Decrypt InnoDB Redo Logs
When data-at-rest encryption is enabled in MariaDB Enterprise Server, InnoDB can encrypt redo logs. If you later disable encryption or need to recover data from encrypted redo logs, you may need to decrypt the redo log files before MariaDB can process them.
Stop MariaDB Enterprise Server
sudo systemctl stop mariadbLocate the redo log files By default, InnoDB redo log files are stored in the data directory, typically as:
ib_logfile0 ib_logfile1or in the
#innodb_redodirectory for MariaDB versions using the new redo log format.Prepare configuration for decryption
Make sure
innodb_redo_log_encryptis set toON(to ensure the redo logs are recognized as encrypted).Ensure that the key management plugin (such as
file_key_managementoraws_key_management) is configured exactly as it was when the redo logs were created.
Example:
[mysqld] plugin_load_add = file_key_management file_key_management_filename = /etc/mysql/encryption/keyfile.enc file_key_management_filekey = FILE:/etc/mysql/encryption/keyfile.key innodb_redo_log_encrypt = ONStart MariaDB with decryption enabled
Start the server normally. MariaDB will automatically attempt to decrypt redo logs at startup using the configured key management plugin.
If successful, the redo logs are decrypted on-the-fly and crash recovery proceeds.
sudo systemctl start mariadbDisable redo log encryption if no longer required After recovery or once you confirm that decrypted redo logs are no longer needed, you can disable redo log encryption in the configuration:
[mysqld] innodb_redo_log_encrypt = OFFThen restart the server. New redo logs will be created in plaintext.
Verification
You can verify the redo log encryption status with:
SHOW GLOBAL VARIABLES LIKE 'innodb_redo_log_encrypt';Example output:
+------------------------+-------+
| Variable_name | Value |
+------------------------+-------+
| innodb_redo_log_encrypt| OFF |
+------------------------+-------+Last updated
Was this helpful?