Type: New Feature
Affects Version/s: 5.7.x, Not 5.5.x, Not 5.6.x
Fix Version/s: 5.7.23-24
High-level specification
- Backport 8.0 master key encryption to 5.7, with the innodb_redo_log_encrypt setting value renamed to master_key
- Implement a versioned key encryption named keyring_key
- Both encryption modes should encrypt newly written pages to the redo log.
- If the encryption is turned off, existing pages should be kept encrypted, and readable as long as the keyring used for encryption is available, but newly written pages will be unencrypted.
- Changing encryption modes (e.g. from master_key to keyring_key) isn't allowed unless the user stops the server and deletes the old redo log
- Encryption can be turned on again, but only to the same mode as before
- master_key mode is based on the InnoDB master key, but it only affects the redo log header block. Rotating the InnoDB master key will re-encrypt the encryption header but will keep the other pages as they are, still encrypted with the same key
- With keyring_key, the percona_redo key is used. rotate_system_key("percona_redo") will change the key version. The InnoDB master thread checks for this periodically, so the change can take a few seconds to take effect. The innodb_encryption_redo_key_version status variable shows the current key version
- With keyring_key encryption, every page in the redo log can be encrypted with a different key version
- The version number is stored in the checksum field of the redo log page. We recalculate the checksum after encryption and add the version number to it. During decryption, we calculate the checksum of the encrypted page; the difference between that checksum and the stored value is the key version.
- After decryption, the checksum field is restored.
- The version number is 1 when encryption is first started
- After that, rotate_system_key("percona_redo") will increment the version number by 1
- The server notices the new key within a few seconds. After that, new writes will use the new key version
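The following is an added model of the keyring_key checksum-field scheme described above (version stored as checksum + version, recovered on read as the difference), not Percona's code: block size, checksum position, CRC32 as the checksum, the SHA-256 keystream in place of the real cipher, the in-memory KEYRING and the treatment of a zero difference as an unencrypted page are all assumptions of this model.

```python
import hashlib
import struct
import zlib

BLOCK_SIZE = 512               # constructed block size for this model
CHECKSUM_OFF = BLOCK_SIZE - 4  # assumption: 32-bit checksum field at the end of the block
MASK32 = 0xFFFFFFFF
# Constructed keyring: key version -> key material, standing in for percona_redo v1, v2, ...
KEYRING = {1: b"percona_redo-v1-constructed", 2: b"percona_redo-v2-constructed"}

def checksum(body: bytes) -> int:
    """Checksum over everything but the checksum field; CRC32 stands in for InnoDB's."""
    return zlib.crc32(body) & MASK32

def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream derived from the key; a stand-in for the real cipher."""
    chunks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(chunks)[:length]

def make_block(payload: bytes) -> bytes:
    """Plaintext block with a valid checksum field (constructed input)."""
    body = payload.ljust(CHECKSUM_OFF, b"\0")[:CHECKSUM_OFF]
    return body + struct.pack(">I", checksum(body))

def encrypt_block(plain: bytes, version: int) -> bytes:
    """Encrypt the body, recompute the checksum over the ciphertext, add the key version."""
    body = plain[:CHECKSUM_OFF]
    enc_body = bytes(a ^ b for a, b in zip(body, keystream(KEYRING[version], len(body))))
    field = (checksum(enc_body) + version) & MASK32  # 32-bit wraparound is intended
    return enc_body + struct.pack(">I", field)

def decrypt_block(enc: bytes) -> tuple[bytes, int]:
    """Recover the version from the checksum difference, decrypt, restore the checksum field."""
    enc_body = enc[:CHECKSUM_OFF]
    field = struct.unpack(">I", enc[CHECKSUM_OFF:])[0]
    version = (field - checksum(enc_body)) & MASK32
    if version == 0:  # assumption: checksum matches exactly, so the block was written unencrypted
        return enc, 0
    if version not in KEYRING:  # missing key version: the block is unreadable, as the spec notes
        raise KeyError(f"key version {version} not available in keyring")
    body = bytes(a ^ b for a, b in zip(enc_body, keystream(KEYRING[version], len(enc_body))))
    return body + struct.pack(">I", checksum(body)), version

def roundtrip(payload: bytes, version: int) -> tuple[bool, int]:
    """Write a block under `version` (0 = encryption off), read it back, report intact + version."""
    plain = make_block(payload)
    enc = encrypt_block(plain, version) if version else plain
    dec, seen = decrypt_block(enc)
    return dec == plain, seen
```

A mixed log (blocks under version 1, then version 2 after a rotation, then plaintext once encryption is turned off) reads back correctly as long as every version seen is still in the keyring; a block whose version is absent fails closed with KeyError.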