InnoDB system tablespace encryption

Description

High Level Description

In InnoDB system tablespace, the following data exists:

  1. insert/change buffer

  2. double-write buffer

  3. undo logs (if not configured externally)

  4. User tables if any

Encrypt all data in system tablespace and also encrypt the parallel double write buffer file.

 

High Level Design:

Encryption will be done using Master Key encryption. The decision to make the system tablespace encrypted can be made only at bootstrap. A new variable "*innodb_sys_tablespace_encrypt*" will be introduced to encrypt the system tablespace. Default is OFF. This variable has to be turned ON and passed as a bootstrap parameter to encrypt the system tablespace.

 

Variables introduced:

  1. innodb_sys_tablespace_encrypt

  2. innodb_parallel_dblwr_encrypt

 

Variable semantics:

  1. mysqld --initialize --datadir=./data --innodb_sys_tablespace_encrypt=ON -> Encrypted SYS

  2. mysqld --initialize --datadir=./data --innodb_sys_tablespace_encrypt=OFF -> Unencrypted SYS

  3. mysqld --initialize --datadir=./data -> Unencrypted SYS

  4. Encrypted system tablespace, startup with --innodb_sys_tablespace_encrypt=OFF -> ERROR

  5. Unencrypted system tablespace, startup with --innodb_sys_tablespace_encrypt=ON -> ERROR

  6. Encrypted system tablespace, startup with missing keyring plugin -> ERROR

With Master Key encryption, it will not be possible to encrypt existing (already bootstrapped) system tablespaces. Those upgrading from earlier versions will not be able to encrypt the system tablespace.

CREATE TABLE semantics:

Rules:

  1. The table encryption property must match the tablespace encryption property for the table to be created successfully

  2. innodb_encrypt_tables=ON forces creation of encrypted tables unless the statement explicitly overrides with ENCRYPTION='N' and the tablespace is unencrypted

  3. innodb_encrypt_tables=FORCE disallows creation of unencrypted tables and cannot be overridden by the user

System tablespace is encrypted

  1. CREATE TABLE t1(a INT) TABLESPACE=innodb_system ENCRYPTION='Y' :- table created & encrypted

  2. CREATE TABLE t1(a INT) TABLESPACE=innodb_system, ENCRYPTION='N' :- error

  3. innodb_encrypt_tables=OFF, CREATE TABLE t1(a INT) TABLESPACE=innodb_system :- error

  4. innodb_encrypt_tables=OFF, CREATE TABLE t1(a INT) TABLESPACE=innodb_system ENCRYPTION='N' :- error

  5. innodb_encrypt_tables=OFF, CREATE TABLE t1(a INT) TABLESPACE=innodb_system ENCRYPTION='Y' :- table created and encrypted

  6. innodb_encrypt_tables=ON, CREATE TABLE t1(a INT) TABLESPACE=innodb_system :- table created & encrypted

  7. innodb_encrypt_tables=ON, CREATE TABLE t1(a INT) TABLESPACE=innodb_system ENCRYPTION='N' :- error

  8. innodb_encrypt_tables=ON, CREATE TABLE t1(a INT) TABLESPACE=innodb_system ENCRYPTION='Y' :- table created and encrypted

 

System tablespace is unencrypted

  1. CREATE TABLE t1(a INT) TABLESPACE=innodb_system ENCRYPTION='Y' :- error

  2. CREATE TABLE t1(a INT) TABLESPACE=innodb_system, ENCRYPTION='N' :- table created and unencrypted

  3. innodb_encrypt_tables=OFF, CREATE TABLE t1(a INT) TABLESPACE=innodb_system :- table created and unencrypted

  4. innodb_encrypt_tables=OFF, CREATE TABLE t1(a INT) TABLESPACE=innodb_system ENCRYPTION='N' :- table created and unencrypted

  5. innodb_encrypt_tables=OFF, CREATE TABLE t1(a INT) TABLESPACE=innodb_system ENCRYPTION='Y' :- error

  6. innodb_encrypt_tables=ON, CREATE TABLE t1(a INT) TABLESPACE=innodb_system :- error

  7. innodb_encrypt_tables=ON, CREATE TABLE t1(a INT) TABLESPACE=innodb_system ENCRYPTION='N' :- table created and unencrypted

  8. innodb_encrypt_tables=ON, CREATE TABLE t1(a INT) TABLESPACE=innodb_system ENCRYPTION='Y' :- error

  9. innodb_encrypt_tables=FORCE, CREATE TABLE t1(a INT) TABLESPACE=innodb_system :- error

  10. innodb_encrypt_tables=FORCE, CREATE TABLE t1(a INT) TABLESPACE=innodb_system, ENCRYPTION='N' :- error
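The bootstrap/startup semantics and the three CREATE TABLE rules above can be checked against every enumerated case by modelling them as one decision function. The following is an added Python model, not Percona Server code: the `Instance` class, the `bootstrap`, `startup_check` and `create_table_outcome` functions and the outcome strings are assumptions made for the illustration, and the cases that do not name `innodb_encrypt_tables` are taken to use its default, OFF.

```python
# Added example (not Percona Server code): a model of the bootstrap/startup
# checks and of the CREATE TABLE rules for an encrypted InnoDB system
# tablespace. Names such as Instance and create_table_outcome are assumptions
# made for this illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ERROR = "error"
ENCRYPTED = "table created & encrypted"
UNENCRYPTED = "table created & unencrypted"


@dataclass
class Instance:
    """The state that matters for the decisions below (constructed model)."""
    sys_encrypted: bool          # fixed at bootstrap, never changes afterwards
    encrypt_tables: str = "OFF"  # innodb_encrypt_tables: OFF, ON or FORCE


def bootstrap(sys_tablespace_encrypt: bool = False) -> Instance:
    """mysqld --initialize: the only point at which the choice can be made."""
    return Instance(sys_encrypted=sys_tablespace_encrypt)


def startup_check(inst: Instance, sys_tablespace_encrypt: bool, keyring_loaded: bool) -> str:
    """Startup fails closed: the flag must match the bootstrapped state and the
    keyring plugin must be present when the system tablespace is encrypted."""
    if sys_tablespace_encrypt != inst.sys_encrypted:
        return ERROR
    if inst.sys_encrypted and not keyring_loaded:
        return ERROR
    return "ok"


def requested_encryption(encrypt_tables: str, clause: Optional[str]) -> Optional[bool]:
    """Turn innodb_encrypt_tables plus an explicit ENCRYPTION='Y'/'N' clause into
    the encryption the table asks for; None means rule 3 rejects the statement."""
    if encrypt_tables == "FORCE":
        return None if clause == "N" else True   # rule 3: cannot be overridden
    if clause is not None:
        return clause == "Y"                      # explicit clause wins (rule 2's "unless")
    return encrypt_tables == "ON"                 # ON defaults to encrypted, OFF to plain


def create_table_outcome(inst: Instance, clause: Optional[str] = None) -> str:
    """Outcome of CREATE TABLE ... TABLESPACE=innodb_system [ENCRYPTION=clause]."""
    want = requested_encryption(inst.encrypt_tables, clause)
    if want is None:
        return ERROR
    if want != inst.sys_encrypted:                # rule 1: properties must match
        return ERROR
    return ENCRYPTED if want else UNENCRYPTED


# The enumerated cases from the description with duplicates collapsed, as
# (system tablespace encrypted, innodb_encrypt_tables, ENCRYPTION clause, expected).
SPEC_CASES: List[Tuple[bool, str, Optional[str], str]] = [
    (True, "OFF", "Y", ENCRYPTED), (True, "OFF", "N", ERROR),
    (True, "OFF", None, ERROR), (True, "ON", None, ENCRYPTED),
    (True, "ON", "N", ERROR), (True, "ON", "Y", ENCRYPTED),
    (False, "OFF", "Y", ERROR), (False, "OFF", "N", UNENCRYPTED),
    (False, "OFF", None, UNENCRYPTED), (False, "ON", None, ERROR),
    (False, "ON", "N", UNENCRYPTED), (False, "ON", "Y", ERROR),
    (False, "FORCE", None, ERROR), (False, "FORCE", "N", ERROR),
]


def spec_mismatches() -> list:
    """Cases where the model disagrees with the enumerated outcomes (empty if consistent)."""
    out = []
    for sys_enc, mode, clause, expected in SPEC_CASES:
        got = create_table_outcome(Instance(sys_enc, mode), clause)
        if got != expected:
            out.append((sys_enc, mode, clause, expected, got))
    return out


if __name__ == "__main__":
    inst = bootstrap(sys_tablespace_encrypt=True)
    print(startup_check(inst, sys_tablespace_encrypt=False, keyring_loaded=True))  # error
    print(spec_mismatches())  # []
```

The point worth noticing is that both checks fail closed: a flag that disagrees with the bootstrapped state, a missing keyring, or a table whose encryption property disagrees with the tablespace all produce an error rather than silently writing plaintext into an encrypted tablespace or vice versa.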

Doublewrite buffer encryption

Percona Server uses two types of doublewrite buffer:

  1. The doublewrite buffer in system tablespace (Used for single page flush)

  2. The Parallel doublewrite buffer (Used for batch flush)

Double write buffer pages in system tablespace are encrypted only when system tablespace is encrypted. The pages are encrypted using system tablespace key.

A new option innodb_parallel_dblwr_encrypt is introduced to encrypt the parallel doublewrite file. Default is OFF and the option is dynamic.

When turned on, the pages in parallel doublewrite buffer are encrypted using the respective tablespace key. This means only encrypted tablespace pages are written as encrypted in parallel double write buffer. Unencrypted tablespace pages will be written as unencrypted.

With the doublewrite buffer, the page is first written to doublewrite buffer and then to the actual tablespace. With encryption enabled, the page is encrypted on both writes.

The only exemptions are: page 0 of any tablespace and pages 0-7 of the system tablespace are not written encrypted to the doublewrite buffer.
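The two doublewrite paths and their exemptions, as an added Python model that is not Percona Server code: which key (if any) a page is written with in the parallel doublewrite file versus the buffer inside the system tablespace, and which pages of a flush batch therefore land on disk in the clear. The `Page` descriptor, the key labels, the sample batch and the function names are constructed for this illustration; space id 0 for the system tablespace is the real InnoDB convention.

```python
# Added example (not Percona Server code): which pages end up encrypted in the
# two doublewrite buffers, following the rules and exemptions described above.
# The Page descriptor, key labels, sample batch and function names are
# constructed for this illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYSTEM_SPACE_ID = 0   # the InnoDB system tablespace is space id 0


@dataclass
class Page:
    space_id: int
    page_no: int
    space_encrypted: bool   # whether the page's own tablespace is encrypted


def dblwr_exempt(page: Page) -> bool:
    """Page 0 of any tablespace, and pages 0-7 of the system tablespace,
    are always written to the doublewrite buffer unencrypted."""
    if page.page_no == 0:
        return True
    return page.space_id == SYSTEM_SPACE_ID and page.page_no <= 7


def parallel_dblwr_key(page: Page, parallel_dblwr_encrypt: bool) -> Optional[str]:
    """Key used for a page in the parallel doublewrite file (batch flush), or
    None when it is written unencrypted. innodb_parallel_dblwr_encrypt=ON only
    encrypts pages that belong to an encrypted tablespace, with that
    tablespace's own key."""
    if not parallel_dblwr_encrypt or not page.space_encrypted or dblwr_exempt(page):
        return None
    return f"tablespace-key[{page.space_id}]"


def system_dblwr_key(page: Page, sys_encrypted: bool) -> Optional[str]:
    """Key used for a page in the doublewrite buffer that lives inside the
    system tablespace (single page flush): it follows the system tablespace
    itself and uses the system tablespace key."""
    if not sys_encrypted or dblwr_exempt(page):
        return None
    return f"tablespace-key[{SYSTEM_SPACE_ID}]"


def plaintext_pages(batch: List[Page], parallel_dblwr_encrypt: bool) -> List[Tuple[int, int]]:
    """(space_id, page_no) of every page in a batch flush that reaches the
    parallel doublewrite file unencrypted, i.e. the residual exposure to check."""
    return [(p.space_id, p.page_no) for p in batch
            if parallel_dblwr_key(p, parallel_dblwr_encrypt) is None]


# Constructed batch: encrypted system tablespace (id 0), encrypted
# file-per-table space 5, unencrypted file-per-table space 7.
SAMPLE_BATCH = [
    Page(0, 3, True),    # system page 3: inside the 0-7 exemption
    Page(0, 8, True),    # system page 8: encrypted with the system tablespace key
    Page(5, 0, True),    # page 0 of space 5: exempt header page
    Page(5, 12, True),   # ordinary page of an encrypted tablespace
    Page(7, 4, False),   # unencrypted tablespace: written as-is
]

if __name__ == "__main__":
    for p in SAMPLE_BATCH:
        print(p.space_id, p.page_no, parallel_dblwr_key(p, True))
    print(plaintext_pages(SAMPLE_BATCH, True))  # [(0, 3), (5, 0), (7, 4)]
```

Running it shows that even with innodb_parallel_dblwr_encrypt=ON the header pages of every tablespace, the first eight pages of the system tablespace and all pages of unencrypted tablespaces remain readable in the parallel doublewrite file, which is the list an operator should expect when auditing what the option does and does not cover.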

Upgrade & downgrade

An instance bootstrapped with an encrypted system tablespace cannot be downgraded and used with lower versions, because lower versions cannot parse encrypted system tablespace pages.

Key rotation

The system tablespace key is re-encrypted with the new master key (like any other tablespace key) using ALTER INSTANCE ROTATE INNODB MASTER KEY.

Limitations

It is not possible to convert the system tablespace from encrypted to unencrypted or vice versa. A new instance should be created and user tables must be transferred to the desired instance.

Encryption design doc

https://docs.google.com/document/d/1BMnAY6d7ODe4TTbA6piGTshB3vVaWXJICHFYJXuuDw8/edit# 

Activity

Satya Bodapati May 22, 2019 at 7:57 AM

Function Requirements

-------------------------------------

  1. Should encrypt system tablespace (currently at bootstrap only)

  2. Should encrypt parallel doublewrite buffer file

  3. Shouldn't be able to decrypt system tablespace once encrypted.

  4. Moving unencrypted file_per_table tables to encrypted system tablespace should be allowed (with explicit ENCRYPTION='Y')

  5. Moving encrypted file_per_table to encrypted system tablespace should be allowed.

 

Satya Bodapati September 16, 2018 at 3:55 AM

You are right, thanks for the clarification Roel!

roel.vandepaar September 14, 2018 at 9:04 PM

Just to clarify on that last comment; it is a startup option, but not a "startup option which can stand by itself without using that same option for the init/bootstrap". 

Satya Bodapati September 14, 2018 at 10:15 AM
Edited

For those wondering why innodb_sys_tablespace_encrypt option is not a startup option or dynamic option.

1) it will not make existing data encrypted. Trying to encrypt the entire system tablespace at startup will increase the startup time. Needs more involved changes/design to do dynamically at runtime.

2) for the data that already exists in the system tablespace (created with ENCRYPTION=N, TABLESPACE=innodb_system), enabling encryption will force that table to be encrypted after future modifications (essentially disregarding ENCRYPTION='N')

3) simplicity of course, by just enabling at bootstrap

Satya Bodapati September 3, 2018 at 8:33 AM

Hey Roel, Created DOC request: https://jira.percona.com/browse/DOC-796

Done

Created February 13, 2018 at 12:45 PM
Updated March 6, 2024 at 1:39 PM
Resolved August 7, 2018 at 10:46 AM