Details

    • Type: Admin & Maintenance Task
    • Status: Done
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 8.0
    • Fix Version/s: 8.0.16-7
    • Component/s: None
    • Labels:
      None

      Description

      Upgrade:
      All tables from encrypted tablespace need to have ENCRYPTION='Y' clause
      assigned and DD'table option encryption set to Y. In previous versions
      we have assigned encryption clause and DD encryption option only to
      tablespaces. Thus on update now we need to assign ENCRYPTION='Y' and set
      DD option encryption to Y for all tables that resided in encrypted
      tablespace. Also we can be upgrading from PS with encrypted system
      tablespace (ibdata).

      EXPLICIT ENCRYPTION clause:
      MySQL now adds clause ENCRYPTION=Y/N to all tables. However, in MySQL,
      ENCRYPTION=N it is shown to the user in SHOW CREATE TABLE statement only
      when it resides in schema with DEFAULT ENCRYPTION=Y. Thus only when it
      was explicilty specified that table/space should stay decrypted. We were
      using explicit ENCRYPTION=N clause to mark table/spaces that are to be
      excluded from encryption threads. Thus we also show ENCRYPTION=N when it
      was explicitly specified. This means that in PS - ENCRYPTION=N will show
      up in SHOW CREATE TABLE even if SCHEMA has DEFAULT ENCRYPTION=N. This
      behavior was retained to be able to tests encryption threads - we may
      drop this behavior in favor of ENCRYPTION=NO_ONLINE.

      --innodb-encrypt-tables to --default-table-encryption migration:
      innodb-encrypt-tables has been removed. Now all encryption is directed
      by database's default encryption and default_table_encryption variable.
      Tablespaces and schema's inherit encryption clause from
      default_table_encryption. Tables created in schema must obey schema's
      default encryption when table_encryption_privilege_check - unless user
      has privilege to overwrite table_encryption_privilege_check. Tables
      created in tablespace - of course - must obey tablespace encryption and
      when table_encryption_privilege_check is on - schema's default
      encryption. encryption='y' is no longer added to all tables/tablespaces.
      The code from adjust_encryption_options that was doing that was
      commented out.

      The relation between innodb-encrypt-tables and default-table-encryption
      can be summarized as:
      schema encryption = 'y' && table_encryption_privilege_check = ON => innodb_encrypt_tables = FORCE
      schema encryption = 'y' && table_encryption_privilege_check = OFF => innodb_encrypt_tables = ON
      Please note this is oversimplification and for whole scope of those variables please refer to MySQL
      documentation. For instance user with TABLE_ENCRYPTION_ADMIN can overwrite table_encryption_privilege_check.

        Smart Checklist

          Attachments

            Activity

              People

              • Assignee:
                robert.golebiowski Robert Golebiowski
                Reporter:
                robert.golebiowski Robert Golebiowski
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - Not Specified
                  Not Specified
                  Logged:
                  Time Spent - 4 weeks, 2 hours, 35 minutes
                  4w 2h 35m