the primary server and then copy /var/lib/columnstore/.secrets to every other ColumnStore node and fix the file's permissions:

$ scp 192.0.2.1:/var/lib/columnstore/.secrets /var/lib/columnstore/.secrets
$ sudo chown mysql:mysql /var/lib/columnstore/.secrets
$ sudo chmod 0400 /var/lib/columnstore/.secrets

Encrypt a Password

To encrypt a password:

Generate an encrypted password using the cspasswd utility:

$ cspasswd util_user_passwd

If the --interactive command-line option is specified, cspasswd prompts for the password.

Set the encrypted password in ColumnStore.xml using the mcsSetConfig utility:

$ sudo mcsSetConfig CrossEngineSupport Password util_user_encrypted_passwd

Decrypt a Password

To decrypt a password, execute the cspasswd utility and specify the --decrypt command-line option:

$ cspasswd --decrypt util_user_encrypted_passwd

PreviousColumnStore Security Vulnerabilities NextUse Cases

Last updated 1 month ago

Was this helpful?