  1. Percona Server for MongoDB
  2. PSMDB-241

WT per database encryption keys are not purged when database deleted


    • Type: Bug
    • Status: Done
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.6.8-2.0, 4.0.4-1
    • Component/s: None
    • Labels:


      This is something between a bug report and a question, since it's not clear whether this is by design or really a bug.
      We have one major (external) key which is used to encrypt the per-database encryption keys. The encryption keys are created when a database is created, but it seems they are not destroyed when the database is dropped (at least from what I can see based on the file sizes, since we don't have a tool to decrypt the files).

      It seems you can purge those old keys by rotating the replica set instance. This way you can both rotate all the keys (external + per-database) for one instance and also get rid of those old per-database keys. It is not clear whether this is by design, though, since if you have one instance and never rotate it, the key database will just grow over time.

      I have created and destroyed 500000 databases and the keyfile has grown to 30M:

      tomislav.plavcic@qaserver-03:/ssd/tomislav/percona-server-mongodb-3.6.8-2.0/nodes/db/keydb$ ls -alh
      total 45M
      -rw------- 1 tomislav.plavcic percona   46 Oct 10 11:37 WiredTiger
      -rw------- 1 tomislav.plavcic percona   21 Oct 10 11:37 WiredTiger.lock
      -rw------- 1 tomislav.plavcic percona 1.1K Oct 11 02:50 WiredTiger.turtle
      -rw------- 1 tomislav.plavcic percona  32K Oct 11 02:50 WiredTiger.wt
      -rw------- 1 tomislav.plavcic percona 4.0K Oct 11 02:50 WiredTigerLAS.wt
      -rw------- 1 tomislav.plavcic percona 5.0M Oct 11 02:50 WiredTigerLog.0000000014
      -rw------- 1 tomislav.plavcic percona 5.0M Oct 11 02:50 WiredTigerPreplog.0000000001
      -rw------- 1 tomislav.plavcic percona 5.0M Oct 11 02:50 WiredTigerPreplog.0000000002
      -rw------- 1 tomislav.plavcic percona  30M Oct 11 02:50 key.wt
      -rw------- 1 tomislav.plavcic percona  16K Oct 11 02:50 parameters.wt

      This may or may not be the problem, but it needs to be clear how it's supposed to work.

                • Assignee:
                  igor.solodovnikov Igor Solodovnikov
                  tomislav.plavcic@percona.com Tomislav Plavcic

                • Time Tracking:
                  Original Estimate - Not Specified
                  Remaining Estimate - 0 minutes
                  Time Spent - 1 day, 6 hours