
InnoDB system tablespace encryption


    Details

    • Type: New Feature
    • Status: Pending Release
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.7.23-23
    • Component/s: None
    • Labels:
      None

      Description

      High Level Description

      In the InnoDB system tablespace, the following data exists:

      1. insert/change buffer
      2. double-write buffer
      3. undo logs (if not configured externally)
      4. User tables if any

      Encrypt all data in the system tablespace, and also encrypt the parallel doublewrite buffer file.

      High Level Design:

      Encryption will be done using Master Key encryption. The decision to encrypt the system tablespace can be made only at bootstrap. A new variable, innodb_sys_tablespace_encrypt, will be introduced to encrypt the system tablespace. The default is OFF. This variable has to be turned ON and passed as a bootstrap parameter to encrypt the system tablespace.

      Variables introduced:

      1. innodb_sys_tablespace_encrypt
      2. innodb_parallel_dblwr_encrypt


      Variable semantics:

      1. mysqld --initialize --datadir=./data --innodb_sys_tablespace_encrypt=ON -> encrypted system tablespace
      2. mysqld --initialize --datadir=./data --innodb_sys_tablespace_encrypt=OFF -> unencrypted system tablespace
      3. mysqld --initialize --datadir=./data -> unencrypted system tablespace
      4. Encrypted system tablespace, startup with --innodb_sys_tablespace_encrypt=OFF -> ERROR
      5. Unencrypted system tablespace, startup with --innodb_sys_tablespace_encrypt=ON -> ERROR
      6. Encrypted system tablespace, startup with the keyring plugin missing -> ERROR

      With Master Key encryption, it will not be possible to encrypt existing (already bootstrapped) system tablespaces. Users upgrading from earlier versions will not be able to encrypt the system tablespace.

      CREATE TABLE semantics:

      Rules:

      1. The table encryption property must match the tablespace encryption property for the table to be created.
      2. innodb_encrypt_tables=ON forces creation of encrypted tables unless the statement explicitly overrides this with ENCRYPTION='N' and the tablespace is unencrypted.
      3. innodb_encrypt_tables=FORCE disallows creation of unencrypted tables and cannot be overridden by the user.

      System tablespace is encrypted

      1. CREATE TABLE t1(a INT) TABLESPACE=innodb_system ENCRYPTION='Y' :- table created and encrypted
      2. CREATE TABLE t1(a INT) TABLESPACE=innodb_system, ENCRYPTION='N' :- error
      3. innodb_encrypt_tables=OFF, CREATE TABLE t1(a INT) TABLESPACE=innodb_system :- error
      4. innodb_encrypt_tables=OFF, CREATE TABLE t1(a INT) TABLESPACE=innodb_system ENCRYPTION='N' :- error
      5. innodb_encrypt_tables=OFF, CREATE TABLE t1(a INT) TABLESPACE=innodb_system ENCRYPTION='Y' :- table created and encrypted
      6. innodb_encrypt_tables=ON, CREATE TABLE t1(a INT) TABLESPACE=innodb_system :- table created and encrypted
      7. innodb_encrypt_tables=ON, CREATE TABLE t1(a INT) TABLESPACE=innodb_system ENCRYPTION='N' :- error
      8. innodb_encrypt_tables=ON, CREATE TABLE t1(a INT) TABLESPACE=innodb_system ENCRYPTION='Y' :- table created and encrypted

      System tablespace is unencrypted

      1. CREATE TABLE t1(a INT) TABLESPACE=innodb_system ENCRYPTION='Y' :- error
      2. CREATE TABLE t1(a INT) TABLESPACE=innodb_system, ENCRYPTION='N' :- table created and unencrypted
      3. innodb_encrypt_tables=OFF, CREATE TABLE t1(a INT) TABLESPACE=innodb_system :- table created and unencrypted
      4. innodb_encrypt_tables=OFF, CREATE TABLE t1(a INT) TABLESPACE=innodb_system ENCRYPTION='N' :- table created and unencrypted
      5. innodb_encrypt_tables=OFF, CREATE TABLE t1(a INT) TABLESPACE=innodb_system ENCRYPTION='Y' :- error
      6. innodb_encrypt_tables=ON, CREATE TABLE t1(a INT) TABLESPACE=innodb_system :- error
      7. innodb_encrypt_tables=ON, CREATE TABLE t1(a INT) TABLESPACE=innodb_system ENCRYPTION='N' :- table created and unencrypted
      8. innodb_encrypt_tables=ON, CREATE TABLE t1(a INT) TABLESPACE=innodb_system ENCRYPTION='Y' :- error
      9. innodb_encrypt_tables=FORCE, CREATE TABLE t1(a INT) TABLESPACE=innodb_system :- error
      10. innodb_encrypt_tables=FORCE, CREATE TABLE t1(a INT) TABLESPACE=innodb_system, ENCRYPTION='N' :- error
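      As an added illustration (not Percona's code), the three rules above modelled as a small Python function and checked against all 18 listed cases. It assumes innodb_encrypt_tables defaults to OFF where a case does not set it, and that an omitted ENCRYPTION clause means "encrypted" under ON/FORCE and "unencrypted" under OFF, which is what the case table implies.

```python
# Added example (not Percona code): a model of the CREATE TABLE rules above,
# checked against every case listed for tables in the system tablespace.
from typing import Optional

ENCRYPTED = "table created, encrypted"
UNENCRYPTED = "table created, unencrypted"
ERROR = "error"

def create_table_outcome(sys_encrypted: bool, encrypt_tables: str = "OFF",
                         encryption_clause: Optional[str] = None) -> str:
    """Outcome of CREATE TABLE ... TABLESPACE=innodb_system [ENCRYPTION='Y'|'N']."""
    mode = encrypt_tables.upper()
    if mode not in ("OFF", "ON", "FORCE"):
        raise ValueError(f"bad innodb_encrypt_tables value: {encrypt_tables}")
    if encryption_clause is None:
        # No explicit clause: ON and FORCE imply encrypted, OFF implies unencrypted.
        wants_encrypted = mode in ("ON", "FORCE")
    else:
        clause = encryption_clause.upper()
        if clause not in ("Y", "N"):
            raise ValueError(f"bad ENCRYPTION clause: {encryption_clause}")
        wants_encrypted = clause == "Y"
    # Rule 3: FORCE never allows an unencrypted table, even with ENCRYPTION='N'.
    if mode == "FORCE" and not wants_encrypted:
        return ERROR
    # Rule 1: the table's property must match the tablespace's property.
    if wants_encrypted != sys_encrypted:
        return ERROR
    return ENCRYPTED if wants_encrypted else UNENCRYPTED

# The 18 cases from the page: (sys_encrypted, innodb_encrypt_tables, clause, expected).
# Cases that do not set innodb_encrypt_tables are assumed to use the default, OFF.
CASES = (
    (True, "OFF", "Y", ENCRYPTED), (True, "OFF", "N", ERROR),
    (True, "OFF", None, ERROR), (True, "OFF", "N", ERROR),
    (True, "OFF", "Y", ENCRYPTED), (True, "ON", None, ENCRYPTED),
    (True, "ON", "N", ERROR), (True, "ON", "Y", ENCRYPTED),
    (False, "OFF", "Y", ERROR), (False, "OFF", "N", UNENCRYPTED),
    (False, "OFF", None, UNENCRYPTED), (False, "OFF", "N", UNENCRYPTED),
    (False, "OFF", "Y", ERROR), (False, "ON", None, ERROR),
    (False, "ON", "N", UNENCRYPTED), (False, "ON", "Y", ERROR),
    (False, "FORCE", None, ERROR), (False, "FORCE", "N", ERROR),
)

def mismatches() -> list:
    """Cases where the model disagrees with the page's table; empty when consistent."""
    return [c for c in CASES if create_table_outcome(c[0], c[1], c[2]) != c[3]]
```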

      Doublewrite buffer encryption

      Percona Server uses two types of doublewrite buffer:

      1. The doublewrite buffer in the system tablespace (used for single-page flushes)
      2. The parallel doublewrite buffer (used for batch flushes)

      Doublewrite buffer pages in the system tablespace are encrypted only when the system tablespace is encrypted. These pages are encrypted using the system tablespace key.

      A new option, innodb_parallel_dblwr_encrypt, is introduced to encrypt the parallel doublewrite file. The default is OFF and the option is dynamic.

      When turned on, pages in the parallel doublewrite buffer are encrypted using the key of their respective tablespace. This means only pages of encrypted tablespaces are written encrypted to the parallel doublewrite buffer; pages of unencrypted tablespaces are written unencrypted.

      With the doublewrite buffer, a page is first written to the doublewrite buffer and then to the actual tablespace. With encryption enabled, the page is encrypted on both writes.

      The only exemptions are page 0 of any tablespace and pages 0-7 of the system tablespace, which are not written encrypted to the doublewrite buffer.

      Upgrade & downgrade

      An instance bootstrapped with an encrypted system tablespace cannot be downgraded and used with lower versions, because lower versions cannot parse encrypted system tablespace pages.

      Key rotation

      The system tablespace key is re-encrypted with the new master key (like any other tablespace key) using ALTER INSTANCE ROTATE INNODB MASTER KEY.

      Limitations

      It is not possible to convert the system tablespace from encrypted to unencrypted or vice versa. A new instance must be created and the user tables transferred to the instance with the desired setting.

      Encryption design doc

      https://docs.google.com/document/d/1BMnAY6d7ODe4TTbA6piGTshB3vVaWXJICHFYJXuuDw8/edit# 

      People

      • Assignee: Satya Bodapati (satya.bodapati)
      • Reporter: Sergei Glushchenko (sergei.glushchenko)