We support two redo log encryption modes:
- master_key, as upstream
- keyring_key, a per-page versioned encryption mode
The active encryption mode is chosen using the innodb-redo-log-encypt variable. This currently allows the user to select one mode, then change to the other, resulting in errors if the server has to decrypt earlier redo log blocks. To fix this, we disallow changing redo log encryption modes.
- First, during startup, if the log is already encrypted, we detect the existing encryption mode
- Later, when the user changes this variable, we check against the existing encryption mode. If the logs aren't encrypted, or if they were encrypted in the same mode, we allow the change. Otherwise, we report a warning and leave the variable as is.
- If we changed the encryption mode in the previous step, we also update the existing encryption mode to match it.
This way we disallow both direct (e.g. master_key
> keyring_key) and indirect (e.g. master_key -> off -> server restart -> keyring_key) mode changes, but allow changes back to the same mode (e.g. master_key -> off (> server restarts, etc) -> master_key).
To change the encryption mode, we have to:
- shutdown the server
- delete the redo log files
- start up the server with the new encryption settings