InnoDB / XtraDB Encryption Keys

Key management and encryption plugins support using multiple encryption keys. Each encryption key can be defined with a different 32-bit integer as a key identifier.

The default encryption key used by InnoDB to encrypt tablespaces is configured by setting the innodb_default_encryption_key_id system variable. For example:

SET GLOBAL innodb_encryption_threads=4;
SET GLOBAL innodb_encrypt_tables=ON;
SET GLOBAL innodb_default_encryption_key_id=3;
CREATE TABLE t (i int) ENGINE=InnoDB;

When manually encrypting an InnoDB table, a different key can be chosen by adding the ENCRYPTION_KEY_ID table option to the CREATE TABLE statement. For example:

CREATE TABLE t (i int) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=3;

This is only supported for InnoDB tables that have their own file-per-table tablespaces.

When an InnoDB table is encrypted automatically, you cannot change the table's encryption key with the ENCRYPTION_KEY_ID table option: automatically encrypted tables are always encrypted with the key set by innodb_default_encryption_key_id. If you try to set ENCRYPTION_KEY_ID on such a table anyway, you will likely get a Wrong create options error message. See MDEV-17230 about that.

InnoDB tables in the system tablespace will also always be encrypted by the encryption key set by innodb_default_encryption_key_id.

InnoDB uses the encryption key with ID 1 to encrypt the InnoDB redo log.

Key Rotation

When your key management and encryption plugin provides the relevant support, you can automatically rotate and version your encryption keys. For example, the AWS key management plugin supports key rotation, but the file key management plugin does not.

When an encryption key is rotated and a new version of the key is created, then InnoDB's background encryption threads will re-encrypt any InnoDB pages that are encrypted with the old version of the key. The maximum age for an encryption key can be configured by setting the innodb_encryption_rotate_key_age system variable. Any InnoDB page encrypted with a key version older than this value is automatically re-encrypted in the background to use a more current key version. When innodb_encryption_rotate_key_age is set to a non-zero value, the background encryption threads are constantly checking pages to determine if any pages are encrypted with a key version that is too old. These constant key version checks can lead to high CPU usage in some cases.

Key rotation for the InnoDB redo log is only supported in MariaDB 10.4.0 and later. See MDEV-12041 about that.

Disabling Background Key Rotation Operations

Background key rotation operations can be disabled by setting innodb_encryption_rotate_key_age=0. This can be useful if the constant key version checks performed by InnoDB's background encryption threads are leading to excessive CPU usage. It is especially useful when using key management and encryption plugins, such as the file key management plugin, that do not support key rotation. See MDEV-14180 about that.

However, there are important things to consider before disabling background key rotation operations. InnoDB internally treats the background encryption/decryption operations triggered by a change to innodb_encrypt_tables as a form of background key rotation operation. Therefore, if you want to disable key rotation checks, you first need to ensure that any pending background encryption/decryption operations have finished by checking the status of these operations. Otherwise, you can end up with unencrypted tables that you intended to be encrypted, or vice versa. See MDEV-14398 about that.
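The sequence below is an added example, not part of the original article, showing one way to check that pending encryption work has finished before turning off background key rotation. It assumes the INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION table and the Innodb_encryption_rotation_* status variables that MariaDB exposes, neither of which this article itself mentions.

```sql
-- Added example (not from the original article). Assumes
-- INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION and the
-- Innodb_encryption_rotation_* status variables exist on this server.

-- 1. Request encryption of InnoDB tablespaces. InnoDB treats the
--    resulting background work as a key rotation operation.
SET GLOBAL innodb_encryption_threads = 4;
SET GLOBAL innodb_encrypt_tables = ON;

-- 2. Find tablespaces whose background work is still in progress.
--    ROTATING_OR_FLUSHING = 1 means a thread is still working on it.
--    MIN_KEY_VERSION = 0 means the tablespace is (still) unencrypted;
--    compare such rows against the tables you intended to encrypt
--    (tables created with ENCRYPTED=NO are legitimately left at 0).
--    Re-run until no in-progress rows remain.
SELECT NAME,
       ENCRYPTION_SCHEME,
       MIN_KEY_VERSION,
       CURRENT_KEY_VERSION,
       CURRENT_KEY_ID,
       ROTATING_OR_FLUSHING
  FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION
 WHERE ROTATING_OR_FLUSHING = 1
    OR MIN_KEY_VERSION = 0
 ORDER BY NAME;

-- 3. Cross-check with the rotation counters: once the query above is
--    empty, these values should stop increasing between two reads.
SHOW GLOBAL STATUS LIKE 'Innodb_encryption_rotation%';

-- 4. Only now disable the background key version checks.
SET GLOBAL innodb_encryption_rotate_key_age = 0;
```

Persist the final setting in the server configuration file as well, so the check sequence does not silently become necessary again after a restart.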
