
Security

MariaDB ColumnStore uses MariaDB Server’s security—encryption, access control, auditing, and firewall—for secure analytics.

ColumnStore Security Vulnerabilities

  1. About CVEs

  2. CVEs fixed in ColumnStore

This page lists security vulnerabilities that have been fixed in, or still affect, MariaDB ColumnStore. Because MariaDB ColumnStore is based on MariaDB Server, it also links to the security vulnerabilities fixed in MariaDB Server.

Sensitive security issues can be sent directly to the persons responsible for MariaDB security: security [AT] mariadb (dot) org.

About CVEs

CVE® stands for "Common Vulnerabilities and Exposures". It is a publicly available and free-to-use database of known software vulnerabilities maintained at

CVEs fixed in ColumnStore

The appropriate release notes listed here document CVEs fixed within a given release. Additional information can also be found at Security Vulnerabilities Fixed in MariaDB.

There are no known CVEs on ColumnStore-specific infrastructure outside of the MariaDB server at this time.

This page is licensed: CC BY-SA / Gnu FDL

Credentials Management

Overview

Starting with MariaDB Enterprise ColumnStore 6.2.3, ColumnStore supports encryption for user passwords stored in Columnstore.xml:

  • Encryption keys are created with the cskeys utility

  • Passwords are encrypted using the cspasswd utility

Compatibility

  • MariaDB Enterprise ColumnStore 6

  • MariaDB Enterprise ColumnStore 22.08

  • MariaDB Enterprise ColumnStore 23.02

Encryption Keys

MariaDB Enterprise ColumnStore stores its password encryption keys in the plain-text file /var/lib/columnstore/.secrets.

The encryption keys are not created by default, but can be generated by executing the cskeys utility:

$ cskeys

In a multi-node Enterprise ColumnStore cluster, every ColumnStore node should have the same encryption keys. Therefore, it is recommended to execute cskeys on the primary server, copy /var/lib/columnstore/.secrets to every other ColumnStore node, and then set the file's ownership and permissions so that only the mysql user can read it:

$ scp 192.0.2.1:/var/lib/columnstore/.secrets /var/lib/columnstore/.secrets
$ sudo chown mysql:mysql /var/lib/columnstore/.secrets
$ sudo chmod 0400 /var/lib/columnstore/.secrets
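
A check to run on each node after the copy, as an added example that is not part of the MariaDB documentation: it confirms that .secrets is a regular file with the expected owner and mode and, when given the primary's SHA-256 digest, that the node holds the same keys. The function names, the return codes and the use of GNU stat and sha256sum are assumptions of this example.

```shell
#!/bin/sh
# Added example (not MariaDB's code): audit .secrets on a ColumnStore node.
# Assumes GNU stat and sha256sum; run as root or mysql so the file is readable.

# Print the SHA-256 digest of a key file, for comparison with the primary's copy.
secrets_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# check_secrets FILE [OWNER:GROUP] [MODE] [PRIMARY_DIGEST]
# Returns 0 if every check passes, 1 on a mismatch, 2 if the file is unusable.
check_secrets() {
    local file="$1" want_owner="${2:-mysql:mysql}" want_mode="${3:-400}" want_sum="${4:-}"
    local rc=0 mode owner sum

    # Refuse symlinks: the checks below must describe the key file itself.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is missing or not a regular file"
        return 2
    fi

    mode=$(stat -c '%a' "$file")
    owner=$(stat -c '%U:%G' "$file")
    if [ "$mode" != "$want_mode" ]; then
        echo "FAIL: mode is $mode, expected $want_mode"
        rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is $owner, expected $want_owner"
        rc=1
    fi

    # Every node must hold the same keys as the primary.
    if [ -n "$want_sum" ]; then
        sum=$(secrets_digest "$file")
        if [ "$sum" != "$want_sum" ]; then
            echo "FAIL: digest differs from the primary's copy"
            rc=1
        fi
    fi

    [ "$rc" -eq 0 ] && echo "OK: $file"
    return "$rc"
}
```

Take the digest on the primary with secrets_digest /var/lib/columnstore/.secrets and pass it as the fourth argument on each node; compare digests only, so the key material itself never leaves the file.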

Encrypt a Password

To encrypt a password:

  1. Generate an encrypted password using the cspasswd utility:

$ cspasswd util_user_passwd

  • If the --interactive command-line option is specified, cspasswd prompts for the password, which keeps the plain-text password out of the shell history and the process list.

  2. Set the encrypted password in Columnstore.xml using the mcsSetConfig utility:

$ sudo mcsSetConfig CrossEngineSupport Password util_user_encrypted_passwd

Decrypt a Password

To decrypt a password, execute the cspasswd utility and specify the --decrypt command-line option:

$ cspasswd --decrypt util_user_encrypted_passwd

This page is: Copyright © 2025 MariaDB. All rights reserved.