  1. Percona Server for MySQL
  2. PS-5772

8.0.16 encryption reconciliation.

Details

    • Admin & Maintenance Task
    • Status: Done
    • High
    • Resolution: Fixed
    • 8.0.x
    • 8.0.16-7

    Description

      Upgrade:
      All tables in an encrypted tablespace need to have the ENCRYPTION='Y'
      clause assigned and the DD table option encryption set to Y. In previous
      versions we assigned the encryption clause and the DD encryption option
      only to tablespaces. Thus on upgrade we now need to assign ENCRYPTION='Y'
      and set the DD option encryption to Y for all tables that resided in an
      encrypted tablespace. We may also be upgrading from a PS with an
      encrypted system tablespace (ibdata).

      EXPLICIT ENCRYPTION clause:
      MySQL now adds the clause ENCRYPTION=Y/N to all tables. However, in
      MySQL, ENCRYPTION=N is shown to the user in the SHOW CREATE TABLE
      statement only when the table resides in a schema with DEFAULT
      ENCRYPTION=Y, that is, only when it was explicitly specified that the
      table/space should stay decrypted. We were using the explicit
      ENCRYPTION=N clause to mark tables/spaces that are to be excluded from
      encryption threads. Thus we also show ENCRYPTION=N when it was
      explicitly specified. This means that in PS, ENCRYPTION=N will show up
      in SHOW CREATE TABLE even if the schema has DEFAULT ENCRYPTION=N. This
      behavior was retained to be able to test encryption threads; we may
      drop this behavior in favor of ENCRYPTION=NO_ONLINE.

      --innodb-encrypt-tables to --default-table-encryption migration:
      innodb-encrypt-tables has been removed. All encryption is now directed
      by the database's default encryption and the default_table_encryption
      variable. Tablespaces and schemas inherit their encryption clause from
      default_table_encryption. Tables created in a schema must obey the
      schema's default encryption when table_encryption_privilege_check is on,
      unless the user has the privilege to override
      table_encryption_privilege_check. Tables created in a tablespace must,
      of course, obey the tablespace encryption and, when
      table_encryption_privilege_check is on, the schema's default
      encryption. encryption='y' is no longer added to all
      tables/tablespaces. The code in adjust_encryption_options that was
      doing that was commented out.

      The relation between innodb-encrypt-tables and default-table-encryption
      can be summarized as:
      schema encryption = 'y' && table_encryption_privilege_check = ON => innodb_encrypt_tables = FORCE
      schema encryption = 'y' && table_encryption_privilege_check = OFF => innodb_encrypt_tables = ON
      Please note this is an oversimplification; for the full scope of these
      variables please refer to the MySQL documentation. For instance, a user
      with TABLE_ENCRYPTION_ADMIN can override table_encryption_privilege_check.
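
The FORCE-like and ON-like cases summarized above, walked through as an added SQL example (not taken from the ticket or from Percona's code). It assumes a working keyring and an administrative session; the schema `enc_demo`, the account `app_demo` and the table names are hypothetical.

```sql
-- Added example. Names enc_demo, app_demo, t1, t2 are hypothetical.
-- Run the setup as an administrative account with a keyring configured.
SET GLOBAL default_table_encryption = ON;
SET GLOBAL table_encryption_privilege_check = ON;

-- The schema inherits its default from default_table_encryption.
CREATE SCHEMA enc_demo;
SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION
  FROM INFORMATION_SCHEMA.SCHEMATA
 WHERE SCHEMA_NAME = 'enc_demo';          -- expect DEFAULT_ENCRYPTION = YES

-- An ordinary account without TABLE_ENCRYPTION_ADMIN.
CREATE USER 'app_demo'@'localhost' IDENTIFIED BY 'change-me-placeholder';
GRANT CREATE, SELECT ON enc_demo.* TO 'app_demo'@'localhost';

-- As app_demo: no ENCRYPTION clause, so the table follows the schema default.
CREATE TABLE enc_demo.t1 (id INT PRIMARY KEY);
SHOW CREATE TABLE enc_demo.t1;            -- carries ENCRYPTION='Y'

-- As app_demo, privilege check ON (the "FORCE" row above):
-- a clause that differs from the schema default is rejected.
CREATE TABLE enc_demo.t2 (id INT PRIMARY KEY) ENCRYPTION='N';

-- As the administrator: switch to the "ON" row above.
SET GLOBAL table_encryption_privilege_check = OFF;

-- As app_demo again: the same statement is now permitted, which leaves
-- an unencrypted table inside a schema whose default is encrypted.
CREATE TABLE enc_demo.t2 (id INT PRIMARY KEY) ENCRYPTION='N';

-- Audit: InnoDB tables that are not ENCRYPTION='Y' in schemas whose
-- default is encrypted (useful after an upgrade or a policy change).
SELECT t.TABLE_SCHEMA, t.TABLE_NAME, t.CREATE_OPTIONS
  FROM INFORMATION_SCHEMA.TABLES AS t
  JOIN INFORMATION_SCHEMA.SCHEMATA AS s
    ON s.SCHEMA_NAME = t.TABLE_SCHEMA
 WHERE s.DEFAULT_ENCRYPTION = 'YES'
   AND t.TABLE_TYPE = 'BASE TABLE'
   AND t.ENGINE = 'InnoDB'
   AND t.CREATE_OPTIONS NOT LIKE '%ENCRYPTION=_Y_%';  -- _ matches either quote
```

With the privilege check back ON, granting TABLE_ENCRYPTION_ADMIN to an account is what lets it deviate from the schema default, so that grant is worth reviewing alongside the audit query's output.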

          People

            robert.golebiowski Robert Golebiowski (Inactive)

              Time Tracking

                Logged:
                Time Spent - 4 weeks, 2 hours, 35 minutes