Related Documentation Download this Manual
PDF (US Ltr) - 38.0Mb
PDF (A4) - 38.1Mb
PDF (RPM) - 37.3Mb
HTML Download (TGZ) - 10.2Mb
HTML Download (Zip) - 10.3Mb
HTML Download (RPM) - 8.9Mb
Man Pages (TGZ) - 217.0Kb
Man Pages (Zip) - 329.9Kb
Info (Gzip) - 3.5Mb
Info (Zip) - 3.5Mb
Excerpts from this Manual

MySQL 5.7 Reference Manual  /  MySQL 5.7 Frequently Asked Questions  /  MySQL 5.7 FAQ: InnoDB Tablespace Encryption

A.16 MySQL 5.7 FAQ: InnoDB Tablespace Encryption

A.16.1. Is data decrypted for users who are authorized to see it?
A.16.2. What is the overhead associated with InnoDB tablespace encryption?
A.16.3. What are the encryption algorithms used with InnoDB tablespace encryption?
A.16.4. Is it possible to use 3rd party encryption algorithms in place of the one provided by the InnoDB tablespace encryption feature?
A.16.5. Can indexed columns be encrypted?
A.16.6. What data types and data lengths does InnoDB tablespace encryption support?
A.16.7. Does data remain encrypted on the network?
A.16.8. Does database memory contain clear-text or encrypted data?
A.16.9. How do I know which data to encrypt?
A.16.10. How is InnoDB tablespace encryption different from encryption functions MySQL already provides?
A.16.11. Does the transportable tablespaces feature work with InnoDB tablespace encryption?
A.16.12. Does compression work with InnoDB tablespace encryption?
A.16.13. Can I use mysqlpump or mysqldump with encrypted tables?
A.16.14. How do I change (rotate, re-key) the master encryption key?
A.16.15. How do I migrate data from a clear-text InnoDB tablespace to an encrypted InnoDB tablespace?
A.16.16. Can the InnoDB tablespace encryption feature store the master encryption key in an external device using the PKSC11 interface?

A.16.1.

Is data decrypted for users who are authorized to see it?

Yes. InnoDB tablespace encryption is designed to provide customers with the ability to transparently apply encryption within the database without impacting existing applications. Returning data in encrypted format would break most existing applications. InnoDB tablespace encryption provides the benefit of encryption without the overhead associated with traditional database encryption solutions, which would typically require expensive and substantial changes to applications, database triggers, and views.

A.16.2.

What is the overhead associated with InnoDB tablespace encryption?

There is no additional storage overhead. According to internal benchmarks, performance overhead amounts to a single digit percentage difference.

A.16.3.

What are the encryption algorithms used with InnoDB tablespace encryption?

InnoDB tablespace encryption supports the Advanced Encryption Standard (AES256) block-based encryption algorithm. It uses Electronic Codebook (ECB) block encryption mode for tablespace key encryption and Cipher Block Chaining (CBC) block encryption mode for data encryption.

A.16.4.

Is it possible to use 3rd party encryption algorithms in place of the one provided by the InnoDB tablespace encryption feature?

No, it is not possible to use other encryption algorithms. The provided encryption algorithm is broadly accepted.

A.16.5.

Can indexed columns be encrypted?

InnoDB tablespace encryption supports all indexes transparently.

A.16.6.

What data types and data lengths does InnoDB tablespace encryption support?

InnoDB tablespace encryption supports all supported data types. There is no data length limitation.

A.16.7.

Does data remain encrypted on the network?

Data encrypted by the InnoDB tablespace encryption feature is decrypted when it is read from the tablespace file. Thus, if the data is on the network, it is in clear-text form. However, data on the network can be encrypted using MySQL network encryption, which encrypts data traveling to and from a database using SSL/TLS.

A.16.8.

Does database memory contain clear-text or encrypted data?

With InnoDB tablespace encryption, in-memory data is decrypted, which provides 100% transparency.

A.16.9.

How do I know which data to encrypt?

Compliance with the PCI-DSS standard requires that credit card numbers (Primary Account Number, or 'PAN') be stored in encrypted form. Breach Notification Laws (for example, CA SB 1386, CA AB 1950, and similar laws in 43+ more US states) require encryption of first name, last name, driver license number, and other PII data. In early 2008, CA AB 1298 added medical and health insurance information to PII data. Additionally, industry specific privacy and security standards may require encryption of certain assets. For example, assets such as pharmaceutical research results, oil field exploration results, financial contracts, or personal data of law enforcement informants may require encryption. In the health care industry, the privacy of patient data, health records and X-ray images is of the highest importance.

A.16.10.

How is InnoDB tablespace encryption different from encryption functions MySQL already provides?

There are symmetric and asymmetric encryption APIs in MySQL that can be used to manually encrypt data within the database. However, the application must manage encryption keys and perform required encryption and decryption operations by calling API functions. InnoDB tablespace encryption requires no application changes, is transparent to end users, and provides automated, built-in key management.

A.16.11.

Does the transportable tablespaces feature work with InnoDB tablespace encryption?

Yes. For more information, see Exporting Encrypted Tables.

A.16.12.

Does compression work with InnoDB tablespace encryption?

Customers using InnoDB tablespace encryption receive the full benefit of compression because compression is applied before data blocks are encrypted.

A.16.13.

Can I use mysqlpump or mysqldump with encrypted tables?

Yes. Because these utilities create logical backups, the data dumped from encrypted tables is not encrypted.

A.16.14.

How do I change (rotate, re-key) the master encryption key?

InnoDB tablespace encryption uses a two tier key mechanism. When tablespace encryption is used, individual tablespace keys are stored in the header of the underlying tablespace data file. Tablespace keys are encrypted using the master encryption key. The master encryption key is generated when tablespace encryption is enabled, and is stored outside the database. The master encryption key is rotated using the ALTER INSTANCE ROTATE INNODB MASTER KEY statement, which generates a new master encryption key, stores the key, and rotates the key into use.

A.16.15.

How do I migrate data from a clear-text InnoDB tablespace to an encrypted InnoDB tablespace?

Transferring data from one tablespace to another is not required. To encrypt data in an InnoDB tablespace, run ALTER TABLE tbl_name ENCRYPTION='Y'. InnoDB tablespace encryption is only supported with file-per-table tablespaces.

A.16.16.

Can the InnoDB tablespace encryption feature store the master encryption key in an external device using the PKSC11 interface?

Not at this time. Currently, the KMIP 1.1 protocol is supported with the keyring_okv plugin, which is available with MySQL Enterprise Edition.


User Comments
Sign Up Login You must be logged in to post a comment.